Parsson: BigInteger support
Basic information
Project name: Parsson
Project id: ee4j.parsson
What are the affected versions?
Not specified
Details of the issue
I'm a contributor to Jackson. We've discovered that BigDecimal toBigInteger/toBigIntegerExact can have terrible performance when you are dealing with numbers with large exponents. An example is 1e20000000. In jackson-core, we are implementing a limit on the size of the exponent that we will allow.
https://github.com/FasterXML/jackson-core/issues/968
The issue is that users might try to parse JSON from untrusted sources and that malicious actors can exploit the fact that the built-in support for Java for parsing numbers has a number of edge cases where the input text of a number can lead to much larger processing time than you would expect.
The Jackson 2.15.0 release tries to address this and a number of other potential attack vectors with number parsing. The main defence is to apply a size limit for numbers. Very long numeric strings are the easiest exploit. Number parsing has subquadratic performance. But issue 968 highlights that sometimes even short number strings can be used in DoS attacks.
I hope that this report makes sense. Get back to me if you need more info.
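An added illustration of the kind of guard the report describes, written for this page and not taken from Parsson or jackson-core: the literal is parsed into a BigDecimal (which keeps mantissa and exponent separate and is cheap) and its exponent magnitude and length are bounded before toBigInteger() is allowed to expand it. The class name and the two limits are assumed values chosen for the example, not the thresholds jackson-core actually uses.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

public final class BoundedBigIntegerConversion {

    // Constructed limits for this example; a real parser would make these configurable.
    static final int MAX_LITERAL_LENGTH = 1_000;
    static final int MAX_EXPONENT_MAGNITUDE = 100_000;

    /**
     * Converts a JSON numeric literal to BigInteger, rejecting inputs whose
     * conversion cost is driven by the exponent rather than the digits typed.
     */
    static BigInteger toBigIntegerBounded(String literal) {
        if (literal.length() > MAX_LITERAL_LENGTH) {
            throw new IllegalArgumentException(
                "numeric literal too long: " + literal.length() + " chars");
        }
        // Parsing alone is cheap: "1e20000000" becomes unscaled value 1 with scale -20000000.
        BigDecimal dec = new BigDecimal(literal);
        // scale() is the negated exponent. toBigInteger() must materialise 10^|scale|,
        // so both a large negative scale (1e20000000) and a large positive one (1e-20000000)
        // are expensive. Compare against both bounds rather than using Math.abs, which
        // overflows for Integer.MIN_VALUE.
        int scale = dec.scale();
        if (scale > MAX_EXPONENT_MAGNITUDE || scale < -MAX_EXPONENT_MAGNITUDE) {
            throw new IllegalArgumentException(
                "exponent magnitude " + scale + " exceeds limit " + MAX_EXPONENT_MAGNITUDE);
        }
        return dec.toBigInteger();
    }

    public static void main(String[] args) {
        // Ordinary inputs convert as before.
        System.out.println(toBigIntegerBounded("12345.678"));   // 12345
        System.out.println(toBigIntegerBounded("1e20"));        // 100000000000000000000
        // The report's example is rejected before any expensive work happens.
        try {
            toBigIntegerBounded("1e20000000");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The length check alone would not catch "1e20000000" (ten characters), which is why the exponent bound is needed in addition to a literal-size limit.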
Steps to reproduce
See above
Do you know any mitigations of the issue?
(Like disabling a configuration option, for example)