Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add safe Jackson deserializers to prevent a DoS attack
Jackson uses `BigDecimal` for deserilization of `java.time` instants
and durations. The problem is that if the users sets a very
big number in the scientific notation (like `1e1000000000`), it
takes forever to convert `BigDecimal` to `BigInteger` to convert it to a long value. An example of the stack trace:
```
@test(timeout = 2000)
public void parseBigDecimal(){
new BigDecimal("1e1000000000").longValue();
}
at java.math.BigInteger.squareToomCook3(BigInteger.java:2074)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2053)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2051)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2055)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
at java.math.BigInteger.square(BigInteger.java:1899)
at java.math.BigInteger.pow(BigInteger.java:2306)
at java.math.BigDecimal.bigTenToThe(BigDecimal.java:3543)
at java.math.BigDecimal.bigMultiplyPowerTen(BigDecimal.java:3676)
at java.math.BigDecimal.setScale(BigDecimal.java:2445)
at java.math.BigDecimal.toBigInteger(BigDecimal.java:3025)
```
A fix would be to reject big decimal values outside of the Instant
and Duration ranges.
See:
[1] FasterXML/jackson-databind#2141
[2] https://reddit.com/r/java/comments/9jyv58/lowbandwidth_dos_vulnerability_in_jacksons/- Loading branch information
