hjson-lua vulnerable to denial of service

[scacaca]

Summary

hjson-lua vulnerable to denial of service Cause by crafted input。

Description

An issue in hjson-lua allows attackers to cause a Denial of Service (DoS) via supplying a crafted JSON string to string a StringIndexOutOfBoundsException.

There is a similar vulnerability
The relevent code is in file1
eg. the local function parseMultilineString(s, _end)

Patch

The fix logic can be similar to this

Credit

The vulnerability was discovered by chaojie Xiong (FUDAN University, sslwork2023 @163.com)
mingda GUO(FUDANUniversity,22110240064@m.fudan.edu.cn)
zhang Lei(fUDAN University,zxl@fudan. edu.cn)
DongLai Zhu(FUDAN University)
YangchacLiu(FUDAN University,23210860056@m.fudan.edu.cn)

[cryi]

I don't believe this affects hjson-lua. Could you please provide a reproducible example or at least a sample of the crafted input to confirm?

[scacaca]

it seem to this
String jsonString = "[\n[\n=\n[[\'\'\'\'\'\'";

[cryi]

Hi @scacaca, thank you for the examples.

Regarding denial of service, these cases aren't DoS attacks. Additionally, the suggested string is not valid HJSON or JSON, so an error is expected, isn't it?

NOTE: The functions you mentioned are not part of the public contract and are not intended for use by downstream projects.

[cryi]

Hi @scacaca,

Since there's no further information, I'm closing this issue. If you find evidence that these functions misbehave, please open a new one. 🙏🏻