Gouri Sankar A created WW-5643:
----------------------------------

             Summary: StrutsJSONReader parse state shared across concurrent 
requests — maxDepth bypass and cross-request data leak
                 Key: WW-5643
                 URL: https://issues.apache.org/jira/browse/WW-5643
             Project: Struts 2
          Issue Type: Bug
          Components: Plugin - JSON
    Affects Versions: 7.2.1
         Environment: Reproducible under concurrent request load to any action 
using the
"json" result type or JSONInterceptor with default settings (no
special configuration required — maxDepth/maxElements limits are on
by default). JDK 17, Jackson 2.22.0, any Servlet container. Confirmed
via a 16-thread contention test against a single shared
StrutsJSONReader instance.
            Reporter: Gouri Sankar A


JSONInterceptor's JSONReader is injected once (@Inject) and reused
across every concurrent request handled by that interceptor.
StrutsJSONReader kept its parse cursor, token buffer and nesting-depth
counter as plain instance fields, so two concurrent read() calls on the
same instance tear each other's state: a shared depth counter lets
payloads deeper than the configured maxDepth through, and the shared
cursor/buffer let fragments of one request's JSON body leak into a
different, concurrently-parsed request's result.

Fix: move per-parse state into a ThreadLocal-confined object, scoped to
a single read() call.

Fixed by: https://github.com/apache/struts/pull/1775



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to