Gouri Sankar A created WW-5643:
----------------------------------
Summary: StrutsJSONReader parse state shared across concurrent
requests — maxDepth bypass and cross-request data leak
Key: WW-5643
URL: https://issues.apache.org/jira/browse/WW-5643
Project: Struts 2
Issue Type: Bug
Components: Plugin - JSON
Affects Versions: 7.2.1
Environment: Reproducible under concurrent request load to any action
using the
"json" result type or JSONInterceptor with default settings (no
special configuration required — maxDepth/maxElements limits are on
by default). JDK 17, Jackson 2.22.0, any Servlet container. Confirmed
via a 16-thread contention test against a single shared
StrutsJSONReader instance.
Reporter: Gouri Sankar A
JSONInterceptor's JSONReader is injected once (@Inject) and reused
across every concurrent request handled by that interceptor.
StrutsJSONReader kept its parse cursor, token buffer and nesting-depth
counter as plain instance fields, so two concurrent read() calls on the
same instance tear each other's state: a shared depth counter lets
payloads deeper than the configured maxDepth through, and the shared
cursor/buffer let fragments of one request's JSON body leak into a
different, concurrently-parsed request's result.
Fix: move per-parse state into a ThreadLocal-confined object, scoped to
a single read() call.
Fixed by: https://github.com/apache/struts/pull/1775
--
This message was sent by Atlassian Jira
(v8.20.10#820010)