A server using canonical JSON could be attacked by submitting a JSON object such as:
```json
{
  "int" : 1e1000000000
}
```
This would be expanded to occupy a gigabyte of memory as the integer is rendered into canonical form. The ability to place a very high load on the server's memory with very small messages can easily be used to cause a denial-of-service attack.
To rectify this, I suggest that the canonical form for integers be changed to specify a maximum number of trailing zeros. I suggest two possible rules:
Put all integers into their most compact representation. If an integer has 3 or more trailing zeros, it should have an exponential component, so "1000" becomes "1e3". This provides a consistent representation for all integers and completely blocks the attack.
or
Put all integers with 20 or more trailing zeros into exponential form. A number with 21 or more total digits cannot be expressed in 64 bits, so it exceeds the precision of common integer representations. This still permits the expansion of "1e19", but that is only a fivefold increase in size. I think this provides a reasonable limit on the use of trailing zeros which would affect a very small number of existing documents.
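The following is an added illustration of the two proposed rules, not code from this issue or from any canonical JSON implementation. It canonicalizes an integer literal by working on the literal's text (mantissa digits plus decimal exponent) so that the trailing-zero count is computed arithmetically and the expanded digit string is never materialized; the function names `canonical_int` and `expanded_length` and the `min_trailing_zeros` parameter are assumptions made for this example. `expanded_length` shows what a naive canonicalizer would have to allocate for the same input, which is the quantity a server-side size limit would check before rendering.

```python
import re

# Integer literal as it appears in JSON text: optional sign, digits, optional
# non-negative decimal exponent. Fractions and negative exponents are rejected
# because they cannot denote an integer in this scheme.
_INT_LITERAL = re.compile(r"^(-?)(\d+)(?:[eE]\+?(\d+))?$")


def _split(literal: str):
    """Return (sign, significant digits, total trailing zeros) without expanding."""
    m = _INT_LITERAL.match(literal.strip())
    if m is None:
        raise ValueError(f"not an integer literal: {literal!r}")
    sign, digits, exp = m.groups()
    exponent = int(exp) if exp else 0          # int() on the exponent text, not 10**exp
    digits = digits.lstrip("0") or "0"
    if digits == "0":
        return "", "0", 0
    stripped = digits.rstrip("0")
    # Trailing zeros = zeros in the mantissa + zeros implied by the exponent.
    trailing = (len(digits) - len(stripped)) + exponent
    return sign, stripped, trailing


def expanded_length(literal: str) -> int:
    """Bytes a naive 'write every digit' canonicalizer would produce."""
    sign, stripped, trailing = _split(literal)
    return len(sign) + len(stripped) + trailing


def canonical_int(literal: str, min_trailing_zeros: int = 3) -> str:
    """Canonical form under a 'max trailing zeros' rule.

    min_trailing_zeros=3 is the first proposal ("1000" -> "1e3");
    min_trailing_zeros=20 is the second (only 20+ zeros go exponential).
    Output length is bounded by the input length, so a tiny literal can
    never turn into a gigabyte of digits.
    """
    sign, stripped, trailing = _split(literal)
    if stripped == "0":
        return "0"
    if trailing >= min_trailing_zeros:
        return f"{sign}{stripped}e{trailing}"
    return f"{sign}{stripped}{'0' * trailing}"


def within_budget(literal: str, max_expanded_bytes: int) -> bool:
    """Guard for implementations that must expand: reject before allocating."""
    return expanded_length(literal) <= max_expanded_bytes


if __name__ == "__main__":
    hostile = "1e1000000000"                    # the literal from the issue
    print(expanded_length(hostile))             # ~1 GB if expanded naively
    print(canonical_int(hostile))               # stays "1e1000000000"
    print(canonical_int("1000"))                # rule 1: "1e3"
    print(canonical_int("1e19", 20))            # rule 2: 20 digits, fivefold growth
    print(within_budget(hostile, 1 << 20))      # False: reject before rendering
```

Under rule 1 the output is never longer than the input, so the attack in the issue cannot inflate memory at all; under rule 2 the worst case is the 20-digit expansion of "1e19" that the proposal accepts. An implementation that still expands numbers (for example to compare them) can call `within_budget` first, which costs only a regex match and a small integer parse.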