
[GHSA-92jh-gwch-jq38] PocketMine-MP server crash with certain invalid JSON payloads in LoginPacket due to dependency vulnerability (again) #4371

Open
wants to merge 1 commit into base: SvenRtbg/advisory-improvement-4371

Conversation

SvenRtbg

@SvenRtbg SvenRtbg commented May 7, 2024

Updates

  • Affected products
  • Description

Comments
This report is only relevant to pocketmine/pocketmine-mp because that repo contains the class LoginPacket that does not properly validate the input values. The relevant package dealing with mapping JSON to PHP classes is a fork in https://github.com/pmmp/netresearch-jsonmapper

This report does not affect the original JsonMapper library, as having NULL entries in arrays is a defined and tested use case (admittedly an unexpected one). The original project has received several invalid vulnerability reports because of this incorrect attribution, as multiple "security report collector" companies spread this incorrect information through channels beyond the maintainers' control.
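The behaviour the description refers to, as an added illustration that is not PocketMine-MP or JsonMapper project code: JsonMapper passes a null entry inside an array through unchanged, so a consumer that needs non-null entries has to validate the mapped object itself. The class and field names (`LoginPayload`, `chain`) and the sample payload are constructed for this example.

```php
<?php
// Added example, not code from the advisory, PocketMine-MP or JsonMapper.
// Assumes netresearch/jsonmapper is installed via Composer.
require 'vendor/autoload.php';

// Hypothetical DTO standing in for a login-style payload (name is assumed).
final class LoginPayload
{
    /** @var string[] */
    public array $chain = [];
}

/**
 * Consumer-side validation: JsonMapper keeps null array entries as null by
 * design, so reject them here before any later code assumes strings.
 */
function validateLoginPayload(LoginPayload $p): void
{
    foreach ($p->chain as $i => $entry) {
        if (!is_string($entry) || $entry === '') {
            throw new InvalidArgumentException("chain[$i] must be a non-empty string");
        }
    }
}

// Constructed sample payload containing a null entry in the array.
$json = '{"chain": ["token-1", null, "token-3"]}';

$decoded = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
$mapper  = new JsonMapper();
$payload = $mapper->map($decoded, new LoginPayload()); // chain[1] stays null

try {
    validateLoginPayload($payload);
    echo "payload accepted\n";
} catch (InvalidArgumentException $e) {
    // The null entry is rejected up front instead of surfacing as a crash later.
    echo "rejected: {$e->getMessage()}\n";
}
```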

@github
Collaborator

github commented May 7, 2024

Hi there @dktapps! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to SvenRtbg/advisory-improvement-4371 May 7, 2024 16:45
@SvenRtbg
Author

SvenRtbg commented May 7, 2024

List of invalid security issues:
cweiske/jsonmapper#230
cweiske/jsonmapper#231
cweiske/jsonmapper#237

@dktapps

dktapps commented May 13, 2024

Not sure I agree with this change. The fork was created to mitigate the aforementioned security issues in PocketMine-MP by closing loopholes in JsonMapper's validation. I acknowledge that these automated reports tarring JsonMapper with "severe" security issues on account of PM is unjustified considering the scope of the library, but I do think the report is still correct.

Perhaps the report could be rephrased to say something like "behaviour unexpected by PocketMine-MP" or something to that effect. Not sure if that would make these security report scrapers stop complaining though.

@SvenRtbg
Author

SvenRtbg commented May 13, 2024

Just picking some statement from the first issue:
"netresearch/jsonmapper and pocketmine/netresearch-jsonmapper is vulnerable to Denial Of Service. The vulnerability is due to there is no proper validation when constructing objects from scalar types. This flaw potentially leads to a server crash caused by malformed JSON."

I won't directly reject the notion that by using JsonMapper, a denial of service attack could be possible. However, stating that JsonMapper has a problem that allows denial of service IN EVERY CASE is wrong. The security report is poorly written, and was picked up by consumers that published it in an automated fashion, now creating doubts as to whether software is in danger of denial of service attacks (which seems to only happen to your specific software due to very specific circumstances).

Unfortunately, no report I have seen properly states what has to happen to trigger the issue. They only yell "DENIAL OF SERVICE" and high severity numbers, thus validating that subscribing to any of these services is doing something useful.

Would you work with me to identify what seems to be the issue here? I have created cweiske/jsonmapper#233 to discuss what the proper handling of NULL values in arrays should be. However, I am not confident your issue matches my observation.

To be specific, I would very much like to see the "malformed JSON" mentioned in the quote above, and the target mapped objects this is supposed to be transformed into.

@SvenRtbg
Author

Just as a reminder, I have received your cweiske/jsonmapper#226 issue statement, but got no response after the initial discussion where you'd defend your point. I don't state your claim is invalid. I would consider it to be somewhat lacking the interesting details, for example: what would you expect in the mentioned situation?

And in addition, your issue does not at all refer to any JWT or LoginPacket related code issues.

@dktapps

dktapps commented May 15, 2024

> which seems to only happen to your specific software due to very specific circumstances

Yeah, that's correct.

> And in addition, your issue does not at all refer to any JWT or LoginPacket related code issues.

The issue provides the minimal reproducing code for the issue in JsonMapper. The PocketMine security report goes into surrounding detail to explain how the problem occurs in PM's case, but that's not relevant to JsonMapper. The only important stuff for JsonMapper is the JSON validation.

> However I am not confident your issue matches my observation.

The associated issues for this security report would be these: cweiske/jsonmapper#211, cweiske/jsonmapper#233

There are currently 3 outstanding issues that I encountered:

I've responded to some of your other comments directly on the relevant issues.

@dktapps

dktapps commented May 15, 2024

I've updated the advisories in question to make it clearer; let me know if you think it still needs improvement:
GHSA-92jh-gwch-jq38
GHSA-h6j3-j35f-v2x7

Not sure if the changes will get automatically reflected on this repo or not.
