1/2. "too big" or "too small" number, maybe should throw exception, just like Integer.parseInt(......); 3.valid range of BigInteger/BigDecimal should be determined by different scenes but i'm not sure what is the "best" default configuration or just default to unlimit, it's develop team's duty to set a valid configuration for it, :)
在 2018年10月16日星期二 UTC+8下午11:08:11,Tatu Saloranta写道: > > On Tue, Oct 16, 2018 at 8:02 AM wjm wjm <zzz...@gmail.com <javascript:>> > wrote: > > > > seems that jackson have some problems when parse super number > > Gson failed at once, but jackson block long times and then failed > > because jackson parse the super number to BigInteger first and then > convert to target number type. > > > > i write a reproduce test case > > please help me to resolve the problem, thanks > > > > package test.jackson; > > > > import java.util.concurrent.Callable; > > > > import com.fasterxml.jackson.databind.ObjectMapper; > > import com.google.common.base.Strings; > > import com.google.gson.Gson; > > import com.google.gson.GsonBuilder; > > > > public class DoS { > > static String input = Strings.repeat("1", 100_0000); > > > > static Gson gson = new GsonBuilder().create(); > > > > static ObjectMapper mapper = new ObjectMapper(); > > > > public static enum Color { > > WHITE, > > BLACK > > } > > > > static void run(String name, Callable callable) { > > System.out.println(name); > > > > long start = System.currentTimeMillis(); > > try { > > Object result = callable.call(); > > System.out.println(" result:" + result); > > } catch (Throwable e) { > > //System.out.println(" failed: " + e.getMessage()); > > System.out.println(" failed"); > > } > > System.out.println(" time:" + (System.currentTimeMillis() - start) > + " ms"); > > } > > > > public static void main(String[] args) { > > run("Gson enum:", () -> gson.fromJson(input, Color.class)); > > run("Jackson enum:", () -> mapper.readValue(input, Color.class)); > > System.out.println(); > > > > // byte/Byte/short/Short/int/Integer/long/Long > > // all these types, jackson is very slow > > run("Gson int:", () -> gson.fromJson(input, int.class)); > > run("Jackson int:", () -> mapper.readValue(input, int.class)); > > System.out.println(); > > > > // float/Float/double/Double > > // all these types, jackson is very slow > > run("Gson double:", () -> gson.fromJson(input, double.class)); > > run("Jackson double:", () -> mapper.readValue(input, double.class)); > > System.out.println(); > > } > > } > > > > > > the output is : > > Gson enum: > > result:null > > time:16 ms > > Jackson enum: > > failed > > time:17469 ms > > > > Gson int: > > failed > > time:32 ms > > Jackson int: > > failed > > time:17392 ms > > > > Gson double: > > result:Infinity > > time:8 ms > > Jackson double: > > result:Infinity > > time:18187 ms > > Ok, this is obviously a big problem. I filed: > > https://github.com/FasterXML/jackson-databind/issues/2157 > > to cover it, and this is related to earlier > > https://github.com/FasterXML/jackson-databind/issues/2141 > > Unfortunately problem is difficult to tackle. Jackson does figure out > magnitude part during decoding, and use "smallest possible" type > for integral numbers, from group of `int`, `long` and `BigInteger` > (for floating-point logic is bit different, but similar idea applies). > Problem occurs when target type needed by databinding is something > else: like very long integer number that is to be used for filling > `int` field. This operation is slow with JDK, and should be avoided > partly because overflow check would fail anyway -- but this is only > applied after very slow conversion, allowing DoS attacks. > > I have some questions on how this could and should be handled, > regarding things like: > > 1. On "too big" (big magnitude) number, should we typically truncate > to MAX_VALUE (for `double`), or throw exception (latter for integral I > think) > 2. On "too small" (small magnitude) number, should we truncate to zero > 3. If applying strict limits to longest BigInteger/BigDecimal, are > there safe length limits? Same use cases (like cryptography) use > relatively long numbers legitimately, for example > > But. Maybe I can figure out solution to bounds-check-fail case at least, > first. > > -+ Tatu +- > > ps. This is not limited to json either; almost certainly applicable to > XML, YAML, possibly CSV, Properties. So I think help would be useful > in figuring out extent of the problem. > -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to jackson-user+unsubscr...@googlegroups.com. To post to this group, send email to jackson-user@googlegroups.com. For more options, visit https://groups.google.com/d/optout.