diff options
author | Johannes Rudolph <johannes.rudolph@gmail.com> | 2018-10-30 16:50:23 +0100 |
---|---|---|
committer | Johannes Rudolph <johannes.rudolph@gmail.com> | 2018-11-07 15:27:18 +0100 |
commit | a8c45e7abb575705e5538c00d1113688197e1849 (patch) | |
tree | 42dbd2c37a172f9534b33a04fbef589dfa5ea886 /src/main/scala/spray/json/JsonParser.scala | |
parent | d56d7f42134ffdc3266188c4a459780b699d8056 (diff) | |
download | spray-json-a8c45e7abb575705e5538c00d1113688197e1849.tar.gz spray-json-a8c45e7abb575705e5538c00d1113688197e1849.tar.bz2 spray-json-a8c45e7abb575705e5538c00d1113688197e1849.zip |
CVE-2018-18853 Limit the number of characters for numbers in the parser, fixes #278
BigInteger/BigDecimal seems to have approx. quadratic runtime for instantiating big numbers
from Strings. Lacking a better solution we introduce a character limit for
numbers. According to the benchmarks from #278, at 100 digits the constant/linear
parts still predominate over the quadratic slowdowns seen with 10000+ digits.
Diffstat (limited to 'src/main/scala/spray/json/JsonParser.scala')
-rw-r--r-- | src/main/scala/spray/json/JsonParser.scala | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/main/scala/spray/json/JsonParser.scala b/src/main/scala/spray/json/JsonParser.scala index 4a723b5..3efdac8 100644 --- a/src/main/scala/spray/json/JsonParser.scala +++ b/src/main/scala/spray/json/JsonParser.scala @@ -135,9 +135,19 @@ class JsonParser(input: ParserInput, settings: JsonParserSettings = JsonParserSe `int`() `frac`() `exp`() + val numberLength = input.cursor - start + jsValue = if (startChar == '0' && input.cursor - start == 1) JsNumber.zero - else JsNumber(input.sliceCharArray(start, input.cursor)) + else if (numberLength <= settings.maxNumberCharacters) JsNumber(input.sliceCharArray(start, input.cursor)) + else { + val numberSnippet = new String(input.sliceCharArray(start, math.min(input.cursor, start + 20))) + throw new ParsingException("Number too long", + s"The number starting with '$numberSnippet' had " + + s"$numberLength characters which is more than the allowed limit maxNumberCharacters = ${settings.maxNumberCharacters}. If this is legit input " + + s"consider increasing the limit." + ) + } ws() } |