Denial of service when parsing too long JSON numbers as double or float

[plokhotnyuk]

Sub-quadratic decreasing of throughput when length of the JSON number to parse is increasing.

On contemporary CPUs parsing of such JSON numbers that are bound on doubles or floats and has 1000000 decimal digits (~1Mb) can took more than 14 seconds. Below are results of the benchmark where the size parameter is a number of digits to parse:

[info] REMEMBER: The numbers below are just data. To gain reusable insights, you need to follow up on
[info] why the numbers are the way they are. Use profilers (see -prof, -lprof), design factorial
[info] experiments, perform baseline and negative tests that provide experimental control, make sure
[info] the benchmarking environment is safe on JVM/OS/HW level, ask for reviews from the domain experts.
[info] Do not assume the numbers tell you what you want them to tell.
[info] Benchmark                              (size)   Mode  Cnt         Score         Error  Units
[info] DoubleBenchmark.readCirce                   1  thrpt    5  13406952.737 ± 2032432.395  ops/s
[info] DoubleBenchmark.readCirce                  10  thrpt    5  10997675.235 ±  619560.310  ops/s
[info] DoubleBenchmark.readCirce                 100  thrpt    5    351697.951 ±    4377.854  ops/s
[info] DoubleBenchmark.readCirce                1000  thrpt    5     19590.316 ±    1601.505  ops/s
[info] DoubleBenchmark.readCirce               10000  thrpt    5       482.626 ±       2.149  ops/s
[info] DoubleBenchmark.readCirce              100000  thrpt    5         6.579 ±       0.629  ops/s
[info] DoubleBenchmark.readCirce             1000000  thrpt    5         0.071 ±       0.005  ops/s

Reproducible Test Case

To run that benchmarks on your JDK:

1. Install latest version of sbt and/or ensure that it already installed properly:

sbt about

2. Clone jsoniter-scala repo:

git clone https://github.com/plokhotnyuk/jsoniter-scala.git

3. Enter to the cloned directory and checkout for the specific branch:

cd jsoniter-scala
git checkout circe-DoS-for-doubles-and-floats

4. Run benchmarks using a path parameter to your JDK:

sbt -no-colors 'jsoniter-scala-benchmark/jmh:run -jvm /usr/lib/jvm/jdk-11/bin/java -wi 2 -i 5 DoubleBenchmark.*Circe.*'

[plokhotnyuk]

BTW, BigDecimal and BigInt types are still vulnerable.

The simplest code to reproduce the problem:

io.circe.parser.decode[BigInt]("9" * 1000000)

Will anybody request a CVE number for this security issue?

[hamnis]

Closing in cleanup run, If anyone cares about this, please comment and I'll reopen.

[plokhotnyuk]

I would not close it blindly.

It is a security issue, circe is vulnerable under DoS attacks from untrusted inputs that exploit O(n^2) complexity of BigInt parsing.

[SethTisue]

as far as I can see, it's fine to close this one, since #1363 remains open (and also includes information about how users can avoid the problem)