Avoid parsing large big decimals #200

Merged on Nov 13, 2018 (7 commits)

dwijnand (Member) commented Nov 13, 2018

Fixes

Fixes #187

Purpose

Parsing large big decimals (think tens of hundreds of digits) and operating on these numbers
can be very CPU demanding. While play-json currently supports handling large numbers, it
is not practical on real-world applications and can expose them to DoS attacks.

This changes the way parsing happens to limit the size of such numbers based on
MathContext.DECIMAL128.

References

This is a resubmission of the initial commits of #191.
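
A sketch of the bounding idea in the description above, as an added example that is not play-json's code. The object name `BoundedDecimal` and the limits `MaxLiteralLength` and `MaxAbsScale` are assumptions chosen for illustration; only `MathContext.DECIMAL128` comes from the PR text.

```scala
import java.math.{ BigDecimal => JBigDecimal, MathContext }

object BoundedDecimal {
  // DECIMAL128 rounds to 34 significant digits (IEEE 754R decimal128 format).
  private val mc = MathContext.DECIMAL128

  // Assumed limits for this sketch; not values taken from play-json.
  private val MaxLiteralLength = 64
  private val MaxAbsScale = 1000

  /** Parse a JSON number literal, rejecting oversized input before any BigDecimal work. */
  def parse(literal: String): Either[String, JBigDecimal] =
    if (literal.length > MaxLiteralLength)
      // Cheap length check runs before the digit-to-BigInteger conversion.
      Left(s"number literal too long: ${literal.length} chars")
    else
      try {
        // Rounding at construction caps the unscaled value at mc.getPrecision digits.
        val bd = new JBigDecimal(literal, mc)
        // A short literal can still carry a huge exponent, which makes later
        // arithmetic or toBigInteger expensive, so bound the scale as well.
        if (math.abs(bd.scale) > MaxAbsScale) Left(s"exponent out of range: scale ${bd.scale}")
        else Right(bd)
      } catch {
        case _: NumberFormatException => Left("not a valid number literal")
      }

  def main(args: Array[String]): Unit = {
    // Constructed sample inputs.
    val samples = Seq(
      "12345.678",
      "0." + "1" * 50, // more digits than DECIMAL128 keeps: accepted, rounded to 34
      "9" * 500,       // hundreds of digits: rejected by the length check
      "1E+99999"       // short literal, large exponent: rejected by the scale check
    )
    samples.foreach { s =>
      val shown = if (s.length > 20) s.take(20) + "..." else s
      println(s"$shown -> ${parse(s)}")
    }
  }
}
```

The length check matters because it runs before any digits are converted; the scale check covers literals that are short on the wire but expensive to operate on afterwards.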

dwijnand changed the title from "## Fixes" to "Avoid parsing large big decimals" Nov 13, 2018
dwijnand merged commit 0a1ccdf into playframework:master Nov 13, 2018
dwijnand deleted the fix-parsing-large-numbers branch November 13, 2018 11:52
dwijnand added a commit that referenced this pull request Nov 27, 2018
* Avoid parsing large big decimals (#200)

* Avoid parsing large big decimals

Parsing large big decimals (think tens of hundreds of digits) and operating on these numbers
can be very CPU demanding. While play-json currently supports handling large numbers, it
is not practical on real-world applications and can expose them to DoS attacks.

This changes the way parsing happens to limit the size of such numbers based on
MathContext.DECIMAL128.

* Format details

* Fix typo

* Remove tests duplication

* Add breadcrumbs detailing where precision is defined

* Improve parsing readability

* Improve test readability

* Make it possible to configure the parsing for large big decimals (#191)

Fixes #187

Parsing large big decimals (think tens of hundreds of digits) and operating on these numbers
can be very CPU demanding. While play-json currently supports handling large numbers, it
is not practical on real-world applications and can expose them to DoS attacks.

This changes the way parsing happens to limit the size of such numbers based on
MathContext.DECIMAL128.

* Fix binary compatibility issues

* Codec for BigInt (#122)

* Codec for BigInt

* MiMa

* More tests

* Add small comment about bincompat filter

* Fix Scala 2.10 compatibility issue