Reproduce DoS by hash map collisions for uJson

[plokhotnyuk]

See https://github.com/lihaoyi/upickle/issues/273

EDIT: @lihaoyi removed the ticked above including all suggestions from the Scala community about how to fix it... Bellow is an original report with code and instructions to reproduce this security flaw...

Sub-quadratic decreasing of throughput when number of JSON object fields (with keys that have the same hash code) is increasing

On contemporary CPUs parsing of such JSON object (with a sequence of 100000 fields like below that is ~1.6Mb) can took ~200 seconds:

{
"!!sjyehe":null,
"!!sjyeiF":null,
"!!sjyej'":null,
"!!sjyfIe":null,
"!!sjyfJF":null,
...
}

Below are results of the benchmark where size is a number of such fields:

[info] REMEMBER: The numbers below are just data. To gain reusable insights, you need to follow up on
[info] why the numbers are the way they are. Use profilers (see -prof, -lprof), design factorial
[info] experiments, perform baseline and negative tests that provide experimental control, make sure
[info] the benchmarking environment is safe on JVM/OS/HW level, ask for reviews from the domain experts.
[info] Do not assume the numbers tell you what you want them to tell.
[info] Benchmark                   (size)   Mode  Cnt        Score   Error  Units
[info] ExtractFieldsReading.uJson       1  thrpt       1094798.399          ops/s
[info] ExtractFieldsReading.uJson      10  thrpt        226871.642          ops/s
[info] ExtractFieldsReading.uJson     100  thrpt         10772.525          ops/s
[info] ExtractFieldsReading.uJson    1000  thrpt           212.781          ops/s
[info] ExtractFieldsReading.uJson   10000  thrpt             1.627          ops/s
[info] ExtractFieldsReading.uJson  100000  thrpt             0.005          ops/s

To run that benchmarks on your JDK:

1. Install latest version of sbt and/or ensure that it already installed properly:

sbt about

2. Clone jsoniter-scala repo:

git clone https://github.com/plokhotnyuk/jsoniter-scala.git

3. Enter to the cloned directory and checkout for the specific branch:

cd jsoniter-scala
git checkout uJson-DoS-by-hashmap-collisions

4. Run benchmarks using a path parameter to your JDK:

sbt -no-colors 'jsoniter-scala-benchmark/jmh:run -jvm /usr/lib/jvm/jdk-11/bin/java -wi 1 -i 1 ExtractFields.*uJson'

[codecov]

Codecov Report

Merging #325 into master will decrease coverage by 0.03%.
The diff coverage is 0%.

@@            Coverage Diff             @@
##           master     #325      +/-   ##
==========================================
- Coverage     100%   99.96%   -0.04%     
==========================================
  Files         181      181              
  Lines        5297     5299       +2     
  Branches      501      528      +27     
==========================================
  Hits         5297     5297              
- Misses          0        2       +2

Impacted Files	Coverage Δ
...soniter_scala/benchmark/ExtractFieldsReading.scala	88.23% <0%> (-11.77%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f39b98e...b6cbb54. Read the comment docs.

[codecov]

Codecov Report

Merging #325 into master will decrease coverage by 0.03%.
The diff coverage is 0.00%.

@@             Coverage Diff             @@
##            master     #325      +/-   ##
===========================================
- Coverage   100.00%   99.96%   -0.04%     
===========================================
  Files          180      180              
  Lines         5402     5404       +2     
  Branches       556      551       -5     
===========================================
  Hits          5402     5402              
- Misses           0        2       +2     

Impacted Files	Coverage Δ
...soniter_scala/benchmark/ExtractFieldsReading.scala	87.50% <0.00%> (-12.50%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0e2ed85...2b7a003. Read the comment docs.

[plokhotnyuk]

It is reproducible with uJson 0.9.6 still.

Here is a screenshot with the flame graph for the affected stack: