juneau-dev mailing list archives

From James Bognar <jamesbog...@gmail.com>
Subject Re: Security
Date Fri, 10 Nov 2017 17:47:08 GMT
Hi Lukasz,

Thanks for these great questions!

Our unit tests cover and pass the scenarios described here:

However, we don't have any limiters in place to prevent you from, for
example, creating an infinitely long String field (other than the built-in
limitations on the StringBuilder class itself which is limited by an int).

I'm thinking it can be solved at the REST servlet interface with a
BoundedReader (
The parsers themselves wouldn't need to be changed.

Thoughts anyone?  What would be an appropriate default size limit on the
input?  100MB?

On Thu, Nov 9, 2017 at 11:27 PM, Lukasz Lenart <lukaszlenart@apache.org>

> One more question: did you test your JSON lib against DoS attack? Like
> posting a JSON which will consume a lot of memory during deserialization by
> creating nested objects?
> Cheers
> --
> Lukasz

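As an added illustration of the two guards the thread discusses (not code from Juneau or from either poster), the example below shows a Reader wrapper that fails fast once a character budget is exceeded, plus a stream-level nesting-depth check that could sit in front of any JSON parser; the class, method names and limits are hypothetical, the inputs are constructed, and `String.repeat` needs Java 11 or later.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

/** Hypothetical Reader wrapper: fails fast once more than maxChars characters have been read. */
public class LimitedReader extends Reader {
    private final Reader in;
    private final long maxChars;
    private long consumed;
    public LimitedReader(Reader in, long maxChars) { this.in = in; this.maxChars = maxChars; }

    @Override public int read(char[] buf, int off, int len) throws IOException {
        int n = in.read(buf, off, len);   // Reader.read() (single char) also routes through here
        if (n > 0 && (consumed += n) > maxChars)
            throw new IOException("request body exceeds " + maxChars + " characters");
        return n;
    }
    @Override public void close() throws IOException { in.close(); }

    /** Deepest {}/[] nesting of a JSON document, rejecting input deeper than maxDepth;
     *  brackets inside string literals are skipped so a value like "]}" does not count. */
    public static int maxNesting(Reader r, int maxDepth) throws IOException {
        int depth = 0, deepest = 0, c;
        boolean inString = false, escaped = false;
        while ((c = r.read()) != -1) {
            if (inString) {
                if (escaped) escaped = false;
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
            } else if (c == '"') {
                inString = true;
            } else if (c == '{' || c == '[') {
                if (++depth > maxDepth) throw new IOException("nesting deeper than " + maxDepth);
                deepest = Math.max(deepest, depth);
            } else if (c == '}' || c == ']') {
                depth--;
            }
        }
        return deepest;
    }

    public static void main(String[] args) throws IOException {
        String ok = "{\"a\":[1,{\"b\":\"]}\"}]}";                  // constructed sample, depth 3
        System.out.println(maxNesting(new LimitedReader(new StringReader(ok), 1024), 32));
        String deep = "[".repeat(100) + "]".repeat(100);           // deeply nested input, rejected by depth
        String big = "{\"s\":\"" + "x".repeat(5000) + "\"}";       // oversized string field, rejected by size
        for (String s : new String[] {deep, big}) {
            try { maxNesting(new LimitedReader(new StringReader(s), 1024), 32); }
            catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Because the depth counter reads through the same wrapper, the size cap is enforced before any parser allocates a StringBuilder for the body, which is the point of placing the limit at the servlet boundary rather than inside the parsers.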