Open nyh opened 3 years ago
Similar to #6794, this issue can be used as a DoS attack against Scylla, where sending a short request can cause Scylla to do arbitrarily-large allocations, potentially std::bad_alloc, and arbitrarily-long scheduler stalls and CPU usage.
This can be an important risk in the future, when we add multi-tenancy (where one tenant can use this attack to DoS a different tenant) . For today's single-tenant installations it is only a serious problem in very specific applications which use a combination of the "decimal" type and the "tojson" function, and sets the decimal column from unchecked user input.
It is possible that we have similar problems in other places which print or calculate with the "decimal" type, not just in to toJson()
.
Scylla's implementation of toJson() for the
decimal
type (the variable-precision number type) mistakenly avoids using exponents in its representation, although exponents are perfectly legal in JSON's number format. So for the number -1.23E-12 it prints-0.00000000000123
, and for the number 1e100 it prints10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
. For these example numbers, the representation is just silly and a bit wasteful - but for much larger numbers, the result can be huge, and most likely cause a failure to allocate the buffer to build it. For example, the perfectly legal (though not very useful?) number 1e1000000000 needs a billion bytes for its result. So for example the testFails with the error:
We have an xfailing reproducing cql-pytest:
test_json.py
::test_tojson_decimal_high_mantissa
.