
Commit

Use 256-bit limitation for mantissa length when parsing floating point numbers (#1302)
plokhotnyuk authored Feb 11, 2025
1 parent 2a0c55a commit d214beb
Showing 17 changed files with 258 additions and 198 deletions.
2 changes: 1 addition & 1 deletion docs/security.md
Expand Up @@ -94,4 +94,4 @@ circe 4529 ( 7456) 2037 (1533)

This attack is very effective in schemas with lots of numbers, causing ops/sec to be halved with a 33% increase in memory usage.

`zio-json` is resistant to a wide range of number based attacks because it uses a from-scratch number parser that will exit early when the number of bits of any number exceeds 128 bits, which can be customized by the system property `zio.json.number.bits`.
`zio-json` is resistant to a wide range of number based attacks because it uses a from-scratch number parser that will exit early when the number of bits of any number exceeds 256 bits.
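Review bot: The replacement sentence in docs/security.md says the parser exits early "when the number of bits of any number exceeds 256 bits", but the commit title scopes the limit to the mantissa length of floating point numbers. Please state in the sentence what the 256 bits measure, so readers can tell which inputs are rejected. The new sentence also drops the reference to `zio.json.number.bits` without saying whether the property is still honored. If the limit is now fixed, say so explicitly, so that anyone who set that property to a different bound knows it no longer takes effect. Minor: "number based attacks" should be hyphenated as "number-based attacks".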