CXF-8435

JsonMapObjectReaderWriter doesn't escape double quotes


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.1
    • Fix Version/s: 3.4.4, 3.3.11
    • Component/s: JAX-RS
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      JsonMapObjectReaderWriter doesn't escape double quotes in JWT claim values. The method "toJsonInternal" appends String values without any modifications/checks.

      If the value of a claim contains double quotes, it's possible to manipulate the generated JSON. This is especially problematic if user-supplied values are included.

      I've added an example program where the expiration of a JWT is set to 5 minutes. The value of the claim "userInput" is set to <<a","exp":9999999999,"b":"x>>.

      JwsJwtCompactProducer (using JsonMapObjectReaderWriter) generates this JSON body:  {"exp":1615227615,"userInput":"a","exp":9999999999,"b":"x"}

      If the parsing library (like CXF itself) overwrites duplicate claims, the last occurrence of a claim wins. This allows a malicious user to manipulate server-generated claims with his own values.
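      Added example (not CXF code and not the reporter's TestJson.java): a small Python model of the behaviour described above. naive_to_json reproduces the unescaped serialization, safe_to_json is the same layout with RFC 8259 string escaping, and the two parse functions show the "last duplicate wins" consumer beside one that rejects duplicate claims outright. The claim values are constructed to match the report; every function name is ours.

```python
import json

# Constructed sample values modelling the report: the server sets a short
# expiry, and the "userInput" claim is copied verbatim from the caller.
SERVER_EXP = 1615227615
MALICIOUS_INPUT = 'a","exp":9999999999,"b":"x'


def build_claims(user_input):
    """Server-side claim set: a trusted exp plus an attacker-influenced string."""
    return {"exp": SERVER_EXP, "userInput": user_input}


def naive_to_json(claims):
    """Models the unescaped serializer the report describes: string values are
    appended verbatim, so a '"' inside a value terminates the JSON string.
    Numbers are emitted as-is (the sample only carries an int)."""
    parts = []
    for key, value in claims.items():
        if isinstance(value, str):
            parts.append('"%s":"%s"' % (key, value))
        else:
            parts.append('"%s":%s' % (key, value))
    return "{" + ",".join(parts) + "}"


def escape_json_string(s):
    """Escape a string per RFC 8259: quote, backslash and control characters."""
    out = []
    for ch in s:
        if ch == '"':
            out.append('\\"')
        elif ch == '\\':
            out.append('\\\\')
        elif ch == '\n':
            out.append('\\n')
        elif ch == '\r':
            out.append('\\r')
        elif ch == '\t':
            out.append('\\t')
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def safe_to_json(claims):
    """Same layout as naive_to_json, but keys and string values are escaped."""
    parts = []
    for key, value in claims.items():
        if isinstance(value, str):
            parts.append('"%s":"%s"' % (escape_json_string(key),
                                         escape_json_string(value)))
        else:
            parts.append('"%s":%s' % (escape_json_string(key), value))
    return "{" + ",".join(parts) + "}"


def parse_last_wins(text):
    """Lenient consumer: json.loads keeps the last value for a repeated key,
    which is the duplicate-claim behaviour the report relies on."""
    return json.loads(text)


def parse_rejecting_duplicates(text):
    """Hardened consumer: refuse any object with a repeated key, so a smuggled
    second "exp" is an error instead of an override."""
    def check(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError("duplicate claim: %s" % key)
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=check)


def effective_exp(serializer, user_input):
    """Expiry a lenient consumer would trust after the given serializer ran."""
    return parse_last_wins(serializer(build_claims(user_input)))["exp"]


if __name__ == "__main__":
    claims = build_claims(MALICIOUS_INPUT)
    print("naive:  ", naive_to_json(claims))
    print("escaped:", safe_to_json(claims))
    print("exp via naive serializer:  ", effective_exp(naive_to_json, MALICIOUS_INPUT))
    print("exp via escaped serializer:", effective_exp(safe_to_json, MALICIOUS_INPUT))
```

      Running it prints the same body the report shows for the naive path, with the lenient parser trusting exp 9999999999; the escaped path keeps the original exp and returns the injected text as an ordinary string value. The duplicate-rejecting parser is the consumer-side check worth having even after the producer fix: a token whose payload repeats a claim name is malformed and should not be accepted on the strength of whichever copy happens to be read last.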

        Attachments

        • TestJson.java (1 kB, Alonso Gonzalez)
              People

              • Assignee: Colm O hEigeartaigh (coheigea)
              • Reporter: Alonso Gonzalez (a.gonzalez)
