[
https://issues.apache.org/jira/browse/WW-5643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-5643:
------------------------------
Fix Version/s: 7.3.0
> StrutsJSONReader parse state shared across concurrent requests — maxDepth
> bypass and cross-request data leak
> ------------------------------------------------------------------------------------------------------------
>
> Key: WW-5643
> URL: https://issues.apache.org/jira/browse/WW-5643
> Project: Struts 2
> Issue Type: Bug
> Components: Plugin - JSON
> Affects Versions: 7.2.1
> Environment: Reproducible under concurrent request load to any action
> using the
> "json" result type or JSONInterceptor with default settings (no
> special configuration required — maxDepth/maxElements limits are on
> by default). JDK 17, Jackson 2.22.0, any Servlet container. Confirmed
> via a 16-thread contention test against a single shared
> StrutsJSONReader instance.
> Reporter: Gouri Sankar A
> Priority: Major
> Fix For: 7.3.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> JSONInterceptor's JSONReader is injected once (@Inject) and reused
> across every concurrent request handled by that interceptor.
> StrutsJSONReader kept its parse cursor, token buffer and nesting-depth
> counter as plain instance fields, so two concurrent read() calls on the
> same instance tear each other's state: a shared depth counter lets
> payloads deeper than the configured maxDepth through, and the shared
> cursor/buffer let fragments of one request's JSON body leak into a
> different, concurrently-parsed request's result.
> Fix: move per-parse state into a ThreadLocal-confined object, scoped to
> a single read() call.
> Fixed by: https://github.com/apache/struts/pull/1775
--
This message was sent by Atlassian Jira
(v8.20.10#820010)