NullPointerException in IonParser.nextToken()

[ZanderHuang]

Description

This vulnerability is of Uncaught Exception for java.lang.NullPointerException in com.fasterxml.jackson.dataformat, jackson-dataformat-ion (2.13.0, the latest version) with com.amazon.ion, ion-java (1.8.3, the latest version). Specifically, it fails to check the runtime exception java.lang.NullPointerException in function com.fasterxml.jackson.dataformat.ion.IonParser.nextToken() ( IonParser.java: 506 ).
The attackers can launch DoS (Denial of Service) attacks to any program that directly uses this library (CWE-2248: Uncaught exception).

The vulnerable code:

        // the _reader.next() can throw java.lang.NullPointerException
        IonType type = _reader.next();
        if (type == null) {
        ...

The crash stack:

com.amazon.ion.impl.LocalSymbolTable.readOneImport::LocalSymbolTable.java:681
com.amazon.ion.impl.LocalSymbolTable.prepImportsList::LocalSymbolTable.java:646
com.amazon.ion.impl.LocalSymbolTable.readLocalSymbolTable::LocalSymbolTable.java:304
com.amazon.ion.impl.LocalSymbolTable$Factory.newLocalSymtab::LocalSymbolTable.java:68
com.amazon.ion.impl.IonReaderBinaryUserX.has_next_helper_user::IonReaderBinaryUserX.java:252
com.amazon.ion.impl.IonReaderBinaryUserX.hasNext::IonReaderBinaryUserX.java:222
com.amazon.ion.impl.IonReaderBinaryUserX.next::IonReaderBinaryUserX.java:208
com.fasterxml.jackson.dataformat.ion.IonParser.nextToken::IonParser.java:506
com.fasterxml.jackson.databind.ObjectMapper._readTreeAndClose::ObjectMapper.java:4649
com.fasterxml.jackson.databind.ObjectMapper.readTree::ObjectMapper.java:3074
com.test.Entry.main::Entry.java:51

Proof of Concept

• download the program that uses jackson and built it

cd bug_reproduce_program_jackson_ion
bash build.sh

• use one of the poc to trigger the crash

java -jar built-target-program.jar pocfile

Fix suggestion

Wrap this kind of exception as a type of exception the library provided, e.g. IonException. Maybe the fix should not only in jackson but also in its dependent ion-java package.

Impact

The attackers can launch DoS (Denial of Service) attacks to any program that directly uses this library (CWE-2248: Uncaught exception).

[cowtowncoder]

Thank you for reporting this issue: sounds like sub-optimal handling.

I am not sure I see DoS aspect itself as exceptions are the mechanism to use for many kinds of invalid data, but in this case handling should produce package-specified exception, not accidental NPE.

[cowtowncoder]

I added a failing unit test for this one, but I do think actual fix needs to go in ion-java; Jackson cannot prevent it from being thrown and so any performance problems are already incurred even if caught by IonParser -- and adding NPE catching in there just seems incorrect to me.

@mcliedtke @jobarr-amzn do you know what'd be a good way to report this to streaming Ion codec?
Test is UncaughtException303Test and uses a small broken Ion doc from under ion/src/test/resources//data/issue-303.ion to trigger NPE.

[jobarr-amzn]

I'm taking a look- will open an issue in ion-java as necessary.

[cowtowncoder]

Hi @jobarr-amzn! I assume you haven't had a chance to look into this but thought I'd ping just in case.