potential security issue with big ints
caseykneale opened this issue
Casey Kneale commented
Michael Griffiths found a tweet about a bug in Python's handling of JSON, which can lead to DoS of Python web APIs.
Michael Griffiths 4:28 PM
This is a fun one: https://twitter.com/vadimlearning/status/1257743849834897408
Seems to work fine in JavaScript (just returns infinity once it overflows, which happens well before that); though it appears to be hanging JSON3.jl for me.
They tried the following in Julia and reported that it hangs.
```julia
using JSON3
# 100,000,000 random digits: far longer than any literal a Float64 can represent
big_number = join(rand(1:9, 100000000), "");
hangs = JSON3.read("{\"number\": $(big_number)}")
```
Could be an issue.
Jacob Quinn commented
Ok, ultimate fix is here: JuliaData/Parsers.jl#52. I'm going to push a quick update to JSON3 as well, which will just throw a more informative error. After doing a bunch of research on what most json libraries do out there, it seems like we have the following:
- most json libraries treat all numbers as doubles, so they only allow up to 53 bits of precision and this was even suggested in a json spec amendment, but still isn't a definitive range
- In Parsers.jl, we were valiantly trying to parse these arbitrary precision numbers, even though there are reasonable maximums on # of digits for IEEE floats (i.e. 1079 for Float64); the fix I mentioned above will now bail early and the informative error will be thrown in JSON3
- We do still have the option in JSON3 to read arbitrary precision numbers, you just have to use the struct-API, like
```julia
struct BigNumber
    number::BigFloat
end
StructTypes.StructType(::Type{BigNumber}) = StructTypes.Struct()
```
But in the default `JSON3.read(json)`, you'll get the error.
Thanks for the report on this and I'm glad we can have good reasonable behavior here.
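The same "bail early on digit count" mitigation, applied on the Python side that the original tweet concerns. This is an added example and not code from JSON3, Parsers.jl or CPython; `MAX_NUMBER_DIGITS` and the helper names are assumptions, and the oversized payload is constructed inline.

```python
import json

# Assumed cap: a Float64 literal never needs more than a few hundred digits to be
# meaningful, so anything far beyond that is only useful for burning CPU. Tune for your API.
MAX_NUMBER_DIGITS = 1000


class NumberTooLongError(ValueError):
    """Raised before any arbitrary-precision conversion is attempted."""


def _bounded_int(digits: str) -> int:
    # json.loads hands parse_int the raw matched literal (sign included) before int()
    # runs, so the length check is O(1) and the expensive conversion never happens.
    if len(digits) > MAX_NUMBER_DIGITS:
        raise NumberTooLongError(
            f"integer literal has {len(digits)} digits (max {MAX_NUMBER_DIGITS})")
    return int(digits)


def _bounded_float(digits: str) -> float:
    # Same guard for floats; the regex match in the scanner is linear, the
    # conversion is what we are protecting.
    if len(digits) > MAX_NUMBER_DIGITS:
        raise NumberTooLongError(
            f"float literal has {len(digits)} characters (max {MAX_NUMBER_DIGITS})")
    return float(digits)


def safe_loads(text: str):
    """json.loads with a digit-length bound on every numeric literal."""
    return json.loads(text, parse_int=_bounded_int, parse_float=_bounded_float)


def parses_safely(text: str) -> bool:
    """True if the document parses within the bound, False if a literal was rejected."""
    try:
        safe_loads(text)
        return True
    except NumberTooLongError:
        return False


if __name__ == "__main__":
    # Constructed payload mirroring the report: one huge integer literal.
    hostile = '{"number": ' + "9" * 100_000 + "}"
    print(parses_safely('{"number": 12345}'), parses_safely(hostile))
```

Recent CPython releases also cap int/str conversion length by default (see `sys.set_int_max_str_digits`), but the hook above rejects the literal before conversion and works on older interpreters too.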