
BitSet deserialization does not work #590

Closed
@pjfanning

Description


Spotted in jsoniter-scala benchmark tests.

Scala BitSets are sized based on the largest int stored in them (similar to the Java implementation). This means that if you accept input files from untrusted parties, malicious users can craft an input file that leads to the parser using a lot more memory than you would expect.

BitSet serialization already works in jackson-module-scala (in jackson-module-scala 2.13.3, for instance). An array with sorted ints is output (Scala BitSets implement SortedSet[Int]).

BitSet deserialization does not work in jackson-module-scala up to v2.14.0.

Exceptions look like:

[info]   java.lang.IllegalArgumentException: Unsupported value type: java.lang.Object
[info]   at com.fasterxml.jackson.module.scala.introspect.OrderingLocator$.$anonfun$locate$3(OrderingLocator.scala:37)
[info]   at scala.Option.getOrElse(Option.scala:201)
[info]   at com.fasterxml.jackson.module.scala.introspect.OrderingLocator$.locate(OrderingLocator.scala:26)
[info]   at com.fasterxml.jackson.module.scala.deser.SortedSetDeserializerModule$$anon$1.builderFor(SortedSetDeserializerModule.scala:27)
[info]   at com.fasterxml.jackson.module.scala.deser.SortedSetDeserializerModule$$anon$1.builderFor(SortedSetDeserializerModule.scala:12)
[info]   at com.fasterxml.jackson.module.scala.deser.GenericFactoryDeserializerResolver.$anonfun$builderFor$3(GenericFactoryDeserializerResolver.scala:28)

In jackson-module-scala v2.14.0 and above, you can addModule(BitSetDeserializerModule). Use of this additional module is discouraged, but if you know the risks and are sure the input documents you will parse are safe, then you can enable this.

jackson-module-scala v2.14.0 also changes the exception you should get if you don't register the new module but attempt to deserialize a Scala BitSet. This will now lead to an InvalidDefinitionException.
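Added example, not code from the issue or from jackson-module-scala itself: it makes the memory amplification concrete and shows the pattern a practitioner would use instead of registering BitSetDeserializerModule for untrusted input. The JSON is first read as a plain Seq[Int] with DefaultScalaModule, the largest element is bounded, and only then is a BitSet built. The object name SafeBitSetJson, the backingBytes/parseBitSet helpers, the default bound of 65536 and the sample JSON strings are all assumptions made for the example; the `JsonMapper.builder().addModule(...).build() :: ClassTagExtensions` idiom is the one documented by jackson-module-scala 2.12+.

```scala
import com.fasterxml.jackson.databind.json.JsonMapper
import com.fasterxml.jackson.module.scala.{ClassTagExtensions, DefaultScalaModule}
import scala.collection.immutable.BitSet

// Hypothetical helper object written for this example (not part of jackson-module-scala).
object SafeBitSetJson {

  // scala.collection.immutable.BitSet backs large sets with an Array[Long]: storing an
  // element n needs (n >>> 6) + 1 words, so the allocation is driven by the largest
  // element alone, not by how many elements the input contains.
  def backingBytes(maxElem: Int): Long = ((maxElem >>> 6) + 1L) * 8L

  // Only DefaultScalaModule is registered. BitSetDeserializerModule is deliberately left
  // out, so a BitSet can never be materialized straight from untrusted JSON.
  private val mapper = JsonMapper.builder()
    .addModule(DefaultScalaModule)
    .build() :: ClassTagExtensions

  // Bound on the largest permitted element; 65536 is an illustrative value (assumption),
  // a real application picks it from what its data can legitimately contain.
  def parseBitSet(json: String, maxAllowed: Int = 1 << 16): Either[String, BitSet] = {
    // Step 1: parse as an ordinary sequence. Memory here is proportional to the
    // number of elements in the document, not to their magnitude.
    val ints = mapper.readValue[Seq[Int]](json)
    // Step 2: reject anything that would make the BitSet oversized (or negative,
    // which BitSet refuses with an IllegalArgumentException anyway).
    ints.find(i => i < 0 || i > maxAllowed) match {
      case Some(bad) =>
        Left(s"rejected element $bad: outside [0, $maxAllowed], " +
             s"would need ${backingBytes(math.max(bad, 0))} bytes of backing storage")
      // Step 3: only now build the BitSet, with a known upper bound on its size.
      case None => Right(BitSet(ints: _*))
    }
  }

  def main(args: Array[String]): Unit = {
    // Constructed input in the shape the module already serializes: a sorted int array.
    println(parseBitSet("[1, 5, 64]"))

    // Constructed hostile input: a single element equal to Int.MaxValue. With
    // BitSetDeserializerModule registered, deserializing it allocates a 2^25-word array.
    println(s"BitSet(Int.MaxValue) would back onto ${backingBytes(Int.MaxValue) / (1024L * 1024L)} MiB")
    println(parseBitSet("[2147483647]"))
  }
}
```

The first call returns `Right(BitSet(1, 5, 64))`; the second prints 256 MiB and returns a `Left`, without ever allocating the large array. If the application genuinely needs BitSetDeserializerModule, the same bound should be enforced on the document before it reaches the mapper, because once the module is registered the allocation happens inside deserialization where no application code can intervene.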
