circe v0.11.1 Release Notes
Release Date: 2019-01-15
This release includes a few changes (#1057 and #1056) designed to allow users to avoid denial-of-service attacks when decoding very large JSON numbers (see this issue, reported by Andriy Plokhotnyuk).

The first of these changes (#1056) allows `Double` decoding to avoid construction of a `BiggerDecimal` value, which means that decoding a JSON number with a million digits into `Double` no longer takes several seconds:

```scala
scala> val badNumber = "9" * 1000000
badNumber: String = 999...

scala> io.circe.jawn.decode[Double](badNumber)
res0: Either[io.circe.Error,Double] = Right(Infinity)
```
It's still possible to run into situations where decoding numbers like this can take a long time, though. For example, the following takes about nine seconds on my machine:

```scala
scala> io.circe.jawn.decode[BigDecimal](badNumber)
res1: Either[io.circe.Error,BigDecimal] = Right(999...)
```
If you are concerned about cases like this, you can force decoding to fail on any input containing a JSON number or string that exceeds a certain number of characters, by instantiating a parser with the new `JawnParser.apply` method:

```scala
scala> import io.circe.jawn.JawnParser
import io.circe.jawn.JawnParser

scala> val parser = JawnParser(maxValueSize = 100000)
parser: io.circe.jawn.JawnParser = io.circe.jawn.JawnParser@202b5d24

scala> parser.decode[BigDecimal](badNumber)
res2: Either[io.circe.Error,BigDecimal] = Left(io.circe.ParsingFailure: JSON number length (1000000) exceeds limit (100000))
```
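To make the `maxValueSize` idea concrete outside of Scala, here is an added example in Python; it is not circe's code and does not come from the circe project. It shows the same defence: scan the raw JSON text and reject any string or number token longer than a limit before any numeric value is materialized, then decode with exact decimals. The names `check_value_sizes`, `safe_decode`, `rejected`, the `ValueSizeExceeded` class and the `bad_number` input are all constructed for this illustration; the error message format copies the `ParsingFailure` text shown above. The scanner only measures token lengths and is not a JSON validator; it leaves validation to `json.loads`.

```python
import json
from decimal import Decimal

# Hypothetical pre-parse guard written for this note as an illustration of the
# maxValueSize idea; it is not circe's code. It measures the length of every
# JSON string and number token *before* any numeric value is constructed, so a
# million-digit number is rejected in a single linear scan instead of costing
# seconds of BigDecimal/Decimal construction.

DIGITS = "0123456789"
NUMBER_CHARS = DIGITS + "+-.eE"   # digits, sign, decimal point, exponent


class ValueSizeExceeded(ValueError):
    """Raised when a single JSON string or number token exceeds the limit."""


def check_value_sizes(text: str, max_value_size: int) -> None:
    """Raise ValueSizeExceeded if any string or number token is too long."""
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            # String token: skip to the closing quote, honouring backslash escapes
            # so an escaped quote inside the string does not end it early.
            j = i + 1
            while j < n and text[j] != '"':
                if text[j] == "\\":
                    j += 1          # skip the escaped character
                j += 1
            length = j - i - 1      # characters between the quotes
            if length > max_value_size:
                raise ValueSizeExceeded(
                    f"JSON string length ({length}) exceeds limit ({max_value_size})")
            i = j + 1
        elif c == "-" or c in DIGITS:
            # Number token: consume the run of number characters without
            # converting it, so the cost here is proportional to its length only.
            j = i
            while j < n and text[j] in NUMBER_CHARS:
                j += 1
            length = j - i
            if length > max_value_size:
                raise ValueSizeExceeded(
                    f"JSON number length ({length}) exceeds limit ({max_value_size})")
            i = j
        else:
            i += 1                  # structural characters, whitespace, literals


def safe_decode(text: str, max_value_size: int):
    """Reject oversized tokens first, then parse with exact decimal numbers."""
    check_value_sizes(text, max_value_size)
    # Decimal for both ints and floats keeps the exact value, the way circe's
    # BigDecimal decoder would, and avoids silently overflowing a float to inf.
    return json.loads(text, parse_float=Decimal, parse_int=Decimal)


def rejected(text: str, max_value_size: int) -> bool:
    """True if the guard rejects the document; False if it passes the guard."""
    try:
        check_value_sizes(text, max_value_size)
    except ValueSizeExceeded:
        return True
    return False


if __name__ == "__main__":
    bad_number = "9" * 1_000_000       # constructed input, as in the notes above
    print(rejected(bad_number, 100_000))                      # True
    print(safe_decode('{"id": 42, "price": 19.99}', 100_000))  # exact decimals
```

The guard runs before the real parser, so the only cost an attacker can impose is one pass over the input, which is the same cost the parser already has to pay to read it. A production version would apply the limit inside the parser (as `JawnParser(maxValueSize = ...)` does) rather than scanning twice, but the pre-scan is a workable stopgap in front of any JSON library that exposes no such limit.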
The behavior of the default `io.circe.jawn` parser remains unchanged: it does not limit the length of numbers or strings.

This release also bumps the Jawn version (for circe-jawn and circe-literal) from 0.14.0 to 0.14.1, which fixes some parsing error messages.
These changes are verified by MiMa to be binary compatible with 0.11.0, and I'm 99.9% confident they are source compatible (the only chance would be if you're doing something extremely weird with `io.circe.jawn.JawnSupportParser`, and even then I think we're safe).