Add safe Jackson deserializers to prevent a DoS attack (#2511)

    Jackson uses `BigDecimal` for deserilization of `java.time` instants
    and durations. The problem is that if the users sets a very
    big number in the scientific notation (like `1e1000000000`), it
    takes forever to convert `BigDecimal` to `BigInteger` to convert it to a long value. An example of the stack trace:

    ```
        @test(timeout = 2000)
        public void parseBigDecimal(){
            new BigDecimal("1e1000000000").longValue();
        }

            at java.math.BigInteger.squareToomCook3(BigInteger.java:2074)
            at java.math.BigInteger.square(BigInteger.java:1899)
            at java.math.BigInteger.squareToomCook3(BigInteger.java:2053)
            at java.math.BigInteger.square(BigInteger.java:1899)
            at java.math.BigInteger.squareToomCook3(BigInteger.java:2051)
            at java.math.BigInteger.square(BigInteger.java:1899)
            at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
            at java.math.BigInteger.square(BigInteger.java:1899)
            at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
            at java.math.BigInteger.square(BigInteger.java:1899)
            at java.math.BigInteger.squareToomCook3(BigInteger.java:2055)
            at java.math.BigInteger.square(BigInteger.java:1899)
            at java.math.BigInteger.squareToomCook3(BigInteger.java:2049)
            at java.math.BigInteger.square(BigInteger.java:1899)
            at java.math.BigInteger.pow(BigInteger.java:2306)
            at java.math.BigDecimal.bigTenToThe(BigDecimal.java:3543)
            at java.math.BigDecimal.bigMultiplyPowerTen(BigDecimal.java:3676)
            at java.math.BigDecimal.setScale(BigDecimal.java:2445)
            at java.math.BigDecimal.toBigInteger(BigDecimal.java:3025)
    ```

    A fix would be to reject big decimal values outside of the Instant
    and Duration ranges.

    See:
    [1] FasterXML/jackson-databind#2141
    [2] https://reddit.com/r/java/comments/9jyv58/lowbandwidth_dos_vulnerability_in_jacksons/

Author: Luca Di Grazia

dataset/GitHub_Java/dropwizard.dropwizard/dropwizard-core/src/main/java/io/dropwizard/cli/EnvironmentCommand.java

@@ -6,8 +6,6 @@
 import io.dropwizard.setup.Environment;
 import net.sourceforge.argparse4j.inf.Namespace;
 
-import javax.annotation.Nullable;
-
 /**
  * A command which executes with a configured {@link Environment}.
  *
@@ -16,8 +14,6 @@
  */
 public abstract class EnvironmentCommand<T extends Configuration> extends ConfiguredCommand<T> {
     private final Application<T> application;
-    @Nullable
-    private Environment environment;
 
     /**
      * Creates a new environment command.
@@ -31,26 +27,14 @@ protected EnvironmentCommand(Application<T> application, String name, String des
         this.application = application;
     }
 
-    /**
-     * Returns the constructed environment or {@code null} if it hasn't been constructed yet.
-     *
-     * @return Returns the constructed environment or {@code null} if it hasn't been constructed yet
-     * @since 2.0.19
-     */
-    @Nullable
-    public Environment getEnvironment() {
-        return environment;
-    }
-
     @Override
     protected void run(Bootstrap<T> bootstrap, Namespace namespace, T configuration) throws Exception {
-        this.environment = new Environment(bootstrap.getApplication().getName(),
-                                           bootstrap.getObjectMapper(),
-                                           bootstrap.getValidatorFactory(),
-                                           bootstrap.getMetricRegistry(),
-                                           bootstrap.getClassLoader(),
-                                           bootstrap.getHealthCheckRegistry(),
-                                           configuration);
+        final Environment environment = new Environment(bootstrap.getApplication().getName(),
+                                                        bootstrap.getObjectMapper(),
+                                                        bootstrap.getValidatorFactory(),
+                                                        bootstrap.getMetricRegistry(),
+                                                        bootstrap.getClassLoader(),
+                                                        bootstrap.getHealthCheckRegistry());
         configuration.getMetricsFactory().configure(environment.lifecycle(),
                                                     bootstrap.getMetricRegistry());
         configuration.getServerFactory().configure(environment);

dataset/GitHub_Java/dropwizard.dropwizard/dropwizard-core/src/main/java/io/dropwizard/setup/Environment.java

@@ -76,7 +76,7 @@ public Environment(String name,
 
         this.adminEnvironment = new AdminEnvironment(adminContext, healthCheckRegistry, metricRegistry);
 
-        this.lifecycleEnvironment = new LifecycleEnvironment(metricRegistry);
+        this.lifecycleEnvironment = new LifecycleEnvironment();
 
         final DropwizardResourceConfig jerseyConfig = new DropwizardResourceConfig(metricRegistry);
         jerseyConfig.setContextPath(servletContext.getContextPath());
@@ -113,8 +113,6 @@ public Environment(String name,
 
     /**
      * Creates an environment and enables injecting validator feature.
-     *
-     * @since 2.0
      */
     public Environment(String name,
                        ObjectMapper objectMapper,

dataset/GitHub_Java/dropwizard.dropwizard/dropwizard-jackson/src/main/java/io/dropwizard/jackson/Jackson.java

@@ -1,7 +1,5 @@
 package io.dropwizard.jackson;
 
-import static com.fasterxml.jackson.databind.DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES;
-
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.guava.GuavaModule;
@@ -51,8 +49,7 @@ public static ObjectMapper newObjectMapper(@Nullable JsonFactory jsonFactory) {
     public static ObjectMapper newMinimalObjectMapper() {
         return new ObjectMapper()
                 .registerModule(new GuavaModule())
-                .setSubtypeResolver(new DiscoverableSubtypeResolver())
-                .disable(FAIL_ON_UNKNOWN_PROPERTIES);
+                .setSubtypeResolver(new DiscoverableSubtypeResolver());
     }
 
     private static ObjectMapper configure(ObjectMapper mapper) {
@@ -67,7 +64,6 @@ private static ObjectMapper configure(ObjectMapper mapper) {
         mapper.registerModule(new JavaTimeModule());
         mapper.setPropertyNamingStrategy(new AnnotationSensitivePropertyNamingStrategy());
         mapper.setSubtypeResolver(new DiscoverableSubtypeResolver());
-        mapper.disable(FAIL_ON_UNKNOWN_PROPERTIES);
 
         mapper.registerModule(new SafeJavaTimeModule());
         return mapper;

dataset/GitHub_Java/dropwizard.dropwizard/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeDurationDeserializer.java

@@ -0,0 +1,39 @@
+package io.dropwizard.jackson;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonTokenId;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.deser.std.StdScalarDeserializer;
+import com.fasterxml.jackson.datatype.jsr310.deser.DurationDeserializer;
+
+import javax.annotation.Nullable;
+import java.io.IOException;
+import java.math.BigDecimal;
+import java.time.Duration;
+
+/**
+ * Safe deserializer for `Instant` that rejects big decimal values out of the range of Long.
+ * They take forever to deserialize and can be used in a DoS attack.
+ */
+class SafeDurationDeserializer extends StdScalarDeserializer<Duration> {
+
+    private static final BigDecimal MAX_DURATION = new BigDecimal(Long.MAX_VALUE);
+    private static final BigDecimal MIN_DURATION = new BigDecimal(Long.MIN_VALUE);
+
+    SafeDurationDeserializer() {
+        super(Duration.class);
+    }
+
+    @Override
+    @Nullable
+    public Duration deserialize(JsonParser parser, DeserializationContext context) throws IOException {
+        if (parser.getCurrentTokenId() == JsonTokenId.ID_NUMBER_FLOAT) {
+            BigDecimal value = parser.getDecimalValue();
+            // new BigDecimal("1e1000000000").longValue() takes forever to complete
+            if (value.compareTo(MAX_DURATION) > 0 || value.compareTo(MIN_DURATION) < 0) {
+                throw new IllegalArgumentException("Value is out of range of Duration");
+            }
+        }
+        return DurationDeserializer.INSTANCE.deserialize(parser, context);
+    }
+}

dataset/GitHub_Java/dropwizard.dropwizard/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeInstantDeserializer.java

@@ -0,0 +1,43 @@
+package io.dropwizard.jackson;
+
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer;
+
+import javax.annotation.Nullable;
+import java.math.BigDecimal;
+import java.time.Instant;
+import java.time.ZoneId;
+import java.time.format.DateTimeFormatter;
+import java.time.temporal.Temporal;
+import java.time.temporal.TemporalAccessor;
+import java.util.function.BiFunction;
+import java.util.function.Function;
+
+/**
+ * Safe deserializer for `Instant` that rejects big decimal values that take forever to deserialize
+ * and can be used in a DoS attack.
+ */
+class SafeInstantDeserializer<T extends Temporal> extends InstantDeserializer<T> {
+
+    private static final BigDecimal MAX_INSTANT = new BigDecimal(Instant.MAX.getEpochSecond() + 1);
+    private static final BigDecimal MIN_INSTANT = new BigDecimal(Instant.MIN.getEpochSecond());
+
+    SafeInstantDeserializer(Class<T> supportedType,
+                            DateTimeFormatter formatter,
+                            Function<TemporalAccessor, T> parsedToValue,
+                            Function<FromIntegerArguments, T> fromMilliseconds,
+                            Function<FromDecimalArguments, T> fromNanoseconds,
+                            @Nullable BiFunction<T, ZoneId, T> adjust,
+                            boolean replaceZeroOffsetAsZ) {
+        super(supportedType, formatter, parsedToValue, fromMilliseconds, fromNanoseconds, adjust, replaceZeroOffsetAsZ);
+    }
+
+    @Override
+    protected T _fromDecimal(DeserializationContext context, BigDecimal value) {
+        // new BigDecimal("1e1000000000").longValue() takes forever to complete
+        if (value.compareTo(MAX_INSTANT) >= 0 || value.compareTo(MIN_INSTANT) < 0) {
+            throw new IllegalArgumentException("Value is out of range of Instant");
+        }
+        return super._fromDecimal(context, value);
+    }
+}

dataset/GitHub_Java/dropwizard.dropwizard/dropwizard-jackson/src/main/java/io/dropwizard/jackson/SafeJavaTimeModule.java

@@ -0,0 +1,53 @@
+package io.dropwizard.jackson;
+
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import com.fasterxml.jackson.datatype.jsr310.deser.InstantDeserializer;
+import com.fasterxml.jackson.module.paramnames.PackageVersion;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.time.OffsetDateTime;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+
+/**
+ * Module that provides safe deserializers for Instant and Duration that reject big decimal values
+ * outside of their range which are extremely CPU-heavy to parse.
+ */
+class SafeJavaTimeModule extends SimpleModule {
+
+    private static final InstantDeserializer<Instant> INSTANT = new SafeInstantDeserializer<>(
+        Instant.class, DateTimeFormatter.ISO_INSTANT,
+        Instant::from,
+        a -> Instant.ofEpochMilli(a.value),
+        a -> Instant.ofEpochSecond(a.integer, a.fraction),
+        null,
+        true
+    );
+
+    private static final InstantDeserializer<OffsetDateTime> OFFSET_DATE_TIME = new SafeInstantDeserializer<>(
+        OffsetDateTime.class, DateTimeFormatter.ISO_OFFSET_DATE_TIME,
+        OffsetDateTime::from,
+        a -> OffsetDateTime.ofInstant(Instant.ofEpochMilli(a.value), a.zoneId),
+        a -> OffsetDateTime.ofInstant(Instant.ofEpochSecond(a.integer, a.fraction), a.zoneId),
+        (d, z) -> d.withOffsetSameInstant(z.getRules().getOffset(d.toLocalDateTime())),
+        true
+    );
+
+    private static final InstantDeserializer<ZonedDateTime> ZONED_DATE_TIME = new SafeInstantDeserializer<>(
+        ZonedDateTime.class, DateTimeFormatter.ISO_ZONED_DATE_TIME,
+        ZonedDateTime::from,
+        a -> ZonedDateTime.ofInstant(Instant.ofEpochMilli(a.value), a.zoneId),
+        a -> ZonedDateTime.ofInstant(Instant.ofEpochSecond(a.integer, a.fraction), a.zoneId),
+        ZonedDateTime::withZoneSameInstant,
+        false
+    );
+
+    SafeJavaTimeModule() {
+        super(PackageVersion.VERSION);
+        addDeserializer(Instant.class, INSTANT);
+        addDeserializer(OffsetDateTime.class, OFFSET_DATE_TIME);
+        addDeserializer(ZonedDateTime.class, ZONED_DATE_TIME);
+        addDeserializer(Duration.class, new SafeDurationDeserializer());
+    }
+}

dataset/GitHub_Java/dropwizard.dropwizard/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToDurationTest.java

@@ -3,70 +3,69 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.junit.jupiter.api.Test;
+import org.junit.Test;
 
 import javax.annotation.Nullable;
 import java.time.Duration;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
-import static org.junit.jupiter.api.Assertions.assertTimeout;
-
 
 public class JacksonDeserializationOfBigNumbersToDurationTest {
 
     private final ObjectMapper objectMapper = Jackson.newObjectMapper();
 
-    @Test
-    void testDoesNotAttemptToDeserializeExtremelyBigNumbers() throws Exception {
-        Task task = objectMapper.readValue("{\"id\": 42, \"duration\": 1e1000000000}", Task.class);
-        assertTimeout(Duration.ofSeconds(5L), () -> assertThat(task.getDuration()).isEqualTo(Duration.ofSeconds(0)));
+    @Test(timeout = 5000)
+    public void testDoesNotAttemptToDeserializeExtremelyBigNumbers() {
+        assertThatExceptionOfType(JsonMappingException.class).isThrownBy(
+            () -> objectMapper.readValue("{\"id\": 42, \"duration\": 1e1000000000}", Task.class))
+            .withMessageStartingWith("Value is out of range of Duration");
     }
 
     @Test
-    void testCanDeserializeZero() throws Exception {
+    public void testCanDeserializeZero() throws Exception {
         Task task = objectMapper.readValue("{\"id\": 42, \"duration\": 0}", Task.class);
         assertThat(task.getDuration()).isEqualTo(Duration.ofSeconds(0));
     }
 
     @Test
-    void testCanDeserializeNormalTimestamp() throws Exception {
+    public void testCanDeserializeNormalTimestamp() throws Exception {
         Task task = objectMapper.readValue("{\"id\": 42, \"duration\": 30}", Task.class);
         assertThat(task.getDuration()).isEqualTo(Duration.ofSeconds(30));
     }
 
     @Test
-    void testCanDeserializeNormalTimestampWithNanoseconds() throws Exception {
+    public void testCanDeserializeNormalTimestampWithNanoseconds() throws Exception {
         Task task = objectMapper.readValue("{\"id\": 42, \"duration\": 30.314400507}", Task.class);
         assertThat(task.getDuration()).isEqualTo(Duration.ofSeconds(30, 314400507L));
     }
 
     @Test
-    void testCanDeserializeFromString() throws Exception {
+    public void testCanDeserializeFromString() throws Exception {
         Task task = objectMapper.readValue("{\"id\": 42, \"duration\": \"PT30S\"}", Task.class);
         assertThat(task.getDuration()).isEqualTo(Duration.ofSeconds(30));
     }
 
     @Test
-    void testCanDeserializeMinDuration() throws Exception {
+    public void testCanDeserializeMinDuration() throws Exception {
         Task task = objectMapper.readValue("{\"id\": 42, \"duration\": -9223372036854775808}", Task.class);
         assertThat(task.getDuration()).isEqualTo(Duration.ofSeconds(Long.MIN_VALUE));
     }
 
     @Test
-    void testCanDeserializeMaxDuration() throws Exception {
+    public void testCanDeserializeMaxDuration() throws Exception {
         Task task = objectMapper.readValue("{\"id\": 42, \"duration\": 9223372036854775807}", Task.class);
         assertThat(task.getDuration()).isEqualTo(Duration.ofSeconds(Long.MAX_VALUE));
     }
 
     @Test
-    void testCanNotDeserializeValueMoreThanMaxDuration() {
+    public void testCanNotDeserializeValueMoreThanMaxDuration() {
         assertThatExceptionOfType(JsonMappingException.class).isThrownBy(
             () -> objectMapper.readValue("{\"id\": 42, \"duration\": 9223372036854775808}", Task.class));
     }
 
     @Test
-    void testCanNotDeserializeValueLessThanMinDuration() {
+    public void testCanNotDeserializeValueLessThanMinDuration() {
         assertThatExceptionOfType(JsonMappingException.class).isThrownBy(
             () -> objectMapper.readValue("{\"id\": 42, \"duration\": -9223372036854775809}", Task.class));
     }

dataset/GitHub_Java/dropwizard.dropwizard/dropwizard-jackson/src/test/java/io/dropwizard/jackson/JacksonDeserializationOfBigNumbersToInstantTest.java

@@ -3,64 +3,63 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.junit.jupiter.api.Test;
+import org.junit.Test;
 
 import javax.annotation.Nullable;
-import java.time.Duration;
 import java.time.Instant;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
-import static org.junit.jupiter.api.Assertions.assertTimeout;
 
 public class JacksonDeserializationOfBigNumbersToInstantTest {
 
     private final ObjectMapper objectMapper = Jackson.newObjectMapper();
 
-    @Test
-    void testDoesNotAttemptToDeserializeExtremelBigNumbers() throws Exception {
-        Event event = objectMapper.readValue("{\"id\": 42, \"createdAt\": 1e1000000000}", Event.class);
-        assertTimeout(Duration.ofSeconds(5L), () -> assertThat(event.getCreatedAt()).isEqualTo(Instant.ofEpochMilli(0)));
+    @Test(timeout = 5000)
+    public void testDoesNotAttemptToDeserializeExtremelBigNumbers() {
+        assertThatExceptionOfType(JsonMappingException.class).isThrownBy(
+            () -> objectMapper.readValue("{\"id\": 42, \"createdAt\": 1e1000000000}", Event.class))
+            .withMessageStartingWith("Value is out of range of Instant");
     }
 
     @Test
-    void testCanDeserializeZero() throws Exception {
+    public void testCanDeserializeZero() throws Exception {
         Event event = objectMapper.readValue("{\"id\": 42, \"createdAt\": 0}", Event.class);
         assertThat(event.getCreatedAt()).isEqualTo(Instant.ofEpochMilli(0));
     }
 
     @Test
-    void testCanDeserializeNormalTimestamp() throws Exception {
+    public void testCanDeserializeNormalTimestamp() throws Exception {
         Event event = objectMapper.readValue("{\"id\": 42, \"createdAt\": 1538326357}", Event.class);
         assertThat(event.getCreatedAt()).isEqualTo(Instant.ofEpochMilli(1538326357000L));
     }
 
     @Test
-    void testCanDeserializeNormalTimestampWithNanoseconds() throws Exception {
+    public void testCanDeserializeNormalTimestampWithNanoseconds() throws Exception {
         Event event = objectMapper.readValue("{\"id\": 42, \"createdAt\": 1538326357.298509112}", Event.class);
         assertThat(event.getCreatedAt()).isEqualTo(Instant.ofEpochSecond(1538326357, 298509112L));
     }
 
     @Test
-    void testCanDeserializeMinInstant() throws Exception {
+    public void testCanDeserializeMinInstant() throws Exception {
         Event event = objectMapper.readValue("{\"id\": 42, \"createdAt\": -31557014167219200}", Event.class);
         assertThat(event.getCreatedAt()).isEqualTo(Instant.MIN);
     }
 
     @Test
-    void testCanDeserializeMaxInstant() throws Exception {
+    public void testCanDeserializeMaxInstant() throws Exception {
         Event event = objectMapper.readValue("{\"id\": 42, \"createdAt\": 31556889864403199.999999999}", Event.class);
         assertThat(event.getCreatedAt()).isEqualTo(Instant.MAX);
     }
 
     @Test
-    void testCanNotDeserializeValueMoreThanMaxInstant() {
+    public void testCanNotDeserializeValueMoreThanMaxInstant() {
         assertThatExceptionOfType(JsonMappingException.class).isThrownBy(
             () -> objectMapper.readValue("{\"id\": 42, \"createdAt\": 31556889864403200}", Event.class));
     }
 
     @Test
-    void testCanNotDeserializeValueLessThanMaxInstant() {
+    public void testCanNotDeserializeValueLessThanMaxInstant() {
         assertThatExceptionOfType(JsonMappingException.class).isThrownBy(
             () -> objectMapper.readValue("{\"id\": 42, \"createdAt\": -31557014167219201}", Event.class));
     }