quinnj / JSON3.jl

potential security issue with big ints

caseykneale opened this issue · comments

Michael Griffiths found a tweet about a bug in Python's handling of JSON, which can lead to DoS of Python web APIs.

Michael Griffiths  4:28 PM
This is a fun one: https://twitter.com/vadimlearning/status/1257743849834897408
Seems to work fine in JavaScript (just returns infinity once it overflows, which happens well before that); though it appears to be hanging JSON3.jl for me.

They tried the following in Julia and reported that it hangs.

using JSON3
# 100 million random digits joined into a single numeric literal
big_number = join(rand(1:9, 100000000), "");
# parsing this document hung instead of returning or erroring
hangs = JSON3.read("{\"number\": $(big_number)}")

Could be an issue.

Ok, ultimate fix is here: JuliaData/Parsers.jl#52. I'm going to push a quick update to JSON3 as well, which will just throw a more informative error. After doing a bunch of research on what most json libraries do out there, it seems like we have the following:

  • Most JSON libraries treat all numbers as doubles, so they only allow up to 53 bits of precision; this was even suggested in a JSON spec amendment, but it still isn't a definitive range
  • In Parsers.jl, we were valiantly trying to parse these arbitrary precision numbers, even though there are reasonable maximums on # of digits for IEEE floats (i.e. 1079 for Float64); the fix I mentioned above will now bail early and the informative error will be thrown in JSON3
  • We do still have the option in JSON3 to read arbitrary precision numbers, you just have to use the struct-API, like
struct BigNumber
    number::BigFloat
end
StructTypes.StructType(::Type{BigNumber}) = StructTypes.Struct()

But in the default JSON3.read(json), you'll get the error.

Thanks for the report on this and I'm glad we can have good reasonable behavior here.
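As an added example (not code from this issue, JSON3.jl or Parsers.jl), here is the same "bail early on digit count" idea as a pre-parse guard in Python, the language the original tweet targeted: one linear scan over the JSON text rejects any numeric literal longer than a cap before any conversion is attempted. The default cap reuses the 1079-digit figure cited above; the names `check_number_digits`, `safe_loads` and `OversizedNumber`, and the sample documents, are this example's own.

```python
import json
import re

# JSON number token per RFC 8259: -? int frac? exp?
_NUMBER = re.compile(r"-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?")


class OversizedNumber(ValueError):
    """Raised when a numeric literal has more digits than the configured cap."""


def check_number_digits(doc: str, max_digits: int) -> int:
    """Scan a JSON text and return the digit count of its longest numeric literal.

    Raises OversizedNumber as soon as one literal exceeds max_digits, before any
    int/float conversion runs, so cost stays linear in the document size.
    Digits inside string literals are skipped: they are text, not numbers.
    """
    longest = 0
    i, n = 0, len(doc)
    while i < n:
        c = doc[i]
        if c == '"':                      # skip a string literal, honouring escapes
            i += 1
            while i < n and doc[i] != '"':
                i += 2 if doc[i] == "\\" else 1
            i += 1
        elif c == "-" or c.isdigit():
            m = _NUMBER.match(doc, i)
            if m is None:                 # malformed token; leave it to the real parser
                i += 1
                continue
            digits = sum(ch.isdigit() for ch in m.group())
            if digits > max_digits:
                raise OversizedNumber(
                    f"numeric literal with {digits} digits exceeds cap of {max_digits}")
            longest = max(longest, digits)
            i = m.end()
        else:
            i += 1
    return longest


def safe_loads(doc: str, max_digits: int = 1079):
    """json.loads with the digit-count guard applied first (cap is an assumption)."""
    check_number_digits(doc, max_digits)
    return json.loads(doc)


# Constructed payload in the shape of the report above: one huge integer literal.
HOSTILE = '{"number": ' + "7" * 5000 + "}"
BENIGN = '{"a": 12, "b": "999999", "c": -3.5e10}'
```

`check_number_digits(BENIGN, 1079)` returns 4 (the digits of `-3.5e10`; the six nines are inside a string), while `safe_loads(HOSTILE)` raises `OversizedNumber` without ever building the integer.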