Add limits when deserializing BigDecimal and BigInteger

gson/src/main/java/com/google/gson/JsonPrimitive.java

@@ -17,6 +17,7 @@
 package com.google.gson;
 
 import com.google.gson.internal.LazilyParsedNumber;
+import com.google.gson.internal.NumberLimits;
 import java.math.BigDecimal;
 import java.math.BigInteger;
 import java.util.Objects;
@@ -172,7 +173,7 @@ public double getAsDouble() {
  */
  @Override
  public BigDecimal getAsBigDecimal() {
- return value instanceof BigDecimal ? (BigDecimal) value : new BigDecimal(getAsString());
+ return value instanceof BigDecimal ? (BigDecimal) value : NumberLimits.parseBigDecimal(getAsString());
  }
 
  /**
@@ -184,7 +185,7 @@ public BigInteger getAsBigInteger() {
  ? (BigInteger) value
  : isIntegral(this)
  ? BigInteger.valueOf(this.getAsNumber().longValue())
- : new BigInteger(this.getAsString());
+ : NumberLimits.parseBigInteger(this.getAsString());
  }
 
  /**

gson/src/main/java/com/google/gson/ToNumberPolicy.java

@@ -17,6 +17,7 @@
 package com.google.gson;
 
 import com.google.gson.internal.LazilyParsedNumber;
+import com.google.gson.internal.NumberLimits;
 import com.google.gson.stream.JsonReader;
 import com.google.gson.stream.MalformedJsonException;
 import java.io.IOException;
@@ -89,7 +90,7 @@ public enum ToNumberPolicy implements ToNumberStrategy {
  @Override public BigDecimal readNumber(JsonReader in) throws IOException {
  String value = in.nextString();
  try {
- return new BigDecimal(value);
+ return NumberLimits.parseBigDecimal(value);
  } catch (NumberFormatException e) {
  throw new JsonParseException("Cannot parse " + value + "; at path " + in.getPreviousPath(), e);
  }

gson/src/main/java/com/google/gson/internal/LazilyParsedNumber.java

@@ -35,6 +35,10 @@ public LazilyParsedNumber(String value) {
  this.value = value;
  }
 
+ private BigDecimal asBigDecimal() {
+ return NumberLimits.parseBigDecimal(value);
+ }
+
  @Override
  public int intValue() {
  try {
@@ -43,7 +47,7 @@ public int intValue() {
  try {
  return (int) Long.parseLong(value);
  } catch (NumberFormatException nfe) {
- return new BigDecimal(value).intValue();
+ return asBigDecimal().intValue();
  }
  }
  }
@@ -53,7 +57,7 @@ public long longValue() {
  try {
  return Long.parseLong(value);
  } catch (NumberFormatException e) {
- return new BigDecimal(value).longValue();
+ return asBigDecimal().longValue();
  }
  }
 
@@ -78,7 +82,7 @@ public String toString() {
  * deserialize it.
  */
  private Object writeReplace() throws ObjectStreamException {
- return new BigDecimal(value);
+ return asBigDecimal();
  }
 
  private void readObject(ObjectInputStream in) throws IOException {

gson/src/main/java/com/google/gson/internal/NumberLimits.java

@@ -0,0 +1,37 @@
+package com.google.gson.internal;
+
+import java.math.BigDecimal;
+import java.math.BigInteger;
+
+/**
+ * This class enforces limits on numbers parsed from JSON to avoid potential performance
+ * problems when extremely large numbers are used.
+ */
+public class NumberLimits {
+ private NumberLimits() {
+ }
+
+ private static final int MAX_NUMBER_STRING_LENGTH = 10_000;
+
+ private static void checkNumberStringLength(String s) {
+ if (s.length() > MAX_NUMBER_STRING_LENGTH) {
+ throw new NumberFormatException("Number string too large: " + s.substring(0, 30) + "...");
+ }
+ }
+
+ public static BigDecimal parseBigDecimal(String s) throws NumberFormatException {
+ checkNumberStringLength(s);
+ BigDecimal decimal = new BigDecimal(s);
+
+ // Cast to long to avoid issues with abs when value is Integer.MIN_VALUE
+ if (Math.abs((long) decimal.scale()) >= 10_000) {
+ throw new NumberFormatException("Number has unsupported scale: " + s);
+ }
+ return decimal;
+ }
+
+ public static BigInteger parseBigInteger(String s) throws NumberFormatException {
+ checkNumberStringLength(s);
+ return new BigInteger(s);
+ }
+}

gson/src/main/java/com/google/gson/internal/bind/TypeAdapters.java

@@ -28,6 +28,7 @@
 import com.google.gson.TypeAdapterFactory;
 import com.google.gson.annotations.SerializedName;
 import com.google.gson.internal.LazilyParsedNumber;
+import com.google.gson.internal.NumberLimits;
 import com.google.gson.internal.TroubleshootingGuide;
 import com.google.gson.reflect.TypeToken;
 import com.google.gson.stream.JsonReader;
@@ -437,7 +438,7 @@ public void write(JsonWriter out, String value) throws IOException {
  }
  String s = in.nextString();
  try {
- return new BigDecimal(s);
+ return NumberLimits.parseBigDecimal(s);
  } catch (NumberFormatException e) {
  throw new JsonSyntaxException("Failed parsing '" + s + "' as BigDecimal; at path " + in.getPreviousPath(), e);
  }
@@ -456,7 +457,7 @@ public void write(JsonWriter out, String value) throws IOException {
  }
  String s = in.nextString();
  try {
- return new BigInteger(s);
+ return NumberLimits.parseBigInteger(s);
  } catch (NumberFormatException e) {
  throw new JsonSyntaxException("Failed parsing '" + s + "' as BigInteger; at path " + in.getPreviousPath(), e);
  }

gson/src/test/java/com/google/gson/functional/NumberLimitsTest.java

@@ -0,0 +1,185 @@
+package com.google.gson.functional;
+
+import static com.google.common.truth.Truth.assertThat;
+import static org.junit.Assert.assertThrows;
+
+import com.google.gson.Gson;
+import com.google.gson.JsonParseException;
+import com.google.gson.JsonPrimitive;
+import com.google.gson.JsonSyntaxException;
+import com.google.gson.ToNumberPolicy;
+import com.google.gson.ToNumberStrategy;
+import com.google.gson.TypeAdapter;
+import com.google.gson.internal.LazilyParsedNumber;
+import com.google.gson.stream.JsonReader;
+import com.google.gson.stream.JsonToken;
+import com.google.gson.stream.MalformedJsonException;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.io.OutputStream;
+import java.io.StringReader;
+import java.math.BigDecimal;
+import java.math.BigInteger;
+import org.junit.Test;
+
+public class NumberLimitsTest {
+ private static final int MAX_LENGTH = 10_000;
+
+ private static JsonReader jsonReader(String json) {
+ return new JsonReader(new StringReader(json));
+ }
+
+ /**
+ * Tests how {@link JsonReader} behaves for large numbers.
+ *
+ * <p>Currently {@link JsonReader} itself does not enforce any limits.
+ * The reasons for this are:
+ * <ul>
+ * <li>Methods such as {@link JsonReader#nextDouble()} seem to have no problem
+ * parsing extremely large or small numbers (it rounds to 0 or Infinity)
+ * (to be verified?; if it had performance problems with certain numbers, then
+ * it would affect other parts of Gson which parse as float or double as well)
+ * <li>Enforcing limits only when a JSON number is encountered would be ineffective
+ * unless users explicitly call {@link JsonReader#peek()} and check if the value
+ * is a JSON number. Otherwise the limits could be circumvented because
+ * {@link JsonReader#nextString()} reads both strings and numbers, and for
+ * JSON strings no restrictions are enforced.
+ * </ul>
+ */
+ @Test
+ public void testJsonReader() throws IOException {
+ JsonReader reader = jsonReader("1".repeat(1000));
+ assertThat(reader.peek()).isEqualTo(JsonToken.NUMBER);
+ assertThat(reader.nextString()).isEqualTo("1".repeat(1000));
+
+ JsonReader reader2 = jsonReader("1".repeat(MAX_LENGTH + 1));
+ // Currently JsonReader does not recognize large JSON numbers as numbers but treats them
+ // as unquoted string
+ MalformedJsonException e = assertThrows(MalformedJsonException.class, () -> reader2.peek());
+ assertThat(e).hasMessageThat().startsWith("Use JsonReader.setStrictness(Strictness.LENIENT) to accept malformed JSON");
+
+ reader = jsonReader("1e9999");
+ assertThat(reader.peek()).isEqualTo(JsonToken.NUMBER);
+ assertThat(reader.nextString()).isEqualTo("1e9999");
+
+ reader = jsonReader("1e+9999");
+ assertThat(reader.peek()).isEqualTo(JsonToken.NUMBER);
+ assertThat(reader.nextString()).isEqualTo("1e+9999");
+
+ reader = jsonReader("1e10000");
+ assertThat(reader.peek()).isEqualTo(JsonToken.NUMBER);
+ assertThat(reader.nextString()).isEqualTo("1e10000");
+
+ reader = jsonReader("1e00001");
+ assertThat(reader.peek()).isEqualTo(JsonToken.NUMBER);
+ assertThat(reader.nextString()).isEqualTo("1e00001");
+ }
+
+ @Test
+ public void testJsonPrimitive() {
+ assertThat(new JsonPrimitive("1".repeat(MAX_LENGTH)).getAsBigDecimal())
+ .isEqualTo(new BigDecimal("1".repeat(MAX_LENGTH)));
+ assertThat(new JsonPrimitive("1e9999").getAsBigDecimal())
+ .isEqualTo(new BigDecimal("1e9999"));
+ assertThat(new JsonPrimitive("1e-9999").getAsBigDecimal())
+ .isEqualTo(new BigDecimal("1e-9999"));
+
+ NumberFormatException e = assertThrows(NumberFormatException.class,
+ () -> new JsonPrimitive("1".repeat(MAX_LENGTH + 1)).getAsBigDecimal());
+ assertThat(e).hasMessageThat().isEqualTo("Number string too large: 111111111111111111111111111111...");
+
+ e = assertThrows(NumberFormatException.class,
+ () -> new JsonPrimitive("1e10000").getAsBigDecimal());
+ assertThat(e).hasMessageThat().isEqualTo("Number has unsupported scale: 1e10000");
+
+ e = assertThrows(NumberFormatException.class,
+ () -> new JsonPrimitive("1e-10000").getAsBigDecimal());
+ assertThat(e).hasMessageThat().isEqualTo("Number has unsupported scale: 1e-10000");
+
+
+ assertThat(new JsonPrimitive("1".repeat(MAX_LENGTH)).getAsBigInteger())
+ .isEqualTo(new BigInteger("1".repeat(MAX_LENGTH)));
+
+ e = assertThrows(NumberFormatException.class,
+ () -> new JsonPrimitive("1".repeat(MAX_LENGTH + 1)).getAsBigInteger());
+ assertThat(e).hasMessageThat().isEqualTo("Number string too large: 111111111111111111111111111111...");
+ }
+
+ @Test
+ public void testToNumberPolicy() throws IOException {
+ ToNumberStrategy strategy = ToNumberPolicy.BIG_DECIMAL;
+
+ assertThat(strategy.readNumber(jsonReader("\"" + "1".repeat(MAX_LENGTH) + "\"")))
+ .isEqualTo(new BigDecimal("1".repeat(MAX_LENGTH)));
+ assertThat(strategy.readNumber(jsonReader("1e9999")))
+ .isEqualTo(new BigDecimal("1e9999"));
+
+
+ JsonParseException e = assertThrows(JsonParseException.class,
+ () -> strategy.readNumber(jsonReader("\"" + "1".repeat(MAX_LENGTH + 1) + "\"")));
+ assertThat(e).hasMessageThat().isEqualTo("Cannot parse " + "1".repeat(MAX_LENGTH + 1) + "; at path $");
+ assertThat(e).hasCauseThat().hasMessageThat().isEqualTo("Number string too large: 111111111111111111111111111111...");
+
+ e = assertThrows(JsonParseException.class, () -> strategy.readNumber(jsonReader("\"1e10000\"")));
+ assertThat(e).hasMessageThat().isEqualTo("Cannot parse 1e10000; at path $");
+ assertThat(e).hasCauseThat().hasMessageThat().isEqualTo("Number has unsupported scale: 1e10000");
+ }
+
+ @Test
+ public void testLazilyParsedNumber() throws IOException {
+ assertThat(new LazilyParsedNumber("1".repeat(MAX_LENGTH)).intValue())
+ .isEqualTo(new BigDecimal("1".repeat(MAX_LENGTH)).intValue());
+ assertThat(new LazilyParsedNumber("1e9999").intValue())
+ .isEqualTo(new BigDecimal("1e9999").intValue());
+
+ NumberFormatException e = assertThrows(NumberFormatException.class,
+ () -> new LazilyParsedNumber("1".repeat(MAX_LENGTH + 1)).intValue());
+ assertThat(e).hasMessageThat().isEqualTo("Number string too large: 111111111111111111111111111111...");
+
+ e = assertThrows(NumberFormatException.class,
+ () -> new LazilyParsedNumber("1e10000").intValue());
+ assertThat(e).hasMessageThat().isEqualTo("Number has unsupported scale: 1e10000");
+
+ e = assertThrows(NumberFormatException.class,
+ () -> new LazilyParsedNumber("1e10000").longValue());
+ assertThat(e).hasMessageThat().isEqualTo("Number has unsupported scale: 1e10000");
+
+ ObjectOutputStream objOut = new ObjectOutputStream(OutputStream.nullOutputStream());
+ // Number is serialized as BigDecimal; should also enforce limits during this conversion
+ e = assertThrows(NumberFormatException.class, () -> objOut.writeObject(new LazilyParsedNumber("1e10000")));
+ assertThat(e).hasMessageThat().isEqualTo("Number has unsupported scale: 1e10000");
+ }
+
+ @Test
+ public void testBigDecimalAdapter() throws IOException {
+ TypeAdapter<BigDecimal> adapter = new Gson().getAdapter(BigDecimal.class);
+
+ assertThat(adapter.fromJson("\"" + "1".repeat(MAX_LENGTH) + "\""))
+ .isEqualTo(new BigDecimal("1".repeat(MAX_LENGTH)));
+ assertThat(adapter.fromJson("\"1e9999\""))
+ .isEqualTo(new BigDecimal("1e9999"));
+
+ JsonSyntaxException e = assertThrows(JsonSyntaxException.class,
+ () -> adapter.fromJson("\"" + "1".repeat(MAX_LENGTH + 1) + "\""));
+ assertThat(e).hasMessageThat().isEqualTo("Failed parsing '" + "1".repeat(MAX_LENGTH + 1) + "' as BigDecimal; at path $");
+ assertThat(e).hasCauseThat().hasMessageThat().isEqualTo("Number string too large: 111111111111111111111111111111...");
+
+ e = assertThrows(JsonSyntaxException.class,
+ () -> adapter.fromJson("\"1e10000\""));
+ assertThat(e).hasMessageThat().isEqualTo("Failed parsing '1e10000' as BigDecimal; at path $");
+ assertThat(e).hasCauseThat().hasMessageThat().isEqualTo("Number has unsupported scale: 1e10000");
+ }
+
+ @Test
+ public void testBigIntegerAdapter() throws IOException {
+ TypeAdapter<BigInteger> adapter = new Gson().getAdapter(BigInteger.class);
+
+ assertThat(adapter.fromJson("\"" + "1".repeat(MAX_LENGTH) + "\""))
+ .isEqualTo(new BigInteger("1".repeat(MAX_LENGTH)));
+
+ JsonSyntaxException e = assertThrows(JsonSyntaxException.class,
+ () -> adapter.fromJson("\"" + "1".repeat(MAX_LENGTH + 1) + "\""));
+ assertThat(e).hasMessageThat().isEqualTo("Failed parsing '" + "1".repeat(MAX_LENGTH + 1) + "' as BigInteger; at path $");
+ assertThat(e).hasCauseThat().hasMessageThat().isEqualTo("Number string too large: 111111111111111111111111111111...");
+ }
+}