
Timestamp#forMillis(BigDecimal, Integer) susceptible to DoS #159

Closed
raganhan opened this issue Oct 3, 2018 · 0 comments
raganhan commented Oct 3, 2018

Calling longValue() on large-exponent BigDecimals, e.g. 1e100000000 and 1e-100000000, is very expensive; each took ~2 minutes on my machine.

A solution is to check bounds and remove the fractional component before calling longValue().

Affected code:
https://github.com/amzn/ion-java/blob/master/src/software/amazon/ion/Timestamp.java#L689-L707

```java
private Timestamp(BigDecimal millis, Integer localOffset)
{
    if (millis == null) throw new NullPointerException("millis is null");

    // longValue() inflates the BigDecimal: very slow for large exponents
    long ms = millis.longValue();
    set_fields_from_millis(ms);

    this._precision = Precision.SECOND;
    int scale = millis.scale();
    if (scale <= -3) {
        this._fraction = null;
    }
    else {
        BigDecimal secs = millis.movePointLeft(3);
        // setScale() also inflates the value for large exponents
        BigDecimal secsDown = secs.setScale(0, RoundingMode.FLOOR);
        this._fraction = secs.subtract(secsDown);
    }
    this._offset = localOffset;
}
```

That's the only occurrence of BigDecimal#longValue I found in ion-java.

Jackson is dealing with a similar issue: FasterXML/jackson-databind#2141
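
The guard the report proposes, as an added stand-alone example rather than ion-java's own code (the class and method names are assumed): bound the value by its digit count, which BigDecimal stores as metadata, before any call that would inflate it, so that a huge positive or negative exponent is handled in constant time instead of building a hundred-million-digit BigInteger.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;

// Hypothetical helper class for this example; not ion-java's code.
public final class BoundedMillis {
    // Long.MAX_VALUE has 19 decimal digits: more digits left of the decimal point can
    // never fit a long, so such input is rejected before any BigInteger is built.
    private static final int MAX_LONG_DIGITS = 19;
    /**
     * Same result as millis.longValue() (truncation toward zero) for every value
     * that fits in a long, but never inflates the BigDecimal for a huge exponent.
     */
    public static long boundedLongValue(BigDecimal millis) {
        if (millis == null) throw new NullPointerException("millis is null");
        // precision() and scale() are stored metadata, so this is O(1) whatever the
        // exponent; precision - scale is the number of digits left of the point,
        // and long arithmetic keeps extreme scales from overflowing an int.
        long integerDigits = (long) millis.precision() - millis.scale();
        if (integerDigits > MAX_LONG_DIGITS) {
            // e.g. 1e100000000: unscaled 1, scale -100000000 -> 100000001 digits
            throw new IllegalArgumentException(
                "millis has " + integerDigits + " integer digits, exceeds long range");
        }
        if (integerDigits <= 0) {
            // |millis| < 1, e.g. 1e-100000000: its long value is 0. longValue() would
            // first build 10^100000000 to divide by, which is the slow path.
            return 0L;
        }
        // Now 1 <= integerDigits <= 19 and scale < precision, so dropping the
        // fraction costs at most the digits actually present in the input.
        BigDecimal whole = millis.setScale(0, RoundingMode.DOWN);
        try {
            return whole.longValueExact(); // 19-digit values above Long.MAX_VALUE fail here
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException("millis exceeds long range: " + whole, e);
        }
    }

    public static void main(String[] args) {
        System.out.println(boundedLongValue(new BigDecimal("1538524800123.456"))); // ordinary value, fraction dropped
        System.out.println(boundedLongValue(new BigDecimal("-7.999")));             // truncates toward zero like longValue()
        System.out.println(boundedLongValue(new BigDecimal("1e-100000000")));       // tiny value: fast path, no division
        try {
            boundedLongValue(new BigDecimal("1e100000000")); // huge exponent: rejected immediately
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same digit-count check has to run before the setScale(0, FLOOR) that derives the sub-second fraction, since that call inflates the value in exactly the same way.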

@raganhan raganhan self-assigned this Oct 3, 2018
raganhan added a commit that referenced this issue Oct 5, 2018
Operations that require inflating the BigDecimal can be expensive for
large numbers, examples:
* longValue
* intValue
* setScale

#159
raganhan added a commit that referenced this issue Oct 22, 2018
Operations that require inflating the BigDecimal can be expensive for
large numbers, examples:
* longValue
* intValue
* setScale

#159
raganhan added a commit that referenced this issue Oct 22, 2018
* Bound checking BigDecimal in Timestamp to guard against DoS

Operations that require inflating the BigDecimal can be expensive for
large exponents, examples:
* longValue
* intValue
* setScale

#159