Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fail earlier on coercions from "too big" BigInteger into fixed-size types (int, long, short) #488

Closed
cowtowncoder opened this issue Oct 16, 2018 · 2 comments
Closed

Fail earlier on coercions from "too big" BigInteger into fixed-size types (int, long, short) #488

cowtowncoder opened this issue Oct 16, 2018 · 2 comments
Milestone
2.9.8

Comments

@cowtowncoder
Copy link
Member

(note: offshoot of FasterXML/jackson-databind#2157)

There is a potential Denial-of-Service attack vector in which attacker may include long BigIntegers, with size like 1 million digits (which is still feasible to send), targeted at processing that expects one of Java's fixed-length "small" integer types (int, long most commonly), and cause asymmetrically high processing load. This because JDK's conversion from BigInteger to these types is surprisingly slow; and because Jackson tries to retain accuracy
cowtowncoder added a commit that referenced this issue Oct 16, 2018
@cowtowncoder
Start work on #488
a51fb6d
@cowtowncoder
Copy link
Member Author

Note to self: first patch covers cases where int, long are expected for _parseSlowInt(). But it was suggested cases for float and double (from JSON integer) should also be handled -- this is probably true, but I need to make sure I understand where this code path comes from, and then apply appropriately.

cowtowncoder added a commit that referenced this issue Oct 20, 2018
@cowtowncoder
More work for #488, now handling coercions to double, float bette…
b6c54cf 
…r to avoid drastic performance issue as per suggestions by @wujimin
cowtowncoder added a commit that referenced this issue Oct 30, 2018
@cowtowncoder
Update release notes wrt #488
29a438d
@cowtowncoder cowtowncoder modified the milestones: 2.9.0, 2.9.8 Oct 30, 2018
@cowtowncoder
Copy link
Member Author

I think I will consider first part done; if and when potential gaps are found let's create new issues.

@enortonAtAdobe enortonAtAdobe mentioned this issue Jan 8, 2019
Merged
10 tasks
@GFriedrich GFriedrich mentioned this issue Jan 10, 2019
Closed
@QiAnXinCodeSafe QiAnXinCodeSafe mentioned this issue Oct 9, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.9.8
Development

No branches or pull requests
1 participant
@cowtowncoder