Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Number size limits (max 50 characters), enforcement #432

Merged
merged 20 commits into from
Jun 5, 2023
Merged

Add Number size limits (max 50 characters), enforcement #432

merged 20 commits into from
Jun 5, 2023

Conversation

tatu-at-datastax
Copy link
Contributor

@tatu-at-datastax tatu-at-datastax commented May 17, 2023
edited
Loading

What this PR does:

Will impose limit to maximum length of JSON Number values we accept in JSON Documents (based on textual length): initial value configured to 50 characters.
In theory we could limit to lower (some documentation suggest maximum number of significant digits would be 21) but since the goal here is to reduce likelihood of DoS style resource consumption, we only need to prevent thousands of digits -- performance testing done by Jackson project suggested change not below 1000 digits.

Which issue(s) this PR fixes:
Fixes #172

Checklist

  • Changes manually tested
  • Automated Tests added/updated
  • Documentation added/updated
  • CLA Signed: DataStax CLA

@tatu-at-datastax tatu-at-datastax self-assigned this May 17, 2023
@tatu-at-datastax
Copy link
Contributor Author

Hmmmh. Looks like I found a Record-deserialization regression b/w Jackson 2.14 and 2.15. Yikes. Need to troubleshoot....

@ivansenic
Copy link
Contributor

@tatu-at-datastax Guess not needed anymore with #439 ?

@tatu-at-datastax
Copy link
Contributor Author

@ivansenic We still need 2.15.x (likely 2.15.2) to get Number length limits. But I need to get 2.15.2 released first, to resolve issue uncovered by my "interesting" usage of setter method on records (fix is in 2.15 branch).

@tatu-at-datastax
Copy link
Contributor Author

Now that Jackson 2.15.2 is out, with relevant fix, can unblock this. Will first get ITs to run to make sure everything still works, then add tighter number length limits and matching tests.

@tatu-at-datastax tatu-at-datastax changed the title (WIP) Add Jackson dep/version override to use 2.15.1 (WIP) Add Jackson dep/version override to use 2.15.2 May 31, 2023
@tatu-at-datastax tatu-at-datastax changed the title (WIP) Add Jackson dep/version override to use 2.15.2 (WIP) Add Number size limits Jun 1, 2023
tatu-at-datastax
tatu-at-datastax commented Jun 2, 2023
View reviewed changes
src/main/java/io/stargate/sgv2/jsonapi/api/model/command/Command.java
@JsonTypeInfo(
use = JsonTypeInfo.Id.NAME,
include = JsonTypeInfo.As.WRAPPER_OBJECT,
property = "commandName")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"property" only used with As.PROPERTY, not with WRAPPER_OBJECT.

tatu-at-datastax
tatu-at-datastax commented Jun 2, 2023
View reviewed changes
src/test/java/io/stargate/sgv2/jsonapi/api/v1/InsertIntegrationTest.java
@@ -100,16 +100,16 @@ public void insertDocument() {
public void insertDocumentWithDateValue() {
String json =
"""
{
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not done on purpose but ./mvnw fmt:format sometimes/somehow seems to decide it wants to reformat. :-(

@tatu-at-datastax tatu-at-datastax marked this pull request as ready for review June 2, 2023 22:46
@tatu-at-datastax tatu-at-datastax requested a review from a team as a code owner June 2, 2023 22:46
ivansenic
ivansenic approved these changes Jun 5, 2023
View reviewed changes
Copy link
Contributor

@ivansenic ivansenic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine, just one thing to check imo..

src/main/java/io/stargate/sgv2/jsonapi/config/DocumentLimitsConfig.java Show resolved Hide resolved
pom.xml Show resolved Hide resolved
@tatu-at-datastax
Copy link
Contributor Author

@ivansenic

Are you sure this is not preventing the values to be changed during the runtime?

I am not sure it would be possible to change these during runtime (to have effect dynamically), as they are typically injected into other handlers. I guess I haven't tried that, and in kubernetes environment I was assuming change to pod would need to restart it anyway (to pass system properties or env variables).

But I'll read bit more about this annotation to understand it better.

@tatu-at-datastax tatu-at-datastax changed the title (WIP) Add Number size limits Add Number size limits (max 50 characters), enforcement Jun 5, 2023
@tatu-at-datastax
Copy link
Contributor Author

Since injection of DocumentLimitsConfig otherwise fails, preventing injection of ObjectMapper which in turns in needed by unit tests, right now annotation @StaticInitSafe is required, so will merge.

@tatu-at-datastax tatu-at-datastax merged commit 7b08da4 into main Jun 5, 2023
@tatu-at-datastax tatu-at-datastax deleted the tatu/172-number-len-limits branch June 5, 2023 16:59
@tatu-at-datastax tatu-at-datastax mentioned this pull request Jun 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ivansenic ivansenic ivansenic approved these changes

Assignees

@tatu-at-datastax tatu-at-datastax

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Decide on the size of numbers we accept
2 participants
@tatu-at-datastax @ivansenic