BUG#34728259: return unsafe numeric field values as strings

ruiquelhas · ruiquelhas · commit 4f1c0e25cf44 · 2022-10-27T14:50:43.000+01:00
When retrieving records in a JSON column, if a field contains an unsafe
numeric value, it is parsed as a JavaScript number from the
corresponding result set. This means that applications are dealing with
values that are loosing precision.

The reason for this to happen is that the connector is parsing JSON
strings as their corresponding plain JavaScript object counterparts for
the sake of convenience. This creates a problem wherein the native
"JSON.parse()" API automatically coerces a numeric value of a field to
the a JavaScript number and there is no way to override that behavior,
even using a "reviver", because the value is already coerced by that
point.

This patch addresses the issue by introducing a 3rd-party JSON parser
which is capable of "reviving" unsafe big numbers (which loose precision
when represented by JavaScript numbers), or even all numeric values as
JavaScript strings. This is the strategy already in place to parse
unsafe numeric values from explicit column data types such as BIGINT and
DECIMAL.

Change-Id: I30ad08d6088cf4d7388ec78d71c63119de5e34ad
diff --git a/lib/Protocol/Wrappers/Messages/Resultset/Row.js b/lib/Protocol/Wrappers/Messages/Resultset/Row.js
@@ -30,6 +30,7 @@
 
 'use strict';
 
+const JSON = require('../../../../json');
 const ResultsetStub = require('../../../Stubs/mysqlx_resultset_pb');
 const ServerMessagesStub = require('../../../Stubs/mysqlx_pb').ServerMessages;
 const bytes = require('../../ScalarValues/bytes');
@@ -171,7 +172,7 @@ function decodeOpaqueByteString (decoder, options) {
         return data;
     }
 
-    return JSON.parse(data);
+    return JSON(data).parse({ unsafeNumberAsString: true });
 }
 
 /**
diff --git a/lib/json.js b/lib/json.js
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License, version 2.0, as
+ * published by the Free Software Foundation.
+ *
+ * This program is also distributed with certain software (including
+ * but not limited to OpenSSL) that is licensed under separate terms,
+ * as designated in a particular file or component or in included license
+ * documentation.  The authors of MySQL hereby grant you an
+ * additional permission to link the program and your derivative works
+ * with the separately licensed software that they have included with
+ * MySQL.
+ *
+ * Without limiting anything contained in the foregoing, this file,
+ * which is part of MySQL Connector/Node.js, is also subject to the
+ * Universal FOSS Exception, version 1.0, a copy of which can be found at
+ * http://oss.oracle.com/licenses/universal-foss-exception.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License, version 2.0, for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+ */
+
+'use strict';
+
+const { isNumber, isSafeNumber, parse } = require('lossless-json');
+
+/**
+ * Custom JSON module that extends the functionality provided by the native
+ * JSON object.
+ * @private
+ * @param {string} json - A valid JSON string.
+ * @returns
+ */
+module.exports = (json) => ({
+    /**
+     * Parse the JSON string as a plain JavaScript object given specific
+     * transformation rules for large numeric values which loose precision
+     * if represented as JavaScript numbers.
+     * @private
+     * @param {boolean} [unsafeNumberAsString] - An option used to instruct
+     * the parser to return unsafe numeric values as JavaScript strings.
+     * @returns A plain JavaScript object.
+     */
+    parse ({ unsafeNumberAsString = false } = {}) {
+        return parse(json, null, x => {
+            if (isNumber(x) && isSafeNumber(x)) {
+                return Number(x);
+            }
+
+            if (isNumber(x) && !isSafeNumber(x) && !unsafeNumberAsString) {
+                return Number(x);
+            }
+
+            return x;
+        });
+    }
+});
diff --git a/package.json b/package.json
@@ -63,6 +63,7 @@
   },
   "dependencies": {
     "google-protobuf": "3.21.2",
+    "lossless-json": "2.0.1",
     "parsimmon": "1.18.1"
   },
   "engines": {
diff --git a/test/functional/default/document-store/collection-as-table.js b/test/functional/default/document-store/collection-as-table.js
@@ -90,4 +90,24 @@ describe('finding documents in collections using CRUD with a table API', () => {
                 });
         });
     });
+
+    context('BUG#34728259', () => {
+        const id = '1';
+        const signedBigInt = '-9223372036854775808';
+        const unsignedBigInt = '18446744073709551615';
+
+        beforeEach('populate collection', () => {
+            return session.sql(`INSERT INTO \`${schema.getName()}\`.\`${collection.getName()}\` (doc) VALUES ('{ "_id": "${id}", "signedBigInt": ${signedBigInt}, "unsignedBigInt": ${unsignedBigInt} }')`)
+                .execute();
+        });
+
+        it('returns unsafe numeric field values as strings', () => {
+            return schema.getCollectionAsTable(collection.getName())
+                .select('doc')
+                .execute()
+                .then(res => {
+                    return expect(res.fetchOne()).to.deep.equal([{ _id: id, signedBigInt, unsignedBigInt }]);
+                });
+        });
+    });
 });
diff --git a/test/functional/default/document-store/collection-find.js b/test/functional/default/document-store/collection-find.js
@@ -608,6 +608,25 @@ describe('finding documents in collections using CRUD', () => {
         });
     });
 
+    context('BUG#34728259', () => {
+        const signedBigInt = '-9223372036854775808';
+        const unsignedBigInt = '18446744073709551615';
+
+        beforeEach('populate collection', () => {
+            return session.sql(`INSERT INTO \`${schema.getName()}\`.\`${collection.getName()}\` (doc) VALUES ('{ "_id": "1", "signedBigInt": ${signedBigInt}, "unsignedBigInt": ${unsignedBigInt} }')`)
+                .execute();
+        });
+
+        it('returns unsafe numeric field values as strings', () => {
+            return collection.find()
+                .fields('signedBigInt', 'unsignedBigInt')
+                .execute()
+                .then(res => {
+                    return expect(res.fetchOne()).to.deep.equal({ signedBigInt, unsignedBigInt });
+                });
+        });
+    });
+
     context('when debug mode is enabled', () => {
         beforeEach('populate collection', () => {
             return collection.add({ name: 'foo', count: 2 })
diff --git a/test/functional/default/relational-tables/misc.js b/test/functional/default/relational-tables/misc.js
@@ -560,23 +560,24 @@ describe('relational miscellaneous tests', () => {
 
         context('BUG#34016587 values encoded as DECIMAL with precision loss', () => {
             beforeEach('create table', () => {
-                // A JavaScript number does not have enough precision to encode
-                // more than 17 corresponding DECIMAL digits in MySQL.
+                // A JavaScript number does not have enough precision to safely
+                // represent a decimal value with more than 16 decimal scale
+                // digits (sometimes even less depending on which digits).
                 return session.sql(`CREATE TABLE test (
-                        decimal_1 DECIMAL(18, 1),
-                        decimal_2 DECIMAL(18, 17),
-                        decimal_3 DECIMAL(18, 17),
-                        decimal_4 DECIMAL(18, 1))`)
+                        decimal_1 DECIMAL(17, 1),
+                        decimal_2 DECIMAL(17, 16),
+                        decimal_3 DECIMAL(17, 16),
+                        decimal_4 DECIMAL(17, 1))`)
                     .execute();
             });
 
             beforeEach('add fixtures', () => {
-                return session.sql('INSERT INTO test VALUES (-99999999999999999.9, -9.99999999999999999, 9.99999999999999999, 99999999999999999.9)')
+                return session.sql('INSERT INTO test VALUES (-9999999999999999.9, -9.9999999999999999, 9.9999999999999999, 9999999999999999.9)')
                     .execute();
             });
 
             it('decodes values using a string to avoid precision loss', () => {
-                const expected = [['-99999999999999999.9', '-9.99999999999999999', '9.99999999999999999', '99999999999999999.9']];
+                const expected = [['-9999999999999999.9', '-9.9999999999999999', '9.9999999999999999', '9999999999999999.9']];
 
                 return schema.getTable('test').select()
                     .execute()
diff --git a/test/functional/default/sql.js b/test/functional/default/sql.js
@@ -902,13 +902,16 @@ describe('raw SQL', () => {
         });
 
         context('JSON', () => {
+            const signedBigInt = '-9223372036854775808';
+            const unsignedBigInt = '18446744073709551615';
+
             beforeEach('create table', () => {
                 return session.sql('CREATE TABLE test (value JSON)')
                     .execute();
             });
 
-            beforeEach('add fixtures', () => {
-                return session.sql('INSERT INTO test VALUES (\'{"foo":"bar"}\')')
+            beforeEach('populate column', () => {
+                return session.sql(`INSERT INTO test (value) VALUES ('{ "signedBigInt": ${signedBigInt}, "unsignedBigInt": ${unsignedBigInt} }')`)
                     .execute();
             });
 
@@ -917,6 +920,16 @@ describe('raw SQL', () => {
                     .execute()
                     .then(res => expect(res.getColumns()[0].getType()).to.equal('JSON'));
             });
+
+            context('BUG#34728259', () => {
+                it('returns unsafe numeric field values as strings', () => {
+                    return session.sql('SELECT value FROM test')
+                        .execute()
+                        .then(res => {
+                            return expect(res.fetchOne()).to.deep.equal([{ signedBigInt, unsignedBigInt }]);
+                        });
+                });
+            });
         });
 
         context('STRING', () => {
@@ -1156,23 +1169,24 @@ describe('raw SQL', () => {
 
     context('BUG#34016587 values encoded as DECIMAL with precision loss', () => {
         beforeEach('create table', () => {
-            // A JavaScript number does not have enough precision to encode
-            // more than 17 corresponding DECIMAL digits in MySQL.
+            // A JavaScript number does not have enough precision to safely
+            // represent a decimal value with more than 16 decimal scale
+            // digits (sometimes even less depending on which digits).
             return session.sql(`CREATE TABLE test (
-                    decimal_1 DECIMAL(18, 1),
-                    decimal_2 DECIMAL(18, 17),
-                    decimal_3 DECIMAL(18, 17),
-                    decimal_4 DECIMAL(18, 1))`)
+                    decimal_1 DECIMAL(17, 1),
+                    decimal_2 DECIMAL(17, 16),
+                    decimal_3 DECIMAL(17, 16),
+                    decimal_4 DECIMAL(17, 1))`)
                 .execute();
         });
 
         beforeEach('add fixtures', () => {
-            return session.sql('INSERT INTO test VALUES (-99999999999999999.9, -9.99999999999999999, 9.99999999999999999, 99999999999999999.9)')
+            return session.sql('INSERT INTO test VALUES (-9999999999999999.9, -9.9999999999999999, 9.9999999999999999, 9999999999999999.9)')
                 .execute();
         });
 
         it('decodes values using a string to avoid precision loss', () => {
-            const expected = [['-99999999999999999.9', '-9.99999999999999999', '9.99999999999999999', '99999999999999999.9']];
+            const expected = [['-9999999999999999.9', '-9.9999999999999999', '9.9999999999999999', '9999999999999999.9']];
 
             return session.sql('select * from test')
                 .execute()
diff --git a/test/unit/json.js b/test/unit/json.js
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License, version 2.0, as
+ * published by the Free Software Foundation.
+ *
+ * This program is also distributed with certain software (including
+ * but not limited to OpenSSL) that is licensed under separate terms,
+ * as designated in a particular file or component or in included license
+ * documentation.  The authors of MySQL hereby grant you an
+ * additional permission to link the program and your derivative works
+ * with the separately licensed software that they have included with
+ * MySQL.
+ *
+ * Without limiting anything contained in the foregoing, this file,
+ * which is part of MySQL Connector/Node.js, is also subject to the
+ * Universal FOSS Exception, version 1.0, a copy of which can be found at
+ * http://oss.oracle.com/licenses/universal-foss-exception.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License, version 2.0, for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+ */
+
+'use strict';
+
+/* eslint-env node, mocha */
+
+const expect = require('chai').expect;
+const MyJSON = require('../../lib/json');
+
+describe('JSON', () => {
+    const signedBigInt = '-9223372036854775808';
+    const unsignedBigInt = '18446744073709551615';
+    const unsafeDecimal = '9.9999999999999999';
+    const json = `{ "a": "foo", "b": true, "c": false, "d": null, "e": 1234, "f": 1.234, "g": ${signedBigInt}, "h": ${unsignedBigInt}, "i": ${unsafeDecimal} }`;
+
+    context('parse()', () => {
+        it('returns the same output as the native JSON.parse() when the "unsafeNumberAsString" option is not enabled (default)', () => {
+            expect(MyJSON(json).parse()).to.deep.equal(JSON.parse(json));
+        });
+
+        it('returns unsafe values as strings when the "unsafeNumberAsString" option is enabled', () => {
+            const expected = { a: 'foo', b: true, c: false, d: null, e: 1234, f: 1.234, g: signedBigInt, h: unsignedBigInt, i: unsafeDecimal };
+            expect(MyJSON(json).parse({ unsafeNumberAsString: true })).to.deep.equal(expected);
+        });
+    });
+});

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@`
`30`	`30`
`31`	`31`	`'use strict';`
`32`	`32`
	`33`	`+const JSON = require('../../../../json');`
`33`	`34`	`const ResultsetStub = require('../../../Stubs/mysqlx_resultset_pb');`
`34`	`35`	`const ServerMessagesStub = require('../../../Stubs/mysqlx_pb').ServerMessages;`
`35`	`36`	`const bytes = require('../../ScalarValues/bytes');`
`@@ -171,7 +172,7 @@ function decodeOpaqueByteString (decoder, options) {`
`171`	`172`	`return data;`
`172`	`173`	`}`
`173`	`174`
`174`		`- return JSON.parse(data);`
	`175`	`+ return JSON(data).parse({ unsafeNumberAsString: true });`
`175`	`176`	`}`
`176`	`177`
`177`	`178`	`/**`