Question

I am planning to use gson's fromJson() method to parse a string coming from the browser. Are there any potential vulnerabilities associated with doing that? The data type I am converting to is relatively simple, a List and a boolean. But since gson uses reflection, is there something for me to watch out for?

For example, with an older JVM (pre 6.24), a DoS attack could have been used against integers, where the integer parser would hang.

Can some clever JSON cause Gson to start loading classes it shouldn't be?


Solution

The thing to watch with Gson is what type of builder you are using (see custom deserializer / serializer).

Gson has another weakness: when you are deserializing (let's say using a custom deserializer), you had better check the type of the object you are passing (use instanceof).

Other main point: Gson will automatically convert the variable based on the type being passed.

i.e. { "var1":1 , "var2":"1" } The first one will be converted into an integer, the second into a string, therefore I would watch out for your objects' transformation.

OTHER TIPS

For security reasons, a Gson project developer has recommended not allowing deserialization code to load user-specified class definitions -- deserialization of generic-typed things should be carefully controlled.

It's not that hard to write a JSON parser, and any well-used open source version should be about as safe as one could hope for. Of course, the parser could contain a bug that makes it subject to buffer overrun and the like, but, again, the logic is simple enough that that shouldn't happen if the code is reasonably well written and well reviewed.

A bigger danger is that you yourself might not properly inspect the results of the parse and accept, say, a number that is out of range for your application, or a string that's too long.
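The accepted answer's advice (check the type of what you are handed in a custom deserializer, and be aware that the default adapters coerce values to the declared field type) and the tip above (inspect the parsed result for out-of-range numbers and over-long strings) can be combined in one strict deserializer. The following is an added example written for this page, not code from Gson or from any of the answerers; the Request type, the field names "items" and "enabled", and the size limits are assumptions chosen for illustration.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonArray;
import com.google.gson.JsonDeserializationContext;
import com.google.gson.JsonDeserializer;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import java.lang.reflect.Type;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class StrictGsonExample {

    // Constructed target type mirroring the question: a list of strings and a boolean.
    public static final class Request {
        public final List<String> items;
        public final boolean enabled;

        Request(List<String> items, boolean enabled) {
            this.items = items;
            this.enabled = enabled;
        }
    }

    // Hypothetical application limits (assumed for this example).
    static final int MAX_ITEMS = 100;
    static final int MAX_ITEM_LENGTH = 256;
    static final Set<String> KNOWN_KEYS = Set.of("items", "enabled");

    // Custom deserializer: checks the JSON shape explicitly instead of relying on the
    // reflection-based default adapter, which coerces e.g. "1" into a numeric field.
    static final class RequestDeserializer implements JsonDeserializer<Request> {
        @Override
        public Request deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext ctx) {
            if (!json.isJsonObject()) {
                throw new JsonParseException("expected a JSON object");
            }
            JsonObject obj = json.getAsJsonObject();

            // Reject fields the application does not know about.
            for (String key : obj.keySet()) {
                if (!KNOWN_KEYS.contains(key)) {
                    throw new JsonParseException("unexpected field: " + key);
                }
            }

            // "items" must be an array of strings, bounded in count and element length.
            JsonElement itemsEl = obj.get("items");
            if (itemsEl == null || !itemsEl.isJsonArray()) {
                throw new JsonParseException("'items' must be an array");
            }
            JsonArray arr = itemsEl.getAsJsonArray();
            if (arr.size() > MAX_ITEMS) {
                throw new JsonParseException("too many items: " + arr.size());
            }
            List<String> items = new ArrayList<>(arr.size());
            for (JsonElement el : arr) {
                if (!el.isJsonPrimitive() || !el.getAsJsonPrimitive().isString()) {
                    throw new JsonParseException("items must be strings");
                }
                String s = el.getAsString();
                if (s.length() > MAX_ITEM_LENGTH) {
                    throw new JsonParseException("item too long: " + s.length());
                }
                items.add(s);
            }

            // "enabled" must be a real JSON boolean, not the string "true".
            JsonElement enabledEl = obj.get("enabled");
            if (enabledEl == null || !enabledEl.isJsonPrimitive()
                    || !enabledEl.getAsJsonPrimitive().isBoolean()) {
                throw new JsonParseException("'enabled' must be a boolean");
            }
            return new Request(items, enabledEl.getAsBoolean());
        }
    }

    static final Gson GSON = new GsonBuilder()
            .registerTypeAdapter(Request.class, new RequestDeserializer())
            .create();

    // Returns null when the body is the JSON literal null; callers must check for that.
    public static Request parse(String body) {
        return GSON.fromJson(body, Request.class);
    }

    public static void main(String[] args) {
        System.out.println(parse("{\"items\":[\"a\",\"b\"],\"enabled\":true}").items);

        String[] rejected = {
            "{\"items\":\"a\",\"enabled\":true}",            // wrong type for items
            "{\"items\":[1,2],\"enabled\":true}",            // numbers where strings are expected
            "{\"items\":[],\"enabled\":\"true\"}",           // string instead of boolean
            "{\"items\":[],\"enabled\":true,\"extra\":1}",   // unknown field
            "{\"items\":[\"a\",\"enabled\":true}"            // malformed JSON -> JsonSyntaxException
        };
        for (String bad : rejected) {
            try {
                parse(bad);
                System.out.println("unexpectedly accepted: " + bad);
            } catch (JsonParseException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Gson invokes the registered JsonDeserializer with a JsonElement tree, so every check is an isJsonObject / isJsonArray / isJsonPrimitive test on that tree rather than an instanceof on a Java object; both approaches serve the answerer's point of not trusting the shape of browser-supplied data. Syntax errors surface as JsonSyntaxException, a subclass of JsonParseException, so the one catch covers both malformed input and the deserializer's own rejections.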

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow