[ 
https://issues.apache.org/jira/browse/WW-5643?focusedWorklogId=1029184&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1029184
 ]

ASF GitHub Bot logged work on WW-5643:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 10/Jul/26 16:44
            Start Date: 10/Jul/26 16:44
    Worklog Time Spent: 10m 
      Work Description: g0w6y commented on PR #1775:
URL: https://github.com/apache/struts/pull/1775#issuecomment-4937525057

   Given this fixes a cross request data leak between concurrent users along 
with a maxDepth limit bypass, should we handle this as a security advisory 
instead of a normal fix? Happy to follow whichever process you prefer, just let 
me know.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 1029184)
    Time Spent: 20m  (was: 10m)

> StrutsJSONReader parse state shared across concurrent requests — maxDepth 
> bypass and cross-request data leak
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: WW-5643
>                 URL: https://issues.apache.org/jira/browse/WW-5643
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - JSON
>    Affects Versions: 7.2.1
>         Environment: Reproducible under concurrent request load to any action 
> using the
> "json" result type or JSONInterceptor with default settings (no
> special configuration required — maxDepth/maxElements limits are on
> by default). JDK 17, Jackson 2.22.0, any Servlet container. Confirmed
> via a 16-thread contention test against a single shared
> StrutsJSONReader instance.
>            Reporter: Gouri Sankar A
>            Priority: Major
>             Fix For: 7.3.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> JSONInterceptor's JSONReader is injected once (@Inject) and reused
> across every concurrent request handled by that interceptor.
> StrutsJSONReader kept its parse cursor, token buffer and nesting-depth
> counter as plain instance fields, so two concurrent read() calls on the
> same instance tear each other's state: a shared depth counter lets
> payloads deeper than the configured maxDepth through, and the shared
> cursor/buffer let fragments of one request's JSON body leak into a
> different, concurrently-parsed request's result.
> Fix: move per-parse state into a ThreadLocal-confined object, scoped to
> a single read() call.
> Fixed by: https://github.com/apache/struts/pull/1775



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to