Denial of service when parsing too long JSON numbers as double or float #1040
Comments
BTW, the simplest code to reproduce the problem:
Will anybody request a CVE number for this security issue?
Closing in cleanup run. If anyone cares about this, please comment and I'll reopen.
I would not close it blindly. It is a security issue: circe is vulnerable to DoS attacks from untrusted inputs that exploit
As far as I can see, it's fine to close this one, since #1363 remains open (and also includes information about how users can avoid the problem).
Sub-quadratic decrease of throughput as the length of the JSON number to parse increases.
On contemporary CPUs, parsing JSON numbers that are bound to doubles or floats and have 1000000 decimal digits (~1Mb) can take more than 14 seconds. Below are results of the benchmark, where the size parameter is the number of digits to parse:
Reproducible Test Case
To run these benchmarks on your JDK, install sbt and/or ensure that it is already installed properly, then check out the jsoniter-scala repo:
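Separately from the benchmark setup above, the following is an added example of the kind of guard a user of any JSON decoder can put in front of untrusted input; it is not code from circe, jsoniter-scala or this issue. It scans the raw document for the longest number token and refuses to decode documents whose numbers exceed a policy limit, so an input of the shape described in this issue (a number with a million digits) is rejected in one linear pass instead of being handed to the slow path. The limit `MAX_NUMBER_CHARS`, the function names and the sample documents are all constructed for illustration.

```python
import json

# Constructed policy limit: the longest number token (in characters) accepted
# from untrusted input. 32 comfortably covers any double or float literal a
# legitimate client would emit, while the 1000000-digit numbers from this
# issue are rejected before the decoder spends seconds on them.
MAX_NUMBER_CHARS = 32

# Characters that may appear inside a JSON number token once one has started.
_NUMBER_CHARS = set("0123456789+-.eE")


def longest_number_token(text: str) -> int:
    """Return the length of the longest number token found outside strings.

    This is a lightweight lexer, not a validator: it skips string literals
    (honouring backslash escapes), starts a number token only at '-' or a
    digit, and then consumes the run of digit, sign, dot and exponent
    characters. For well-formed JSON it never under-counts a number's length,
    so the guard can only reject more than strictly necessary, never less.
    """
    i, n = 0, len(text)
    longest = 0
    in_string = False
    while i < n:
        c = text[i]
        if in_string:
            if c == "\\":
                i += 2  # skip the escape and the escaped character
                continue
            if c == '"':
                in_string = False
            i += 1
            continue
        if c == '"':
            in_string = True
            i += 1
            continue
        if c == "-" or c in "0123456789":
            start = i
            while i < n and text[i] in _NUMBER_CHARS:
                i += 1
            longest = max(longest, i - start)
            continue
        i += 1
    return longest


def is_within_number_limit(text: str, max_number_chars: int = MAX_NUMBER_CHARS) -> bool:
    """True if no number token in the document exceeds the policy limit."""
    return longest_number_token(text) <= max_number_chars


def safe_loads(text: str, max_number_chars: int = MAX_NUMBER_CHARS):
    """Decode untrusted JSON only after the number-length guard has passed."""
    longest = longest_number_token(text)
    if longest > max_number_chars:
        raise ValueError(
            f"rejected: number token of {longest} chars exceeds limit of {max_number_chars}"
        )
    return json.loads(text)


if __name__ == "__main__":
    # Constructed sample documents.
    ok_doc = '{"price": 12.5, "id": "order-1234567890123456789012345678901234567890"}'
    hostile_doc = '{"x": ' + "1" * 1_000_000 + "}"  # the input shape this issue describes
    print(longest_number_token(ok_doc))  # digits inside the string value are ignored
    print(is_within_number_limit(hostile_doc))
    try:
        safe_loads(hostile_doc)
    except ValueError as exc:
        print(exc)
```

The guard is deliberately placed before decoding rather than after, because the cost this issue reports is incurred during number parsing itself; a check on the decoded value would come too late. A total payload size limit at the transport layer bounds the problem as well, but a per-token limit lets a service keep accepting large documents while still excluding pathological numbers.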