Merge pull request #283 from jrudolph/limit-size-of-numbers

CVE-2018-18853 Limit the number of characters for numbers in the parser, fixes #278
author: Johannes Rudolph <johannes.rudolph@gmail.com> 2018-11-08 10:38:05 +0100
committer: GitHub <noreply@github.com> 2018-11-08 10:38:05 +0100
commit: b2f485e695f8ba2789089f20d48554bb80c77396 (patch)
tree: 42dbd2c37a172f9534b33a04fbef589dfa5ea886
parent: d56d7f42134ffdc3266188c4a459780b699d8056 (diff)
parent: a8c45e7abb575705e5538c00d1113688197e1849 (diff)
download: spray-json-b2f485e695f8ba2789089f20d48554bb80c77396.tar.gz
spray-json-b2f485e695f8ba2789089f20d48554bb80c77396.tar.bz2
spray-json-b2f485e695f8ba2789089f20d48554bb80c77396.zip
3 files changed, 35 insertions, 5 deletions
diff --git a/src/main/scala/spray/json/JsonParser.scala b/src/main/scala/spray/json/JsonParser.scala
index 4a723b5..3efdac8 100644
--- a/src/main/scala/spray/json/JsonParser.scala
+++ b/src/main/scala/spray/json/JsonParser.scala
@@ -135,9 +135,19 @@ class JsonParser(input: ParserInput, settings: JsonParserSettings = JsonParserSe
     `int`()
     `frac`()
     `exp`()
+    val numberLength = input.cursor - start
+
     jsValue =
       if (startChar == '0' && input.cursor - start == 1) JsNumber.zero
-      else JsNumber(input.sliceCharArray(start, input.cursor))
+      else if (numberLength <= settings.maxNumberCharacters) JsNumber(input.sliceCharArray(start, input.cursor))
+      else {
+        val numberSnippet = new String(input.sliceCharArray(start, math.min(input.cursor, start + 20)))
+        throw new ParsingException("Number too long",
+          s"The number starting with '$numberSnippet' had " +
+          s"$numberLength characters which is more than the allowed limit maxNumberCharacters = ${settings.maxNumberCharacters}. If this is legit input " +
+          s"consider increasing the limit."
+        )
+      }
     ws()
   }
 
diff --git a/src/main/scala/spray/json/JsonParserSettings.scala b/src/main/scala/spray/json/JsonParserSettings.scala
index d07075e..b82c47d 100644
--- a/src/main/scala/spray/json/JsonParserSettings.scala
+++ b/src/main/scala/spray/json/JsonParserSettings.scala
@@ -12,16 +12,29 @@ trait JsonParserSettings {
   def maxDepth: Int
 
   /**
-   * Return a copy of this settings object with the `maxDepth` setting changed to the new value.
+   * Returns a copy of this settings object with the `maxDepth` setting changed to the new value.
    */
   def withMaxDepth(newValue: Int): JsonParserSettings
+
+  /**
+   * The maximum number of characters the parser should support for numbers. This is restricted because creating
+   * `BigDecimal`s with high precision can be very slow (approx. quadratic runtime per amount of characters).
+   */
+  def maxNumberCharacters: Int
+
+  /**
+   * Returns a copy of this settings object with the `maxNumberCharacters` setting changed to the new value.
+   */
+  def withMaxNumberCharacters(newValue: Int): JsonParserSettings
 }
 object JsonParserSettings {
   val default: JsonParserSettings = SettingsImpl()
 
   private case class SettingsImpl(
-    maxDepth: Int = 1000
+    maxDepth: Int = 1000,
+    maxNumberCharacters: Int = 100
   ) extends JsonParserSettings {
     override def withMaxDepth(newValue: Int): JsonParserSettings = copy(maxDepth = newValue)
+    override def withMaxNumberCharacters(newValue: Int): JsonParserSettings = copy(maxNumberCharacters = newValue)
   }
 }
 \ No newline at end of file
diff --git a/src/test/scala/spray/json/JsonParserSpec.scala b/src/test/scala/spray/json/JsonParserSpec.scala
index 9b849b3..1ca0ddc 100644
--- a/src/test/scala/spray/json/JsonParserSpec.scala
+++ b/src/test/scala/spray/json/JsonParserSpec.scala
@@ -118,8 +118,8 @@ class JsonParserSpec extends Specification {
     }
 
     "produce proper error messages" in {
-      def errorMessage(input: String) =
-        try JsonParser(input) catch { case e: JsonParser.ParsingException => e.getMessage }
+      def errorMessage(input: String, settings: JsonParserSettings = JsonParserSettings.default) =
+        try JsonParser(input, settings) catch { case e: JsonParser.ParsingException => e.getMessage }
 
       errorMessage("""[null, 1.23 {"key":true } ]""") ===
         """Unexpected character '{' at input index 12 (line 1, position 13), expected ']':
@@ -144,6 +144,13 @@ class JsonParserSpec extends Specification {
           |{}x
           |  ^
           |""".stripMargin
+
+      "reject numbers which are too big / have too high precision" in {
+        val settings = JsonParserSettings.default.withMaxNumberCharacters(5)
+        errorMessage("123.4567890", settings) ===
+          "Number too long:The number starting with '123.4567890' had 11 characters which is more than the allowed limit " +
+          "maxNumberCharacters = 5. If this is legit input consider increasing the limit."
+      }
     }
 
     "fail gracefully for deeply nested structures" in {
author	Johannes Rudolph <johannes.rudolph@gmail.com>	2018-11-08 10:38:05 +0100
committer	GitHub <noreply@github.com>	2018-11-08 10:38:05 +0100
commit	b2f485e695f8ba2789089f20d48554bb80c77396 (patch)
tree	42dbd2c37a172f9534b33a04fbef589dfa5ea886
parent	d56d7f42134ffdc3266188c4a459780b699d8056 (diff)
parent	a8c45e7abb575705e5538c00d1113688197e1849 (diff)
download	spray-json-b2f485e695f8ba2789089f20d48554bb80c77396.tar.gz spray-json-b2f485e695f8ba2789089f20d48554bb80c77396.tar.bz2 spray-json-b2f485e695f8ba2789089f20d48554bb80c77396.zip