Additional hints for Schema.bigdecimal wanted
Would it be possible to add hints for parsing of BigDecimal values from JSON?
Currently, when deriving JsonCodec the following method is used with default values for DECIMAL128:
```scala
def readBigDecimal(default: BigDecimal): BigDecimal =
  parseBigDecimal(isToken = true, default, bigDecimalMathContext, bigDecimalScaleLimit, bigDecimalDigitsLimit)
```
It would be great to add hints for the math context, digit limit and scale limit that would allow setting other limits, or removing limits on parsing of BigDecimal values for trusted input.
On the other hand, parsing with the unlimited string parser (that is, the default Java parser used currently) is vulnerable to DoS attacks.
To mitigate that the custom codec from jsoniter-scala can be used to parse BigDecimal values from strings safely and more efficiently.
Hints aren't the way to go on this one, but we can certainly expose configuration options at this level (and expose it downstream), and set default limits to reduce the risk.
Regarding the Java parser that we use in some contexts: one of the guiding principles of smithy4s is that smithy4s-core ought to be dependency free. That's a principle I don't want to deviate from. I don't exclude the idea of having richer parsing logic there in the future, but considering the nominal case of this library (server-side anyway) uses JSON as the http-body serialisation format, let's start by allowing some customisation around BigInteger/BigDecimals, that'll greatly mitigate security risks.
@Baccata Thanks for understanding the security risks!
I can be wrong in my assumption about how to integrate and define configuration for mitigations.
The parsing logic could be extracted from jsoniter-scala, as was done for the Timestamp parser. At least the part that validates the number of mantissa digits and the scale should be implemented, because Java's parser doesn't provide such options.
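A sketch of the mantissa-digit and scale validation described above, added here as an example (not smithy4s or jsoniter-scala code). The `Limits` names and the default numbers are assumptions; the guard counts digits and bounds the scale before `java.math.BigDecimal` ever allocates anything:

```scala
import java.math.{BigDecimal => JBigDecimal, MathContext}

// Added example: bounded BigDecimal parsing in front of java.math.BigDecimal,
// whose constructor imposes no digit or scale limits of its own.
object BoundedBigDecimal {
  // Assumed names and default values; DECIMAL128 mirrors the default mentioned above.
  final case class Limits(
      mathContext: MathContext = MathContext.DECIMAL128,
      digitsLimit: Int = 308,  // max mantissa digits accepted (assumed value)
      scaleLimit: Int = 6178   // max absolute scale accepted (assumed value)
  )

  // Returns Left(reason) instead of throwing, so a caller can reject untrusted
  // input before any oversized number is built.
  def parse(s: String, limits: Limits): Either[String, JBigDecimal] = {
    if (s.isEmpty) return Left("empty input")
    var i = if (s.charAt(0) == '-' || s.charAt(0) == '+') 1 else 0
    var mantissaDigits = 0
    var fractionDigits = 0
    var seenDot = false
    // Scan the mantissa, only counting digits; nothing is allocated yet.
    while (i < s.length && s.charAt(i) != 'e' && s.charAt(i) != 'E') {
      val c = s.charAt(i)
      if (c == '.') {
        if (seenDot) return Left("multiple decimal points")
        seenDot = true
      } else if (c >= '0' && c <= '9') {
        mantissaDigits += 1
        if (seenDot) fractionDigits += 1
      } else return Left(s"unexpected character '$c'")
      i += 1
    }
    if (mantissaDigits == 0) return Left("no digits")
    if (mantissaDigits > limits.digitsLimit)
      return Left(s"mantissa has $mantissaDigits digits, limit is ${limits.digitsLimit}")
    // The exponent must fit an Int; a huge exponent is what later makes
    // arithmetic or toPlainString on the value explode in cost.
    val exponent: Int =
      if (i >= s.length) 0
      else s.substring(i + 1).toIntOption match {
        case Some(e) => e
        case None    => return Left("exponent out of range")
      }
    val scale = fractionDigits.toLong - exponent
    if (math.abs(scale) > limits.scaleLimit)
      return Left(s"scale $scale exceeds limit ${limits.scaleLimit}")
    Right(new JBigDecimal(s, limits.mathContext))
  }
}
```

With the assumed defaults, `parse("1e9999999999", Limits())` is rejected at the exponent check and `parse("12.5e-7000", Limits())` at the scale check, while ordinary values still go through the Java constructor with the DECIMAL128 context.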
@plokhotnyuk just to confirm, are the default values used in jsoniter-scala's readBigDecimal sensible ones with regards to security, or should we be stricter in the absence of user customisation?
Default parameters of jsoniter-scala's readBigDecimal are not sensible for untrusted input because they limit parsed values to the 128-bit representation of floating point numbers (DECIMAL128).
For most use cases it is enough, but for some rare cases with trusted input we can unlimit jsoniter-scala's parser to accept values of all sizes (but the unlimiting configuration should not be turned on by default, as it is in the Java parser).
> Default parameters of jsoniter-scala's readBigDecimal are not sensible for the untrusted input because they limit parsed values to 128-bit representation of floating point numbers (DECIMAL128).

Do you actually mean not sensible here, or was it a typo? (I think it was, but want to confirm)