Denial of service when parsing a big JSON number as Instant/ZonedDateTime/OffsetDateTime

[plokhotnyuk]

It looks the same as: playframework/play-json#180

Reproduced by the following commit: plokhotnyuk/jsoniter-scala@0d53faf

The security bug is in InstantDeserializer and DurationDeserializer of the jackson-datatype-jsr310 artifact:

    protected T _fromDecimal(DeserializationContext context, BigDecimal value)
    {
        long seconds = value.longValue();   // <- hangs in case of 10000000e100000000 
        int nanoseconds = DecimalUtils.extractNanosecondDecimal(value, seconds);
        return fromNanoseconds.apply(new FromDecimalArguments(
                seconds, nanoseconds, getZone(context)));
    }

W/A is to use custom serializers for all types that are parsed with InstantDeserializer and DurationDeserializer by registering them after (or instead of) registration of the JavaTimeModule module.

[plokhotnyuk]

Possible solution (proposed by @h8 ) would be to use bounding check for the BigDecimal value before the longValue() call.

As example, for InstantDeserializer that bounds can be derived from Instant.MIN and Instant.MAX values: new java.math.BigDecimal(java.time.Instant.MIN.getEpochSecond()) and new java.math.BigDecimal(java.time.Instant.MAX.getEpochSecond()).

[plokhotnyuk]

@cowtowncoder it is low-bandwidth DoS vulnerability and affects all products that uses Jackson's InstantDeserializer and DurationDeserializer for parsing of java.time.Duration, java.time.Instant, java.time.OffsetDateTime, and java.time.ZonedDateTime types so please fix it ASAP or let us know if any help is wanted.

[abracadv8]

I made a best guess. I just am throwing a parse exception if it is out of bounds. I can clean up the error message however or perform a pull request if it looks good.

Not sure if this needs to be back ported to other versions as well.

[lsamayoa]

Reddit post: https://www.reddit.com/r/java/comments/9jyv58/lowbandwidth_dos_vulnerability_in_jacksons/