[Eclipse Parsson] DoS vulnerability
## Basic information
**Project name:** Eclipse Parsson
**Project id:** https://github.com/eclipse-ee4j/parsson
## What are the affected versions?
All
## Details of the issue
It is possible to cause an OutOfMemoryError, resulting in a denial of service, by sending a sufficiently large JSON string to Parsson. This is particularly problematic for applications that accept `"application/json"` on public endpoints.
## Steps to reproduce
```java
// factory is a JsonReaderFactory (jakarta.json.JsonReaderFactory) and json is the untrusted input string
try (JsonReader reader = factory.createReader(new StringReader(json))) {
    reader.readObject(); // builds the entire JSON tree in memory before returning
}
```
For the above, if a large enough `json` String is passed in, it will cause an OutOfMemoryError. From testing, Parsson uses ~7-8x the memory of the JSON being parsed to do the parsing, so a heap of 512MB can be exhausted by a 100MB JSON file.
Where this becomes particularly problematic is a RESTful web services endpoint that uses JSON Binding like this:
```java
@POST
@Path("/box")
@Consumes(MediaType.APPLICATION_JSON)
public void processBox(Box box) {
    // JSON-B deserializes the request body into Box via Parsson before this method runs
}
```
For that endpoint, Parsson processes the JSON before the method body is reached, so if a large enough JSON document is sent in the POST request, it will cause an OutOfMemoryError.
## Do you know any mitigations of the issue?
No known mitigations, but I do have a fix created locally. It sets a configurable limit for what the parser will parse before throwing an exception. It uses a reasonable default that allows parsing files around 13MB (greater than the more common limit I've seen of 10MB) while keeping memory under 100MB, which should fit even on a very small VM.
I'm happy to open a PR, but I want the project team informed ahead of time so it can be merged and a new release created relatively quickly. Parsson isn't a particularly active project and I don't want to have the PR sitting around explaining the exploit without a fixed version available.
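As an added illustration of the limiting approach described in the mitigation above (this is not the reporter's patch or Parsson code): a caller-side `Reader` wrapper that aborts the parse once more than a configured number of characters has been consumed, so an oversized body fails fast instead of exhausting the heap. `MAX_JSON_CHARS`, `BoundedReader` and `parseBounded` are names chosen for this example; it assumes Parsson surfaces the reader's `IOException` as a `jakarta.json.JsonException`.

```java
import jakarta.json.Json;
import jakarta.json.JsonException;
import jakarta.json.JsonObject;
import jakarta.json.JsonReader;
import jakarta.json.JsonReaderFactory;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

/** Reader that fails once more than maxChars characters have been handed to the parser. */
final class BoundedReader extends Reader {
    private final Reader delegate;
    private final long maxChars;
    private long consumed;

    BoundedReader(Reader delegate, long maxChars) {
        this.delegate = delegate;
        this.maxChars = maxChars;
    }

    @Override
    public int read(char[] buf, int off, int len) throws IOException {
        int n = delegate.read(buf, off, len);
        if (n > 0 && (consumed += n) > maxChars) {
            // The check runs per buffer fill, so the overshoot is at most one read-ahead buffer.
            throw new IOException("JSON input exceeds limit of " + maxChars + " characters");
        }
        return n;
    }

    @Override
    public void close() throws IOException { delegate.close(); }
}

public class BoundedJsonParse {
    // Illustrative limit; size it to the largest legitimate payload the endpoint expects.
    static final long MAX_JSON_CHARS = 1_000_000;
    static final JsonReaderFactory FACTORY = Json.createReaderFactory(null);

    static JsonObject parseBounded(String json) {
        try (JsonReader reader = FACTORY.createReader(
                new BoundedReader(new StringReader(json), MAX_JSON_CHARS))) {
            return reader.readObject();
        }
    }

    public static void main(String[] args) {
        System.out.println(parseBounded("{\"box\":{\"w\":1}}").getJsonObject("box"));
        String huge = "{\"pad\":\"" + "x".repeat(2_000_000) + "\"}"; // constructed oversized input
        try { parseBounded(huge); } catch (JsonException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In a JAX-RS service the same wrapper belongs in a `MessageBodyReader` or a request filter applied before JSON-B runs, since the `processBox` method above is never reached for an oversized body.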