You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is a followup for #90
I've just read about CVE-2018-1000873 and found more issues like these that result in a possible DoS where used within a service.
To make it more plastic, I've decided to create a table for this (feel free to split up the ticket to jackson-core too - I didn't want to create tickets in several projects at once):
🆗 = not affected (those with * may be affected when using USE_BIG_DECIMAL_FOR_FLOATS or USE_BIG_INTEGER_FOR_INTS as deserialization feature)
#XXX = fixed via the given ticket
❌ = still vulnerable
Those columns that have two values are using different code path for native numbers (first value) or numbers that are handed over as string (second value).
So as you can see, there are still several possible attack vectors.
I'm aware that you most probably don't want to change those for Number, BigInteger and BigDecimal as this may result in reduced precision. But you need to make clear for developers at some place, that using these types may result in a possible degradation of service.
What I'm worried most about are those open issues for Instant (and those using the same deserializer) and Duration. I think those need to get fixed sooner than later.
(I don't guarantee that this list is complete nor that it is correct, as most of the value were written down after reading the code - only some of them have been checked.)
The text was updated successfully, but these errors were encountered:
Thank you for listing potential vulnerabilities. I am not really sure what to do here, to be honest.
But maybe someone has concrete suggestions. I do think that actual work will need to be split, and in most cases would end up either in jackson-databind (for Number deserialization, if any), or this module for Instant, Duration.
Jsoniter-scala when parsingBigDecimal checks two configurable limits which have safe defaults: 1st one is for the number of significant digits and a 2nd one for the scale.
This is a followup for #90
I've just read about CVE-2018-1000873 and found more issues like these that result in a possible DoS where used within a service.
To make it more plastic, I've decided to create a table for this (feel free to split up the ticket to
jackson-core
too - I didn't want to create tickets in several projects at once):🆗 = not affected (those with * may be affected when using
USE_BIG_DECIMAL_FOR_FLOATS
orUSE_BIG_INTEGER_FOR_INTS
as deserialization feature)#XXX = fixed via the given ticket
❌ = still vulnerable
Those columns that have two values are using different code path for native numbers (first value) or numbers that are handed over as string (second value).
So as you can see, there are still several possible attack vectors.
I'm aware that you most probably don't want to change those for Number, BigInteger and BigDecimal as this may result in reduced precision. But you need to make clear for developers at some place, that using these types may result in a possible degradation of service.
What I'm worried most about are those open issues for Instant (and those using the same deserializer) and Duration. I think those need to get fixed sooner than later.
(I don't guarantee that this list is complete nor that it is correct, as most of the value were written down after reading the code - only some of them have been checked.)
The text was updated successfully, but these errors were encountered: