Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JsonStringInput: accept decimal format for integer types #272

Merged
merged 7 commits into from
Jun 23, 2020
Merged

JsonStringInput: accept decimal format for integer types #272

merged 7 commits into from
Jun 23, 2020

Conversation

ghik
Copy link
Contributor

@ghik ghik commented Jun 19, 2020

No description provided.

@ghik ghik requested a review from ddworak June 19, 2020 08:09
ddworak
ddworak reviewed Jun 22, 2020
View reviewed changes
Copy link
Member

@ddworak ddworak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, please improve the test coverage for corner cases though, as they're now easier to be made inconsistent on further refactoring

commons-core/src/main/scala/com/avsystem/commons/serialization/json/JsonStringInput.scala Show resolved Hide resolved
commons-core/src/main/scala/com/avsystem/commons/serialization/json/JsonStringInput.scala Show resolved Hide resolved
commons-core/src/main/scala/com/avsystem/commons/serialization/json/JsonStringInput.scala Show resolved Hide resolved
commons-core/src/main/scala/com/avsystem/commons/serialization/json/JsonStringInput.scala Show resolved Hide resolved
plokhotnyuk
plokhotnyuk reviewed Jun 22, 2020
View reviewed changes
commons-core/src/main/scala/com/avsystem/commons/serialization/json/JsonStringInput.scala
def readLong(): Long = parseNumber { str =>
if (isInteger(str)) str.toLong
else {
val bd = BigDecimal(str, options.mathContext)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using BigDecimal for parsing of Long values opens ability for DoS/DoW attacks which exploit O(n^2) complexity of Java's way to parse big numbers from textual representations.

I've raised an issue for BigInt and BigDecimal types but now it goes to more widely used types.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@plokhotnyuk do you have a safe BigInt/BigDecimal parsing implementation that we could lend?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is the code which has O(n^1.5) complexity and checks limits for the scale and number of digits. I've used the following default values for them.

ddworak
ddworak approved these changes Jun 23, 2020
View reviewed changes
Copy link
Member

@ddworak ddworak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current part with tests LGTM. Feel free to continue the BigDecimal case here if you wish with @plokhotnyuk.

@ghik ghik merged commit 6bd97c8 into 1.x Jun 23, 2020
@ghik
Copy link
Contributor Author

ghik commented Jun 23, 2020

BigDecimal parsing problem will be addressed separately.

@ghik ghik deleted the parse-decimal-integers branch June 23, 2020 11:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@plokhotnyuk plokhotnyuk plokhotnyuk left review comments

@ddworak ddworak ddworak approved these changes

Assignees

@ddworak ddworak

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ghik @plokhotnyuk @ddworak