diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80713df..7b623bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.4.1 (06.07.2023)
+
+* Add limit to decoded integer sizes of 1024 digits. This can be changed
+  with the `decoding_integer_digit_limit` app env config.
+
 ## 1.4.0 (12.09.2022)
 
 ### Enhancements
diff --git a/lib/decoder.ex b/lib/decoder.ex
index 8ffe178..782629f 100644
--- a/lib/decoder.ex
+++ b/lib/decoder.ex
@@ -156,6 +156,13 @@ defmodule Jason.Decoder do
     error(original, skip + 1)
   end
 
+  if function_exported?(Application, :compile_env, 3) do
+    @integer_digit_limit Application.compile_env(:jason, :decoding_integer_digit_limit, 1024)
+  else
+    # use apply to avoid warnings in newer Elixir versions
+    @integer_digit_limit apply(Application, :get_env, [:jason, :decoding_integer_digit_limit, 1024])
+  end
+
   defp number(<>, original, skip, stack, decode, len)
        when byte in '0123456789' do
     number(rest, original, skip, stack, decode, len + 1)
@@ -168,7 +175,11 @@ defmodule Jason.Decoder do
     number_exp_copy(rest, original, skip + len + 1, stack, decode, prefix)
   end
   defp number(<>, original, skip, stack, decode, len) do
-    int = String.to_integer(binary_part(original, skip, len))
+    token = binary_part(original, skip, len)
+    if byte_size(token) > @integer_digit_limit do
+      token_error(token, skip)
+    end
+    int = String.to_integer(token)
     continue(rest, original, skip + len, stack, decode, int)
   end
 
diff --git a/test/decode_test.exs b/test/decode_test.exs
index 937388d..913fdb5 100644
--- a/test/decode_test.exs
+++ b/test/decode_test.exs
@@ -171,6 +171,11 @@ defmodule Jason.DecodeTest do
     assert parse!(body) == expected
   end
 
+  test "large integers" do
+    massive_integer = String.duplicate("1", 2_000)
+    assert_fail_with(massive_integer, "unexpected sequence at position 0: #{inspect massive_integer}")
+  end
+
   defp parse!(json, opts \\ []) do
     Jason.decode!(json, opts)
   end
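Review bot: The added check in the second `lib/decoder.ex` hunk (the `defp number/6` clause that converts the integer token) relies on `token_error/2` never returning: an `if` without `else` evaluates to `nil` when the limit is exceeded and execution continues into `String.to_integer(token)` unless `token_error` throws or raises, which this hunk does not show. Moving the `String.to_integer`/`continue` calls into an `else` branch of that `if` keeps an oversized token from reaching the conversion no matter how `token_error/2` is implemented, and since `byte_size(token)` equals `len`, the comparison can also run before `binary_part/3` slices the token. The `@integer_digit_limit` attribute in the first hunk would benefit from a comment saying why the limit exists — presumably to bound the cost of `String.to_integer/1` on attacker-sized digit strings — and that its value is fixed when the module is compiled, so changing the app env at runtime has no effect despite the CHANGELOG wording.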
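Review bot: The new `"large integers"` test in `test/decode_test.exs` pins only the rejection of a 2_000-digit token, not the limit itself: a 1_024-digit integer should still decode and a 1_025-digit one should fail, otherwise an off-by-one in the `>` comparison in `lib/decoder.ex` goes unnoticed. Adding `assert parse!(String.duplicate("1", 1_024)) == String.to_integer(String.duplicate("1", 1_024))` next to an `assert_fail_with` for 1_025 digits covers both edges. If the decoder's token includes the leading `-` (not visible in this diff), a negative-number case would also document whether the sign counts toward the limit.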