[
https://issues.apache.org/jira/browse/CASSANDRA-14925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16716681#comment-16716681
]
Sylvain Lebresne commented on CASSANDRA-14925:
----------------------------------------------
The patch looks obviously technically ok, but there is of course the question
of backward compatibility. I believe most of the usage of
{{AbstractType#getString}} is for log messages, but there are a few other
usages. {{sstabledump}} is one, though I'm not too worried about this here.
There are also a bunch of cases where it's used for internal stuff but "I
think" these should be cases where {{decimal}} is not used. But I am far from
having made a careful analysis of all the places where it is used, so I think we're
fine but I'm not 100% sure.
Overall, not sure what to do about that previous comment. I do think we should
fix this and I don't think the risk of someone running into backward
compatibility troubles is very high here, but I wonder if we shouldn't stick to
trunk as a compromise. Would welcome other opinions here for sure. Maybe worth
a quick email on the mailing list to gather opinions?
> DecimalSerializer.toString() can be used as OOM attack
> -------------------------------------------------------
>
> Key: CASSANDRA-14925
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14925
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Reporter: ZhaoYang
> Assignee: ZhaoYang
> Priority: Minor
>
> Currently, in {{DecimalSerializer.toString(value)}}, it uses
> {{BigDecimal.toPlainString()}} which generates huge string for large scale
> values.
>
> {code:java}
> BigDecimal d = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
> d.toPlainString(); // oom
> {code}
>
> Propose to use {{BigDecimal.toString()}} when scale is larger than 100 which
> is configurable via {{-Dcassandra.decimal.maxscaleforstring}}
>
> | patch | circle-ci |
> | [3.0|https://github.com/jasonstack/cassandra/commits/decimal-tostring-3.0] | [unit|https://circleci.com/gh/jasonstack/cassandra/747?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link] |
> The code should apply cleanly to 3.0+.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
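The amplification the ticket describes, and the proposed mitigation (fall back to {{BigDecimal.toString()}} above a configurable scale), as an added stand-alone example. This is illustrative code written for this page, not the patch on the jasonstack branch or Cassandra's {{DecimalSerializer}}; the class name {{SafeDecimalString}} and the helper names are assumptions, while the property name {{cassandra.decimal.maxscaleforstring}} and the default of 100 come from the ticket.

```java
import java.math.BigDecimal;

public final class SafeDecimalString {
    // Scales above this use BigDecimal.toString(), which renders in scientific
    // notation and whose length is bounded by the number of digits actually stored.
    private static final int MAX_SCALE_FOR_PLAIN_STRING =
        Integer.getInteger("cassandra.decimal.maxscaleforstring", 100);

    /**
     * Renders a decimal for logs or dumps without allocating one character per
     * unit of scale. toPlainString() on 1e-N produces "0." followed by N-1 zeros
     * and a "1", so N close to Integer.MAX_VALUE means a ~2 GB String from a
     * value that serialises to a handful of bytes (4-byte scale + unscaled bytes).
     */
    public static String toSafeString(BigDecimal value) {
        if (value == null) {
            return "null";
        }
        if (value.scale() > MAX_SCALE_FOR_PLAIN_STRING) {
            return value.toString();      // e.g. "1E-2147483641", 13 characters
        }
        return value.toPlainString();     // unchanged behaviour for ordinary values
    }

    /**
     * Rough upper bound on the length toPlainString() would produce, so callers
     * can reason about the cost before rendering (hypothetical helper).
     */
    static long plainStringLengthBound(BigDecimal value) {
        long precision = value.precision();
        long scale = value.scale();
        if (scale <= 0) {
            // integer digits followed by -scale trailing zeros, plus optional sign
            return precision - scale + 1;
        }
        // "0." prefix (or integer part) plus scale fractional digits, plus optional sign
        return Math.max(precision, scale + 1) + 2;
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary value and the ticket's pathological one.
        BigDecimal ordinary = new BigDecimal("123.456");
        BigDecimal hostile = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));

        System.out.println(toSafeString(ordinary));           // 123.456
        System.out.println(plainStringLengthBound(ordinary)); // small
        System.out.println(plainStringLengthBound(hostile));  // ~2.1 billion chars
        System.out.println(toSafeString(hostile));            // 1E-2147483641, no huge allocation
    }
}
```

The threshold is on {{scale}} specifically because scale is the amplification factor: a tiny serialised value controls how many zeros {{toPlainString()}} emits. {{toString()}} never produces more characters than the unscaled value has digits, so its cost is bounded by the size of the data actually stored. The trade-off the comment above raises is visible in the output: anything that parses the rendered text (an {{sstabledump}} consumer, for instance) now has to accept scientific notation for high-scale values, which is the backward-compatibility question rather than a correctness one.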