Skip to content

Latest commit

 

History

History
41 lines (34 loc) · 4.74 KB

threat-modeling.md

File metadata and controls

41 lines (34 loc) · 4.74 KB

Threat Model Analysis for jamesnk/newtonsoft.json

Threat: Remote Code Execution (RCE) via TypeNameHandling

  • Threat: Remote Code Execution (RCE) via TypeNameHandling
    • Description: An attacker crafts a malicious JSON payload that includes a "$type" property specifying a dangerous .NET type. When Json.NET deserializes this payload with TypeNameHandling enabled (e.g., TypeNameHandling.Auto, TypeNameHandling.Objects, or TypeNameHandling.All), it instantiates the specified type. If the attacker can specify a type that has a vulnerable constructor, property setter, or method called during deserialization, they can execute arbitrary code within the application's context. This often involves leveraging existing types within the application or its dependencies (gadget chains).
    • Impact: Complete compromise of the application and potentially the underlying server. The attacker gains full control.
    • Affected Component: JsonSerializer, JsonSerializerSettings.TypeNameHandling, ISerializationBinder (if improperly implemented). The core deserialization logic is the primary concern.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Disable TypeNameHandling: The most effective mitigation is to avoid using TypeNameHandling altogether if polymorphic deserialization is not strictly required. Set TypeNameHandling to None.
      • Strict SerializationBinder: If TypeNameHandling must be used, implement a custom ISerializationBinder that whitelists only known, safe types. This binder should never allow arbitrary types based on user input. A robust, well-tested SerializationBinder is essential if TypeNameHandling is enabled.
      • Avoid Untrusted Input: Never deserialize JSON from untrusted sources with TypeNameHandling enabled, even with a SerializationBinder. The risk is too high.
      • Input Validation (Pre-Deserialization): While not a complete solution, validating the JSON structure before deserialization can help prevent some attacks. Look for and reject unexpected "$type" properties.
      • Least Privilege: Run the application with the lowest possible privileges to limit the damage an attacker can cause.

Threat: Denial of Service (DoS) via Deeply Nested Objects

  • Threat: Denial of Service (DoS) via Deeply Nested Objects
    • Description: An attacker sends a JSON payload containing deeply nested objects (e.g., arrays within arrays within arrays...). Processing this payload can consume excessive stack space or CPU resources, leading to a stack overflow or application hang, effectively causing a denial of service.
    • Impact: Application unavailability. Users cannot access the service.
    • Affected Component: JsonSerializer, JsonReader, JsonSerializerSettings.MaxDepth. The parsing and deserialization logic is affected.
    • Risk Severity: High
    • Mitigation Strategies:
      • Limit MaxDepth: Configure JsonSerializerSettings.MaxDepth to a reasonable value (e.g., 10-20). This limits the maximum depth of nested objects that Json.NET will process.
      • Input Size Limits: Enforce strict limits on the overall size of the JSON payload being processed.
      • Resource Monitoring: Monitor CPU and memory usage during deserialization. Terminate processing if thresholds are exceeded.
      • Input Validation: Validate the structure of the JSON before deserialization to detect and reject excessively nested structures.

Threat: Denial of Service (DoS) via Large String Allocation

  • Threat: Denial of Service (DoS) via Large String Allocation
    • Description: An attacker sends a JSON payload containing extremely long strings. Deserializing these strings can consume large amounts of memory, potentially leading to an OutOfMemoryException and a denial of service.
    • Impact: Application unavailability due to memory exhaustion.
    • Affected Component: JsonSerializer, JsonReader. The string handling during parsing and deserialization is the key area.
    • Risk Severity: High
    • Mitigation Strategies:
      • Input Size Limits: Enforce strict limits on the overall size of the JSON payload.
      • String Length Limits: Implement checks to limit the maximum length of individual strings within the JSON payload before deserialization.
      • Resource Monitoring: Monitor memory usage during deserialization and terminate processing if thresholds are exceeded.