-
-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reproduce DoS by hash map collisions for uJson #325
Conversation
Codecov Report
@@ Coverage Diff @@
## master #325 +/- ##
==========================================
- Coverage 100% 99.96% -0.04%
==========================================
Files 181 181
Lines 5297 5299 +2
Branches 501 528 +27
==========================================
Hits 5297 5297
- Misses 0 2 +2
Continue to review full report at Codecov.
|
Codecov Report
@@ Coverage Diff @@
## master #325 +/- ##
===========================================
- Coverage 100.00% 99.96% -0.04%
===========================================
Files 180 180
Lines 5402 5404 +2
Branches 556 551 -5
===========================================
Hits 5402 5402
- Misses 0 2 +2
Continue to review full report at Codecov.
|
8ba15e7
to
795401c
Compare
a343fcb
to
178701f
Compare
f43e235
to
d91165e
Compare
6e0e397
to
f0ebbe1
Compare
b408876
to
2aa234e
Compare
8a28c79
to
b1cec24
Compare
e2f7a7a
to
89920a9
Compare
5dc9b0f
to
51dcd60
Compare
74b71bf
to
b898694
Compare
ad1ac7c
to
53fd6b7
Compare
See https://github.com/lihaoyi/upickle/issues/273
EDIT: @lihaoyi removed the ticked above including all suggestions from the Scala community about how to fix it... Bellow is an original report with code and instructions to reproduce this security flaw...
Sub-quadratic decreasing of throughput when number of JSON object fields (with keys that have the same hash code) is increasing
On contemporary CPUs parsing of such JSON object (with a sequence of 100000 fields like below that is ~1.6Mb) can took ~200 seconds:
Below are results of the benchmark where
size
is a number of such fields:To run that benchmarks on your JDK:
sbt
and/or ensure that it already installed properly:jsoniter-scala
repo: