Updated 2025-02-24. From: SLTechnology News&Howtos.
Shulou (Shulou.com) 06/01 Report
This article walks through "Analysis of Service paralysis caused by fastjson vulnerabilities". Many people run into exactly this situation in real cases, so let the editor take you through how to handle it. I hope you read it carefully and get something out of it!
1. Background
On September 5, 2019, fastjson fixed a problem where a string containing a \x escape sequence could cause an OOM. Users are advised to upgrade fastjson to at least version 1.2.60.
Such a nasty bug, going straight to OOM; I had to try it for myself. The test code is as follows:
JSON.parse("[{\"a\":\"a\\x]");
Experimental result: heap memory consumption grew to 2G within 4 minutes.
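As an added defensive example (not code from the original article or from the fastjson project), the following Java wrapper bounds both the payload size and the wall-clock time of a fastjson parse, so a pathological input like the one above stalls one worker thread instead of the request thread. The class name, the size and time limits, and the thread pool are assumptions made for this demonstration.

```java
import com.alibaba.fastjson.JSON;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class BoundedJsonParse {
    // Constructed limits; tune them to the endpoint's real payloads.
    static final int MAX_PAYLOAD_BYTES = 256 * 1024;
    static final long PARSE_TIMEOUT_MS = 200;

    private static final ExecutorService PARSER_POOL = Executors.newFixedThreadPool(4, r -> {
        Thread t = new Thread(r, "json-parse");
        t.setDaemon(true);
        return t;
    });

    /** Parses untrusted text under a size cap and a time budget; rejects anything that overruns either. */
    static Object parseBounded(String text) throws Exception {
        if (text.getBytes(StandardCharsets.UTF_8).length > MAX_PAYLOAD_BYTES) {
            throw new IllegalArgumentException("payload exceeds " + MAX_PAYLOAD_BYTES + " bytes");
        }
        Future<Object> result = PARSER_POOL.submit(() -> JSON.parse(text));
        try {
            return result.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Interrupting does not stop a parser loop that never checks the interrupt flag,
            // so the worker (and its allocations) may live on: log it, alert on it, and rely
            // on the library upgrade as the real fix. The caller, at least, is no longer blocked.
            result.cancel(true);
            throw new IllegalStateException("JSON parse exceeded " + PARSE_TIMEOUT_MS + " ms; input rejected", e);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parseBounded("[{\"a\":\"ok\"}]"));
        try {
            // The article's trigger: an unterminated \x escape. On a fixed version the parser
            // returns or throws promptly; on an affected version the timeout fires instead.
            parseBounded("[{\"a\":\"a\\x]");
        } catch (Exception e) {
            System.out.println("rejected: " + e);
        }
    }
}
```

The size cap is the cheap check and should come first; the timeout is the backstop for parser bugs of the kind described above. Because a timeout cannot reclaim memory that a runaway parser has already allocated, a burst of timeouts from one client is worth alerting on rather than silently retrying.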
2. Business exception after fastjson upgrade
A few days after the fastjson upgrade, a business flow in an old system threw an exception. The exception message is as follows:
Exception in thread "xxx" com.alibaba.fastjson.JSONException: expect ':' at 0, actual =
    at com.alibaba.fastjson.parser.DefaultJSONParser.parseObject(DefaultJSONParser.java:290)
    at com.alibaba.fastjson.parser.DefaultJSONParser.parse(DefaultJSONParser.java:1380)
    at com.alibaba.fastjson.parser.DefaultJSONParser.parse(DefaultJSONParser.java:1346)
    at com.alibaba.fastjson.JSON.parse(JSON.java:156)
    at com.alibaba.fastjson.JSON.parse(JSON.java:166)
    at com.alibaba.fastjson.JSON.parse(JSON.java:135)
    at com.alibaba.fastjson.JSON.parseObject(JSON.java:227)
    at alibaba.fastjson.FastJsonBug.main(FastJsonBug.java:70)
Looking at this error, it had to be a malformed JSON string: where the colon should be, there is an equals sign, which causes the deserialization exception. So I went straight to checking the interface input parameters. Result: everything was normal. What?!
All right, then debug it locally. The exception actually reproduced locally; I was stunned! I checked the interface input parameters again: no problem, identical to the parameters that had always worked before. Then I remembered the recent fastjson upgrade and rolled the fastjson version back to try. After the rollback it really was normal!
Did the fastjson version upgrade introduce a big bug?
Out of trust in Alibaba's engineering, I decided to get to the bottom of it.
3. Find out the truth
The data being deserialized is two levels of nested lists. The test code has been desensitized (see the github address below for the complete source code):
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.google.gson.Gson;

private static final Gson GSON = new Gson();

String json = "{\"bvos\":[{\"names\":[\"zxiaofan\"]}]}";
JSONObject jsonObjectB1 = GSON.fromJson(json, JSONObject.class);
JSONArray jsonArrayB = jsonObjectB1.getJSONArray("bvos");
// The next line throws directly. The exception message is:
// com.alibaba.fastjson.JSONException: expect ':' at 0, actual =
JSONObject jsonObjectB2 = JSONObject.parseObject(jsonArrayB.get(0).toString());
Curious readers need not worry about why no entity class is defined so that TypeReference could do it in one step. That is how this ancient code was written, and it is not the focus of this article.
Debugging showed that the value of jsonArrayB.get(0).toString() is {names=[zxiaofan]}. Note that names is followed by an equals sign rather than a colon, which explains why the exception reads "expect ':' at 0, actual =".
But why does it fail after the upgrade and work fine without it? Digging further and sorting through the findings, the following points stand out:
1. fastjson 1.2.54 works; any version above 1.2.54 fails.
2. The running code mixes Google's Gson with Alibaba's fastjson (all JSON handling has since been switched to fastjson). So is the failure caused by an incompatibility between the upgraded fastjson and Google's Gson?
It was as if I had seen the dawn.
Comparing fastjson 1.2.54 with the later versions (1.2.55 serves as the example below), getJSONArray(String key) really is different.
// fastjson 1.2.54
public JSONArray getJSONArray(String key) {
    Object value = this.map.get(key);
    if (value instanceof JSONArray) {
        return (JSONArray) value;
    } else {
        return value instanceof String
                ? (JSONArray) JSON.parse((String) value)
                : (JSONArray) toJSON(value);
    }
}

// fastjson 1.2.55
public JSONArray getJSONArray(String key) {
    Object value = this.map.get(key);
    if (value instanceof JSONArray) {
        return (JSONArray) value;
    } else if (value instanceof List) {
        return new JSONArray((List) value);
    } else {
        return value instanceof String
                ? (JSONArray) JSON.parse((String) value)
                : (JSONArray) toJSON(value);
    }
}
Debugging shows that in getJSONArray(String key), version 1.2.54 goes through (JSONArray) toJSON(value), while version 1.2.55 goes through return new JSONArray((List) value). The data the two paths return is indeed different.
fastjson 1.2.54 (debugger view): the element finally returned is a JSONObject.
fastjson 1.2.55 (debugger view): the element returned is a LinkedTreeMap (Gson's internal Map). The toString() of a plain Map is necessarily "key=value" form, not JSON.
But if GSON.fromJson in the test code is replaced with JSON.parseObject, it works fine regardless of the fastjson version.
So far we know that once fastjson is upgraded to 1.2.55 or above, getJSONArray is less tolerant of data that has been through Google's Gson. Perhaps this article should have been titled "a bug caused by mixing fastjson and Gson".
I don't know whether this counts as a bug, but I filed an official issue: "fastjson version upgrade reduces compatibility with Gson" #2814.
4. Learn how to deal with various data types in fastjson
During the analysis I looked at how the getJSONArray method in fastjson handles the various data types. Compared with similar code I had written before, the fastjson code is more elegant and worth learning from. The related method is com.alibaba.fastjson.JSON.toJSON(); interested readers can take a look.
// The code here only shows the core structure; for the complete code see github/fastjson.
// toJSON is essentially a template for dispatching on data type.  @zxiaofan
@SuppressWarnings("unchecked")
public static Object toJSON(Object javaObject, SerializeConfig config) {
    if (javaObject == null) {
        return null;
    }
    if (javaObject instanceof JSON) {
        return javaObject;
    }
    if (javaObject instanceof Map) {
        if (map instanceof LinkedHashMap) {
        } else if (map instanceof TreeMap) {
        } else {
            innerMap = new HashMap(size);
        }
        return json;
    }
    if (javaObject instanceof Collection) {
        for (Object item : collection) {
        }
        return array;
    }
    if (javaObject instanceof JSONSerializable) {
        return JSON.parse(json);
    }
    Class clazz = javaObject.getClass();
    if (clazz.isEnum()) {
        return ((Enum) javaObject).name();
    }
    if (clazz.isArray()) {
        for (int i = 0; i < len; ++i) {
        }
        return array;
    }
    if (ParserConfig.isPrimitive2(clazz)) {
        return javaObject;
    }
    ObjectSerializer serializer = config.getObjectWriter(clazz);
    if (serializer instanceof JavaBeanSerializer) {
        return json;
    }
    String text = JSON.toJSONString(javaObject);
    return JSON.parse(text);
}
This concludes "Analysis of Service paralysis caused by fastjson vulnerabilities".
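As an added example (not code from the original article or from the fastjson project), the following Java class applies the same dispatch-on-type template as toJSON above to the mixed-parser problem from section 3: it walks a tree built by another library (Gson's LinkedTreeMap and ArrayList) and rebuilds it from fastjson's own JSONObject and JSONArray, so that getJSONArray(...).get(0).toString() yields JSON text again on fastjson 1.2.55 and later. It differs from JSON.toJSON in one deliberate way: a JSONObject is not returned as-is but is walked too, because on the failing path the outer object is already a JSONObject while the foreign maps are nested inside it. The class and method names and the sample input are assumptions made for this demonstration.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.google.gson.Gson;
import java.lang.reflect.Array;
import java.util.Collection;
import java.util.Map;

public class TreeNormalizer {

    /**
     * Recursively converts any Map / Collection / array tree into fastjson's JSONObject / JSONArray.
     * Scalars pass through, enums become their name, and anything else (a Java bean) takes the
     * serialize-then-parse fallback that toJSON itself ends with.
     */
    static Object normalize(Object value) {
        if (value == null) {
            return null;
        }
        if (value instanceof Map) {
            JSONObject out = new JSONObject(true); // true = keep insertion order
            for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
                out.put(String.valueOf(e.getKey()), normalize(e.getValue()));
            }
            return out;
        }
        if (value instanceof Collection) {
            JSONArray out = new JSONArray();
            for (Object item : (Collection<?>) value) {
                out.add(normalize(item));
            }
            return out;
        }
        if (value.getClass().isArray()) {
            JSONArray out = new JSONArray();
            int len = Array.getLength(value);
            for (int i = 0; i < len; i++) {
                out.add(normalize(Array.get(value, i)));
            }
            return out;
        }
        if (value instanceof Enum) {
            return ((Enum<?>) value).name();
        }
        if (value instanceof Number || value instanceof Boolean || value instanceof CharSequence) {
            return value;
        }
        // Java bean: let fastjson serialize it and parse the text back into its own types.
        return JSON.parse(JSON.toJSONString(value));
    }

    public static void main(String[] args) {
        // Constructed sample input: the article's two-level nesting, parsed by Gson (hypothetical use).
        String json = "{\"bvos\":[{\"names\":[\"zxiaofan\"]}]}";
        Object gsonTree = new Gson().fromJson(json, Object.class);

        JSONObject root = (JSONObject) normalize(gsonTree);
        // Every nested element is now fastjson-typed, so toString() produces JSON text,
        // and the re-parse that failed in section 3 succeeds.
        String first = root.getJSONArray("bvos").get(0).toString();
        System.out.println(first);
        System.out.println(JSON.parseObject(first).getJSONArray("names").getString(0));
    }
}
```

The simpler fix, as the article notes, is to let one library own the whole parse. A normalizer like this is for the boundary where that is not possible, for example a value handed over by a dependency that uses Gson internally; it should run once at that boundary, not on every access.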