CASSANDRA-14925

DecimalSerializer.toString() can be used as OOM attack


    Details

    • Type: Bug
    • Status: Patch Available
    • Priority: Low
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Legacy/Core
    • Labels:
      None
    • Severity:
      Low

      Description

      Currently DecimalSerializer.toString(value) calls BigDecimal.toPlainString(), which produces a string whose length grows with the value's scale rather than with its number of significant digits, so a value with a very large scale expands into a huge string:

      import java.math.BigDecimal;

      // scale just below Integer.MAX_VALUE: toPlainString() tries to allocate ~2 billion chars
      BigDecimal d = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
      d.toPlainString(); // OutOfMemoryError

      Proposal: fall back to BigDecimal.toString() (scientific notation) when the scale is larger than 100, with the threshold configurable via -Dcassandra.decimal.maxscaleforstring.

      patch circle-ci
      trunk unit

      The code should apply cleanly to 3.0+.
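      The bounded conversion the proposal describes, written out as an added example. This is not the ticket's patch or Cassandra's code: the property name cassandra.decimal.maxscaleforstring and the default of 100 come from the ticket, while the class name BoundedDecimalToString and the method names are hypothetical. It goes one step beyond the text by bounding the scale in both directions, because toPlainString() pads with roughly |scale| characters whether the scale is large and positive (1e-2147483641 becomes "0.000...1") or large and negative (1e2147483647 becomes "1000...0").

```java
import java.math.BigDecimal;

// Added example, not Cassandra's code: a bounded replacement for the
// toPlainString() call in DecimalSerializer.toString(). Property name and
// default threshold are taken from CASSANDRA-14925; class and method names
// are hypothetical.
public final class BoundedDecimalToString {
    static final String MAX_SCALE_PROPERTY = "cassandra.decimal.maxscaleforstring";
    static final int DEFAULT_MAX_SCALE = 100;

    /** Scale magnitude above which plain notation is abandoned. */
    static int maxScaleForString() {
        // Integer.getInteger reads -Dcassandra.decimal.maxscaleforstring=N and
        // falls back to the default when the property is absent or malformed.
        return Integer.getInteger(MAX_SCALE_PROPERTY, DEFAULT_MAX_SCALE);
    }

    /**
     * Plain notation for ordinary values; scientific notation once the scale
     * exceeds the threshold in either direction, so the output length is
     * proportional to the number of significant digits, not to the scale.
     */
    public static String toString(BigDecimal value) {
        if (value == null) {
            return "";
        }
        int scale = value.scale();
        int max = maxScaleForString();
        // Compare both sides explicitly rather than via Math.abs(): a scale of
        // Integer.MIN_VALUE would survive Math.abs() as a negative number and
        // slip through to toPlainString().
        if (scale > max || scale < -max) {
            // BigDecimal.toString() emits e.g. "1E-2147483641": 14 characters
            // regardless of how extreme the scale is.
            return value.toString();
        }
        return value.toPlainString();
    }

    public static void main(String[] args) {
        // Constructed sample values: an ordinary decimal, then the two
        // extreme-scale shapes that make toPlainString() blow up.
        BigDecimal ordinary = new BigDecimal("123.456000");
        BigDecimal tinyScale = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
        BigDecimal hugeScale = new BigDecimal("1e" + Integer.MAX_VALUE);

        System.out.println(toString(ordinary));  // 123.456000
        System.out.println(toString(tinyScale)); // 1E-2147483641
        System.out.println(toString(hugeScale)); // 1E+2147483647
    }
}
```

      Run with -Dcassandra.decimal.maxscaleforstring=20 to see the cut-over move. One caveat for anyone parsing the rendered output: values whose scale exceeds the threshold change form from plain to scientific notation, so a consumer that previously relied on a plain-decimal string (no exponent) must accept both shapes once this bound is in place.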


            People

             • Assignee: ZhaoYang (jasonstack)
             • Reporter: ZhaoYang (jasonstack)
             • Authors: ZhaoYang