juneau-dev mailing list archives

From James Bognar <jamesbog...@gmail.com>
Subject Re: Security
Date Fri, 10 Nov 2017 17:47:08 GMT
Hi Lukasz,

Thanks for these great questions!

Our unit tests cover and pass the scenarios described here:
http://seriot.ch/json/parsing.html

However, we don't have any limiters in place to prevent you from, for
example, creating an infinitely long String field (other than the built-in
limitations on the StringBuilder class itself which is limited by an int).

I'm thinking it can be solved at the REST servlet interface with a
BoundedReader (
https://commons.apache.org/proper/commons-io/javadocs/api-2.5/org/apache/commons/io/input/BoundedReader.html).
The parsers themselves wouldn't need to be changed.

Thoughts anyone?  What would be an appropriate default size limit on the
input?  100MB?


On Thu, Nov 9, 2017 at 11:27 PM, Lukasz Lenart <lukaszlenart@apache.org>
wrote:

> One more question: did you test your JSON lib against DoS attack? Like
> posting a JSON which will consume a lot of memory during deserialization by
> creating nested objects?
>
>
> Cheers
> --
> Lukasz
>
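
An added example, not code from this thread or from Juneau, of the BoundedReader approach James sketches above: a servlet filter whose request wrapper caps how many characters any downstream parser can pull from the body. The filter class name, the limit value and the javax.servlet 3.x API are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.io.input.BoundedReader;

/** Hypothetical filter: bounds the request body seen by the REST layer's parsers. */
public class BoundedBodyFilter implements Filter {

    /** Assumed cap on characters handed to the parser; tune per deployment. */
    private static final int MAX_BODY_CHARS = 1_000_000;

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new BoundedRequest((HttpServletRequest) req, MAX_BODY_CHARS);
        }
        chain.doFilter(req, res);
    }

    /** Wraps getReader() so the parser sees at most 'limit' characters.
     *  BoundedReader reports EOF once the limit is reached, so an oversized
     *  body turns into a parse error instead of an ever-growing StringBuilder. */
    static final class BoundedRequest extends HttpServletRequestWrapper {
        private final int limit;

        BoundedRequest(HttpServletRequest request, int limit) {
            super(request);
            this.limit = limit;
        }

        @Override
        public BufferedReader getReader() throws IOException {
            return new BufferedReader(new BoundedReader(super.getReader(), limit));
        }
    }
}
```

Only getReader() is bounded here; a parser that consumes getInputStream() instead bypasses the cap, so that path needs the same treatment (commons-io's BoundedInputStream is the byte-level counterpart). This limits total size, not nesting depth, so the deeply nested objects Lukasz asks about still need a depth limit inside the parser.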
