[2.6.x] Cherry pick JSON parsing #202

Merged
merged 6 commits into from
Nov 27, 2018

dwijnand
Member

These two commits are the cherry-pick of #200 and #191.

I want someone to review that the MiMa binary changes are ok for 2.6.x (because I suspect they're not).

dwijnand and others added 2 commits November 21, 2018 17:39
* Avoid parsing large big decimals

Parsing large big decimals (think tens of hundreds of digits) and operating on these numbers
can be very CPU demanding. While play-json currently supports handling large numbers, it
is not practical on real-world applications and can expose them to denial of service attacks.

This changes the way parsing happens to limit the size of such numbers based on
MathContext.DECIMAL128.

* Format details

* Fix typo

* Remove tests duplication

* Add breadcrumbs detailing where precision is defined

* Improve parsing readability

* Improve test readability
Fixes #187

Parsing large big decimals (think tens of hundreds of digits) and operating on these numbers
can be very CPU demanding. While play-json currently supports handling large numbers, it
is not practical on real-world applications and can expose them to denial of service attacks.

This changes the way parsing happens to limit the size of such numbers based on
MathContext.DECIMAL128.
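
The kind of bound these commit messages describe, sketched as an added Scala example; it is not play-json's code and not code from this pull request. The object name `BoundedDecimalParser`, the `MaxScale` value and the error strings are assumptions; only `MathContext.DECIMAL128` comes from the page.

```scala
import java.math.{BigDecimal => JBigDecimal, MathContext}
import scala.util.{Failure, Success, Try}

// Added example, not play-json's implementation. Names and limits are assumptions.
object BoundedDecimalParser {
  private val mc: MathContext = MathContext.DECIMAL128

  // DECIMAL128 carries 34 significant digits; longer mantissas are refused.
  val MaxDigits: Int = mc.getPrecision

  // Hypothetical cap on |scale|: a short token such as 1e999999999 is cheap to
  // parse but very expensive to add, compare or convert to an integer later.
  val MaxScale: Int = 6144

  def parse(token: String): Either[String, BigDecimal] = {
    // Count mantissa digits on the raw text, before any BigDecimal is built,
    // so the cost of the check is linear in the token length.
    val digits = token.takeWhile(c => c != 'e' && c != 'E').count(_.isDigit)
    if (digits > MaxDigits)
      Left(s"number has $digits digits, limit is $MaxDigits")
    else
      Try(new JBigDecimal(token, mc)) match {
        case Failure(_) => Left("not a valid number")
        case Success(bd) if math.abs(bd.scale) > MaxScale =>
          Left(s"scale ${bd.scale} is outside +/-$MaxScale")
        case Success(bd) => Right(new BigDecimal(bd, mc))
      }
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample tokens, as they might appear in a JSON body.
    val samples = Seq(
      "12.50",           // ordinary value
      "1" * 34,          // exactly at the digit limit
      "9" * 5000,        // long mantissa: refused before parsing
      "1e999999999",     // tiny token, enormous exponent: refused on scale
      "1e99999999999",   // exponent overflows Int: not a valid number
      "12abc"            // malformed
    )
    samples.foreach { s =>
      val shown = if (s.length > 20) s.take(20) + "..." else s
      println(s"$shown -> ${parse(s)}")
    }
  }
}
```
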
@dwijnand
Member Author

Should we be concerned about Scala 2.11 users of DefaultReads/DefaultWrites?

@dwijnand
Member Author

Actually, no one consumes DefaultReads/Writes extending objects to call methods off of it, at most they mix it in and then import its implicits off it. So no binary risk.

@dwijnand dwijnand merged commit 50a6b6f into playframework:2.6.x Nov 27, 2018
@dwijnand dwijnand deleted the cherry-pick-json-parsing branch November 27, 2018 14:20
3 participants