Add safe Jackson deserializers to prevent a DoS attack
Jackson uses `BigDecimal` for deserialization of `java.time` instants and durations. The problem is that if the user sets a very big number in scientific notation (like `1e1000000000`), it takes forever to convert the `BigDecimal` to a `BigInteger` in order to convert it to a long value. An example of the stack trace:

```java
@Test(timeout = 2000)
public void parseBigDecimal() {
    new BigDecimal("1e1000000000").longValue();
}
```

```
at java.math.BigInteger.squareToomCook3(BigInteger.java:2074)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2053)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2051)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2055)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.pow(BigInteger.java:2306)
at java.math.BigDecimal.bigTenToThe(BigDecimal.java:3543)
at java.math.BigDecimal.bigMultiplyPowerTen(BigDecimal.java:3676)
at java.math.BigDecimal.setScale(BigDecimal.java:2445)
at java.math.BigDecimal.toBigInteger(BigDecimal.java:3025)
```

A fix would be to reject big decimal values outside of the Instant and Duration ranges.

See:
[1] FasterXML/jackson-databind#2141
[2] https://reddit.com/r/java/comments/9jyv58/lowbandwidth_dos_vulnerability_in_jacksons/
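The range check the commit message proposes, written out as an added, self-contained example (this is not the commit's own code and does not depend on Jackson; the class `SafeDecimalTime` and its method names are my own). The point it demonstrates is ordering: `BigDecimal.compareTo` first compares adjusted exponents and only rescales when they match, so an out-of-range value such as `1e1000000000` is rejected before any call that would trigger the expensive `setScale`/`bigTenToThe` path seen in the stack trace. Values below nanosecond resolution (for example `1e-1000000000`, whose scale is huge in the other direction) are treated as zero for the same reason, and a cap on significant digits bounds the cost of the final rescaling.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;

/** Added example: bounded conversion of decimal seconds into java.time values. */
public final class SafeDecimalTime {
    // More digits than any real timestamp carries; bounds the work done by setScale below.
    private static final int MAX_PRECISION = 40;
    private static final BigDecimal ONE_NANO = BigDecimal.valueOf(1, 9); // 0.000000001
    private static final BigDecimal MAX_FRACTION = new BigDecimal("0.999999999");

    private static final BigDecimal INSTANT_MIN = BigDecimal.valueOf(Instant.MIN.getEpochSecond());
    private static final BigDecimal INSTANT_MAX =
            BigDecimal.valueOf(Instant.MAX.getEpochSecond()).add(MAX_FRACTION);
    private static final BigDecimal DURATION_MIN = BigDecimal.valueOf(Long.MIN_VALUE);
    private static final BigDecimal DURATION_MAX = BigDecimal.valueOf(Long.MAX_VALUE).add(MAX_FRACTION);

    /**
     * Splits a decimal seconds value into {seconds, nanoAdjustment}. Every check that can
     * reject the input runs before any operation that rescales the BigDecimal.
     */
    static long[] toSecondsAndNanos(BigDecimal value, BigDecimal min, BigDecimal max) {
        // compareTo compares (precision - scale) first, so this is cheap even for 1e1000000000.
        if (value.compareTo(min) < 0 || value.compareTo(max) > 0) {
            throw new DateTimeException("decimal seconds out of range: " + describe(value));
        }
        // Below nanosecond resolution the value is zero for java.time purposes. This also
        // short-circuits tiny values with a huge positive scale, e.g. 1e-1000000000.
        if (value.abs().compareTo(ONE_NANO) < 0) {
            return new long[] {0L, 0L};
        }
        // In range and at least 1 ns in magnitude, so scale < precision + 9. Capping the
        // precision therefore caps how many digits setScale has to drop.
        if (value.precision() > MAX_PRECISION) {
            throw new DateTimeException("too many significant digits: " + value.precision());
        }
        BigDecimal nanos = value.setScale(9, RoundingMode.DOWN);
        BigDecimal[] parts = nanos.divideAndRemainder(BigDecimal.ONE);
        long seconds = parts[0].longValueExact();
        long nanoAdjustment = parts[1].movePointRight(9).longValueExact(); // negative for negative input
        return new long[] {seconds, nanoAdjustment};
    }

    public static Instant toInstant(BigDecimal epochSeconds) {
        long[] p = toSecondsAndNanos(epochSeconds, INSTANT_MIN, INSTANT_MAX);
        return Instant.ofEpochSecond(p[0], p[1]); // handles a negative nano adjustment
    }

    public static Duration toDuration(BigDecimal seconds) {
        long[] p = toSecondsAndNanos(seconds, DURATION_MIN, DURATION_MAX);
        return Duration.ofSeconds(p[0], p[1]);
    }

    /** Describes a value without calling toString() on an enormous unscaled number. */
    private static String describe(BigDecimal v) {
        return "precision=" + v.precision() + ", scale=" + v.scale();
    }

    public static void main(String[] args) {
        System.out.println(toInstant(new BigDecimal("1.5")));          // 1970-01-01T00:00:01.500Z
        System.out.println(toInstant(new BigDecimal("-1.5")));         // 1969-12-31T23:59:58.500Z
        System.out.println(toDuration(new BigDecimal("1e-1000000000"))); // PT0S, returned immediately

        // The input from the commit message: rejected before any BigInteger work happens.
        long start = System.nanoTime();
        try {
            toInstant(new BigDecimal("1e1000000000"));
        } catch (DateTimeException e) {
            System.out.println("rejected in " + (System.nanoTime() - start) / 1_000_000 + " ms: " + e.getMessage());
        }
    }
}
```

To use this from Jackson, a `JsonDeserializer<Instant>` would read the token with `JsonParser.getDecimalValue()` and pass the result to `toInstant` instead of calling `longValue()` on it; the same helper serves a `Duration` deserializer. The `describe` helper deliberately avoids `BigDecimal.toString()` on the rejected value, since rendering a number with a billion digits is itself a way to spend a lot of CPU on an attacker-supplied input.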