ZhaoYang created CASSANDRA-14925:
------------------------------------

             Summary: DecimalSerializer.toString() can be used as OOM attack
                 Key: CASSANDRA-14925
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14925
             Project: Cassandra
          Issue Type: Bug
          Components: Core
            Reporter: ZhaoYang
            Assignee: ZhaoYang
Currently, {{DecimalSerializer.toString(value)}} uses {{BigDecimal.toPlainString()}}, which generates a huge string for large-scale values.

{code:java}
import java.math.BigDecimal;

// scale is Integer.MAX_VALUE - 6 = 2,147,483,641, so the plain form is "0." followed by ~2.1 billion digits
BigDecimal d = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
d.toPlainString(); // tries to allocate a string of that length -> OOM
{code}

Propose using {{BigDecimal.toString()}} when the scale is larger than 100, which is configurable via {{-Dcassandra.decimal.maxscaleforstring}}.

| patch | circle-ci |
| [3.0|https://github.com/jasonstack/cassandra/commits/decimal-tostring-3.0] | [unit|https://circleci.com/gh/jasonstack/cassandra/747?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link] |

The code should apply cleanly to 3.0+.
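Added example (not code from the ticket or from Cassandra's code base) showing the guard the ticket proposes: plain notation only while the scale is at or below the configurable threshold, scientific notation otherwise. The class and method names are assumed; the property name and the default of 100 come from the ticket.

```java
import java.math.BigDecimal;

public class DecimalToStringGuard {
    // Scale above which plain notation is refused; property name as proposed in the ticket, default 100.
    static final int MAX_SCALE_FOR_STRING =
        Integer.getInteger("cassandra.decimal.maxscaleforstring", 100);

    /** Bounded string form: plain notation for small scales, scientific notation otherwise. */
    static String safeToString(BigDecimal value) {
        if (value == null) return "";
        // scale() is a stored field; checking it allocates nothing.
        if (value.scale() > MAX_SCALE_FOR_STRING) {
            return value.toString();      // e.g. "1E-2147483641": length ~ precision + exponent digits
        }
        return value.toPlainString();     // length grows linearly with the scale
    }

    /** Length toPlainString() would produce, computed without building the string. */
    static long plainStringLength(BigDecimal value) {
        int scale = value.scale();
        int precision = value.precision();
        long digits;
        if (scale <= 0) {
            digits = (long) precision - scale;   // integer digits plus appended zeros
        } else if (scale < precision) {
            digits = precision + 1L;             // digits plus the decimal point
        } else {
            digits = (long) scale + 2;           // "0." followed by scale digits
        }
        return digits + (value.signum() < 0 ? 1 : 0);
    }

    public static void main(String[] args) {
        BigDecimal ordinary = new BigDecimal("12345.678");
        BigDecimal hostile = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6)); // the ticket's input

        System.out.println(safeToString(ordinary));      // 12345.678 (scale 3, plain form kept)
        System.out.println(plainStringLength(hostile));  // 2147483643: what toPlainString() would allocate
        System.out.println(safeToString(hostile));       // 1E-2147483641: a handful of bytes
    }
}
```

Run with -Dcassandra.decimal.maxscaleforstring=5 to see the guard switch the ordinary value to plain form while still rejecting the hostile one.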