DoS vulnerability with uPickle for Scala 3 #3

Closed
plokhotnyuk opened this issue Nov 22, 2022 · 2 comments

Comments

@plokhotnyuk

See com-lihaoyi/upickle#416

@yakivy yakivy changed the title DoS vulnerability with uPuckle for Scala 3 DoS vulnerability with uPickle for Scala 3 Nov 23, 2022
@yakivy
Owner

yakivy commented Nov 23, 2022

@plokhotnyuk the upickle dependency is compile-time only, so it's the user's responsibility to pick the lib version. I don't think that there is something to fix on my end. Feel free to reopen the issue if you have something to add.

@yakivy yakivy closed this as completed Nov 23, 2022
@plokhotnyuk
Author

The root of the problem is in default implementations of Scala's Map and Set: scala/bug#11203.

But due to shifting responsibility a lot of Scala libraries are affected.

I think that at least it should be clearly stated in the docs that the affected library is vulnerable to untrusted input and the responsibility is shifted to the user.
