[
https://issues.apache.org/jira/browse/CASSANDRA-14925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17250365#comment-17250365
]
Zhao Yang commented on CASSANDRA-14925:
---------------------------------------
I have rebased.
|patch|circle-ci|
|[3.0|https://github.com/jasonstack/cassandra/commits/decimal-tostring-3.0]|[unit|https://app.circleci.com/pipelines/github/jasonstack/cassandra/333/workflows/20f0ed3f-d268-47e9-a2a3-32172e7c3020]|
|[3.11|https://github.com/jasonstack/cassandra/commits/decimal-tostring-3.11]|[unit|https://app.circleci.com/pipelines/github/jasonstack/cassandra/332/workflows/fedfa689-1e65-428e-9054-455d680f8b0e]|
|[trunk|https://github.com/jasonstack/cassandra/commits/decimal-tostring-trunk]|[unit|https://app.circleci.com/pipelines/github/jasonstack/cassandra/331/workflows/9cf60699-7b95-4eb3-8a09-aba953ff6894]|
> DecimalSerializer.toString() can be used as OOM attack
> -------------------------------------------------------
>
> Key: CASSANDRA-14925
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14925
> Project: Cassandra
> Issue Type: Bug
> Components: Legacy/Core
> Reporter: Zhao Yang
> Assignee: Zhao Yang
> Priority: Urgent
>
> Currently, in {{DecimalSerializer.toString(value)}}, it uses
> {{BigDecimal.toPlainString()}} which generates a huge string for large scale
> values.
>
> {code:java}
> BigDecimal d = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
> d.toPlainString(); // oom
> {code}
>
> Propose to use {{BigDecimal.toString()}} when scale is larger than 100 which
> is configurable via {{-Dcassandra.decimal.maxscaleforstring}}
>
> | patch | circle-ci |
> |[trunk|https://github.com/jasonstack/cassandra/commits/decimal-tostring-trunk]|[unit|https://circleci.com/gh/jasonstack/cassandra/751?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link]|
> The code should apply cleanly to 3.0+.
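A sketch of the guard proposed in the issue above, as an added example that is not the patch's or Cassandra's own code: the class and `safeToString` are hypothetical names, while the property name and the default of 100 come from the issue text. It goes slightly beyond the issue by also bounding large negative scales, which `toPlainString()` expands into trailing zeros in the same way.

```java
import java.math.BigDecimal;

public class DecimalToStringGuard {
    // Property name and default (100) are taken from the issue description.
    static final int MAX_SCALE_FOR_STRING =
            Integer.getInteger("cassandra.decimal.maxscaleforstring", 100);

    // Hypothetical helper, not Cassandra's DecimalSerializer.
    static String safeToString(BigDecimal value) {
        if (value == null)
            return "";
        int scale = value.scale();
        // Compare both bounds explicitly instead of using Math.abs(), which
        // returns a negative number for Integer.MIN_VALUE and would skip the guard.
        if (scale > MAX_SCALE_FOR_STRING || scale < -MAX_SCALE_FOR_STRING) {
            // Scientific notation: length depends on the unscaled digits,
            // not on the magnitude of the exponent.
            return value.toString();
        }
        // Small scales keep the human-friendly plain representation.
        return value.toPlainString();
    }

    public static void main(String[] args) {
        // Constructed sample values. The exponents are kept moderate so the
        // unguarded call can be measured without exhausting the heap.
        BigDecimal small = new BigDecimal("123.45");
        BigDecimal tiny = new BigDecimal("1e-100000");
        BigDecimal huge = new BigDecimal("1e+100000");

        System.out.println("small guarded: " + safeToString(small));
        System.out.println("tiny  guarded: " + safeToString(tiny));
        System.out.println("huge  guarded: " + safeToString(huge));

        // The string allocated by the unguarded call grows with the scale,
        // while the attacker-supplied input stays a few bytes long.
        System.out.println("tiny unguarded length: " + tiny.toPlainString().length());
        System.out.println("huge unguarded length: " + huge.toPlainString().length());
    }
}
```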