diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs new file mode 100644 index 00000000..aead1172 --- /dev/null +++ b/.git-blame-ignore-revs @@ -0,0 +1,5 @@ +# Scala Steward: Reformat with scalafmt 3.9.9 +424ec59eb4865feb383ca53b4278dfb8b9b6c36c + +# Scala Steward: Reformat with scalafmt 3.10.3 +d8af028d2cd271ab7f3adec9842f07cce86a2ac3 diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 4c49c411..a427ec6f 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -15,7 +15,7 @@ jobs: docs: ${{ steps.changes.outputs.docs }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - uses: dorny/paths-filter@v3 id: changes with: @@ -39,7 +39,7 @@ jobs: needs: changes if: ${{ needs.changes.outputs.code == 'true' }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: jcheckstyle run: ./sbt jcheckStyle - name: scalafmtCheckAll @@ -54,12 +54,12 @@ jobs: matrix: java: ['8', '11', '17', '21', '24'] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/checkout@v6 + - uses: actions/setup-java@v5 with: distribution: 'zulu' java-version: ${{ matrix.java }} - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: ~/.cache key: ${{ runner.os }}-jdk${{ matrix.java }}-${{ hashFiles('**/*.sbt') }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c3dca7c2..0cec5029 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,13 +11,13 @@ jobs: name: Release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 10000 # Fetch all tags so that sbt-dynver can find the previous release version - run: git fetch --tags -f # Install OpenJDK 8 - - uses: actions/setup-java@v4 + - uses: actions/setup-java@v5 with: # We need to use JDK8 for Android compatibility https://github.com/msgpack/msgpack-java/issues/516 java-version: 8 diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml index 4cc85866..dc0fac1d 100644 --- a/.github/workflows/snapshot.yml +++ b/.github/workflows/snapshot.yml @@ -16,12 +16,12 @@ jobs: name: Publish snapshots runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 10000 # Fetch all tags so that sbt-dynver can find the previous release version - run: git fetch --tags - - uses: actions/setup-java@v4 + - uses: actions/setup-java@v5 with: java-version: 11 distribution: adopt diff --git a/.scalafmt.conf b/.scalafmt.conf index e8563baf..d30b0537 100644 --- a/.scalafmt.conf +++ b/.scalafmt.conf @@ -1,4 +1,4 @@ -version = 3.9.8 +version = 3.10.3 project.layout = StandardConvention runner.dialect = scala3 maxColumn = 100 diff --git a/build.sbt b/build.sbt index 135145fd..4d72279e 100644 --- a/build.sbt +++ b/build.sbt @@ -1,11 +1,9 @@ Global / onChangedBuildSource := ReloadOnSourceChanges // For performance testing, ensure each test run one-by-one -Global / concurrentRestrictions := Seq( - Tags.limit(Tags.Test, 1) -) +Global / concurrentRestrictions := Seq(Tags.limit(Tags.Test, 1)) -val AIRFRAME_VERSION = "2025.1.14" +val AIRFRAME_VERSION = "2025.1.22" // Use dynamic snapshot version strings for non tagged versions ThisBuild / dynverSonatypeSnapshots := true @@ -15,37 +13,65 @@ ThisBuild / dynverSeparator := "-" // Publishing metadata ThisBuild / homepage := Some(url("https://msgpack.org/")) ThisBuild / licenses := Seq("Apache-2.0" -> url("http://www.apache.org/licenses/LICENSE-2.0.txt")) -ThisBuild / scmInfo := Some( - ScmInfo( - url("https://github.com/msgpack/msgpack-java"), - "scm:git@github.com:msgpack/msgpack-java.git" +ThisBuild / scmInfo := + Some( + ScmInfo( + url("https://github.com/msgpack/msgpack-java"), + "scm:git@github.com:msgpack/msgpack-java.git" + ) ) -) -ThisBuild / developers := List( - Developer(id = "frsyuki", name = "Sadayuki Furuhashi", email = "frsyuki@users.sourceforge.jp", url = url("https://github.com/frsyuki")), - Developer(id = "muga", name = "Muga Nishizawa", email = "muga.nishizawa@gmail.com", url = url("https://github.com/muga")), - Developer(id = "oza", name = "Tsuyoshi Ozawa", email = "ozawa.tsuyoshi@gmail.com", url = url("https://github.com/oza")), - Developer(id = "komamitsu", name = "Mitsunori Komatsu", email = "komamitsu@gmail.com", url = url("https://github.com/komamitsu")), - Developer(id = "xerial", name = "Taro L. Saito", email = "leo@xerial.org", url = url("https://github.com/xerial")) -) +ThisBuild / developers := + List( + Developer( + id = "frsyuki", + name = "Sadayuki Furuhashi", + email = "frsyuki@users.sourceforge.jp", + url = url("https://github.com/frsyuki") + ), + Developer( + id = "muga", + name = "Muga Nishizawa", + email = "muga.nishizawa@gmail.com", + url = url("https://github.com/muga") + ), + Developer( + id = "oza", + name = "Tsuyoshi Ozawa", + email = "ozawa.tsuyoshi@gmail.com", + url = url("https://github.com/oza") + ), + Developer( + id = "komamitsu", + name = "Mitsunori Komatsu", + email = "komamitsu@gmail.com", + url = url("https://github.com/komamitsu") + ), + Developer( + id = "xerial", + name = "Taro L. Saito", + email = "leo@xerial.org", + url = url("https://github.com/xerial") + ) + ) -val buildSettings = Seq[Setting[_]]( - organization := "org.msgpack", - organizationName := "MessagePack", +val buildSettings = Seq[Setting[?]]( + organization := "org.msgpack", + organizationName := "MessagePack", organizationHomepage := Some(url("http://msgpack.org/")), - description := "MessagePack for Java", - scalaVersion := "3.7.1", - Test / logBuffered := false, + description := "MessagePack for Java", + scalaVersion := "3.7.1", + Test / logBuffered := false, // msgpack-java should be a pure-java library, so remove Scala specific configurations - autoScalaLibrary := false, - crossPaths := false, + autoScalaLibrary := false, + crossPaths := false, publishMavenStyle := true, // JVM options for building scalacOptions ++= Seq("-encoding", "UTF-8", "-deprecation", "-unchecked", "-feature"), Test / javaOptions ++= Seq("-ea"), javacOptions ++= Seq("-source", "1.8", "-target", "1.8"), - Compile / compile / javacOptions ++= Seq("-encoding", "UTF-8", "-Xlint:unchecked", "-Xlint:deprecation"), + Compile / compile / javacOptions ++= + Seq("-encoding", "UTF-8", "-Xlint:unchecked", "-Xlint:deprecation"), // Use lenient validation mode when generating Javadoc (for Java8) doc / javacOptions := { val opts = Seq("-source", "1.8") @@ -58,18 +84,22 @@ val buildSettings = Seq[Setting[_]]( // Add sonatype repository settings publishTo := { val centralSnapshots = "https://central.sonatype.com/repository/maven-snapshots/" - if (isSnapshot.value) Some("central-snapshots" at centralSnapshots) - else localStaging.value + if (isSnapshot.value) + Some("central-snapshots" at centralSnapshots) + else + localStaging.value }, // Style check config: (sbt-jchekcstyle) jcheckStyleConfig := "facebook", // Run jcheckstyle both for main and test codes - Compile / compile := ((Compile / compile) dependsOn (Compile / jcheckStyle)).value, - Test / compile := ((Test / compile) dependsOn (Test / jcheckStyle)).value + Compile / compile := + ((Compile / compile) dependsOn (Compile / jcheckStyle)).value, + Test / compile := + ((Test / compile) dependsOn (Test / jcheckStyle)).value ) -val junitJupiter = "org.junit.jupiter" % "junit-jupiter" % "5.11.4" % "test" -val junitVintage = "org.junit.vintage" % "junit-vintage-engine" % "5.11.4" % "test" +val junitJupiter = "org.junit.jupiter" % "junit-jupiter" % "5.14.1" % "test" +val junitVintage = "org.junit.vintage" % "junit-vintage-engine" % "5.14.1" % "test" // Project settings lazy val root = Project(id = "msgpack-java", base = file(".")) @@ -77,8 +107,8 @@ lazy val root = Project(id = "msgpack-java", base = file(".")) buildSettings, // Do not publish the root project publishArtifact := false, - publish := {}, - publishLocal := {} + publish := {}, + publishLocal := {} ) .aggregate(msgpackCore, msgpackJackson) @@ -86,58 +116,58 @@ lazy val msgpackCore = Project(id = "msgpack-core", base = file("msgpack-core")) .enablePlugins(SbtOsgi) .settings( buildSettings, - description := "Core library of the MessagePack for Java", + description := "Core library of the MessagePack for Java", OsgiKeys.bundleSymbolicName := "org.msgpack.msgpack-core", - OsgiKeys.exportPackage := Seq( - // TODO enumerate used packages automatically - "org.msgpack.core", - "org.msgpack.core.annotations", - "org.msgpack.core.buffer", - "org.msgpack.value", - "org.msgpack.value.impl" - ), + OsgiKeys.exportPackage := + Seq( + // TODO enumerate used packages automatically + "org.msgpack.core", + "org.msgpack.core.annotations", + "org.msgpack.core.buffer", + "org.msgpack.value", + "org.msgpack.value.impl" + ), testFrameworks += new TestFramework("wvlet.airspec.Framework"), - Test / javaOptions ++= Seq( - // --add-opens is not available in JDK8 - "-XX:+IgnoreUnrecognizedVMOptions", - "--add-opens=java.base/java.nio=ALL-UNNAMED", - "--add-opens=java.base/sun.nio.ch=ALL-UNNAMED" - ), + Test / javaOptions ++= + Seq( + // --add-opens is not available in JDK8 + "-XX:+IgnoreUnrecognizedVMOptions", + "--add-opens=java.base/java.nio=ALL-UNNAMED", + "--add-opens=java.base/sun.nio.ch=ALL-UNNAMED" + ), Test / fork := true, - libraryDependencies ++= Seq( - // msgpack-core should have no external dependencies - junitJupiter, - junitVintage, - "org.wvlet.airframe" %% "airframe-json" % AIRFRAME_VERSION % "test", - "org.wvlet.airframe" %% "airspec" % AIRFRAME_VERSION % "test", - // Add property testing support with forAll methods - "org.scalacheck" %% "scalacheck" % "1.18.1" % "test", - // For performance comparison with msgpack v6 - "org.msgpack" % "msgpack" % "0.6.12" % "test", - // For integration test with Akka - "com.typesafe.akka" %% "akka-actor" % "2.6.20" % "test", - "org.scala-lang.modules" %% "scala-collection-compat" % "2.13.0" % "test" - ) + libraryDependencies ++= + Seq( + // msgpack-core should have no external dependencies + junitJupiter, + junitVintage, + "org.wvlet.airframe" %% "airframe-json" % AIRFRAME_VERSION % "test", + "org.wvlet.airframe" %% "airspec" % AIRFRAME_VERSION % "test", + // Add property testing support with forAll methods + "org.scalacheck" %% "scalacheck" % "1.19.0" % "test", + // For performance comparison with msgpack v6 + "org.msgpack" % "msgpack" % "0.6.12" % "test", + // For integration test with Akka + "com.typesafe.akka" %% "akka-actor" % "2.6.20" % "test", + "org.scala-lang.modules" %% "scala-collection-compat" % "2.14.0" % "test" + ) ) -lazy val msgpackJackson = - Project(id = "msgpack-jackson", base = file("msgpack-jackson")) - .enablePlugins(SbtOsgi) - .settings( - buildSettings, - name := "jackson-dataformat-msgpack", - description := "Jackson extension that adds support for MessagePack", - OsgiKeys.bundleSymbolicName := "org.msgpack.msgpack-jackson", - OsgiKeys.exportPackage := Seq( - "org.msgpack.jackson", - "org.msgpack.jackson.dataformat" - ), - libraryDependencies ++= Seq( +lazy val msgpackJackson = Project(id = "msgpack-jackson", base = file("msgpack-jackson")) + .enablePlugins(SbtOsgi) + .settings( + buildSettings, + name := "jackson-dataformat-msgpack", + description := "Jackson extension that adds support for MessagePack", + OsgiKeys.bundleSymbolicName := "org.msgpack.msgpack-jackson", + OsgiKeys.exportPackage := Seq("org.msgpack.jackson", "org.msgpack.jackson.dataformat"), + libraryDependencies ++= + Seq( "com.fasterxml.jackson.core" % "jackson-databind" % "2.18.4", junitJupiter, junitVintage, "org.apache.commons" % "commons-math3" % "3.6.1" % "test" ), - testOptions += Tests.Argument(TestFrameworks.JUnit, "-v") - ) - .dependsOn(msgpackCore) + testOptions += Tests.Argument(TestFrameworks.JUnit, "-v") + ) + .dependsOn(msgpackCore) diff --git a/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java b/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java index 5a9a1a63..5819f6c2 100644 --- a/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java +++ b/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java @@ -26,6 +26,8 @@ import java.io.Closeable; import java.io.IOException; import java.math.BigInteger; +import java.util.ArrayList; +import java.util.List; import java.nio.ByteBuffer; import java.nio.CharBuffer; import java.nio.charset.CharacterCodingException; @@ -150,6 +152,14 @@ public class MessageUnpacker { private static final MessageBuffer EMPTY_BUFFER = MessageBuffer.wrap(new byte[0]); + /** + * Threshold for switching from upfront allocation to gradual allocation. + * Payloads up to this size use efficient upfront allocation. + * Payloads exceeding this size use gradual allocation to detect malicious files + * that declare large payload sizes but contain little actual data. + */ + private static final int GRADUAL_ALLOCATION_THRESHOLD = 64 * 1024 * 1024; // 64 MB + private final boolean allowReadingStringAsBinary; private final boolean allowReadingBinaryAsString; private final CodingErrorAction actionOnMalformedString; @@ -1637,18 +1647,85 @@ public void readPayload(byte[] dst) * This method allocates a new byte array and consumes specified amount of bytes into the byte array. * *

- * This method is equivalent to readPayload(new byte[length]). + * For sizes up to {@link #GRADUAL_ALLOCATION_THRESHOLD}, this method uses efficient upfront allocation. + * For larger sizes, it uses gradual allocation to protect against malicious files that declare + * large payload sizes but contain little actual data. * * @param length number of bytes to be read * @return the new byte array * @throws IOException when underlying input throws IOException + * @throws MessageSizeException when the input ends before the declared size is reached (for large payloads) */ public byte[] readPayload(int length) throws IOException { - byte[] newArray = new byte[length]; - readPayload(newArray); - return newArray; + if (length <= GRADUAL_ALLOCATION_THRESHOLD) { + // Small/moderate size: use efficient upfront allocation + byte[] newArray = new byte[length]; + readPayload(newArray); + return newArray; + } + + // Large declared size: use gradual allocation to protect against malicious files + return readPayloadGradually(length); + } + + /** + * Read payload gradually, allocating memory only as data becomes available. + * This method protects against malicious files that declare large payload sizes + * but contain little actual data. + * + * @param declaredLength the declared payload length + * @return the payload bytes + * @throws IOException when underlying input throws IOException + * @throws MessageSizeException when the input ends before the declared size is reached + */ + private byte[] readPayloadGradually(int declaredLength) + throws IOException + { + List chunks = new ArrayList<>(); + int totalRead = 0; + int remaining = declaredLength; + + while (remaining > 0) { + int bufferRemaining = buffer.size() - position; + if (bufferRemaining == 0) { + // Need more data from input + MessageBuffer next = in.next(); + if (next == null) { + // Input ended before we read the declared size + throw new MessageSizeException( + String.format("Payload declared %,d bytes but input ended after %,d bytes", + declaredLength, totalRead), + declaredLength); + } + totalReadBytes += buffer.size(); + buffer = next; + position = 0; + bufferRemaining = buffer.size(); + } + + int toRead = Math.min(remaining, bufferRemaining); + byte[] chunk = new byte[toRead]; + buffer.getBytes(position, chunk, 0, toRead); + chunks.add(chunk); + totalRead += toRead; + position += toRead; + remaining -= toRead; + } + + // All data verified to exist - combine chunks into result + if (chunks.size() == 1) { + return chunks.get(0); // Common case: single chunk, no copy needed + } + + byte[] result = new byte[declaredLength]; + int offset = 0; + for (byte[] chunk : chunks) { + System.arraycopy(chunk, 0, result, offset, chunk.length); + offset += chunk.length; + } + return result; } /** diff --git a/msgpack-core/src/test/scala/org/msgpack/core/MessagePackSpec.scala b/msgpack-core/src/test/scala/org/msgpack/core/MessagePackSpec.scala index 135c4921..21080f65 100644 --- a/msgpack-core/src/test/scala/org/msgpack/core/MessagePackSpec.scala +++ b/msgpack-core/src/test/scala/org/msgpack/core/MessagePackSpec.scala @@ -16,7 +16,8 @@ package org.msgpack.core import wvlet.log.LogLevel -import wvlet.log.io.{TimeReport, Timer} +import wvlet.log.io.TimeReport +import wvlet.log.io.Timer import java.io.ByteArrayOutputStream diff --git a/msgpack-core/src/test/scala/org/msgpack/core/MessagePackTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/MessagePackTest.scala index b5541393..16236c65 100644 --- a/msgpack-core/src/test/scala/org/msgpack/core/MessagePackTest.scala +++ b/msgpack-core/src/test/scala/org/msgpack/core/MessagePackTest.scala @@ -15,18 +15,23 @@ // package org.msgpack.core -import org.msgpack.core.MessagePack.{Code, PackerConfig, UnpackerConfig} +import org.msgpack.core.MessagePack.Code +import org.msgpack.core.MessagePack.PackerConfig +import org.msgpack.core.MessagePack.UnpackerConfig import org.msgpack.core.MessagePackSpec.toHex -import org.msgpack.value.{Value, Variable} +import org.msgpack.value.Value +import org.msgpack.value.Variable import org.scalacheck.Prop.propBoolean -import org.scalacheck.{Arbitrary, Gen} +import org.scalacheck.Arbitrary +import org.scalacheck.Gen import wvlet.airspec.AirSpec import wvlet.airspec.spi.PropertyCheck import java.io.ByteArrayOutputStream import java.math.BigInteger import java.nio.CharBuffer -import java.nio.charset.{CodingErrorAction, UnmappableCharacterException} +import java.nio.charset.CodingErrorAction +import java.nio.charset.UnmappableCharacterException import java.time.Instant import scala.util.Random diff --git a/msgpack-core/src/test/scala/org/msgpack/core/MessagePackerTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/MessagePackerTest.scala index 7ff5d82e..e31853ab 100644 --- a/msgpack-core/src/test/scala/org/msgpack/core/MessagePackerTest.scala +++ b/msgpack-core/src/test/scala/org/msgpack/core/MessagePackerTest.scala @@ -16,12 +16,16 @@ package org.msgpack.core import org.msgpack.core.MessagePack.PackerConfig -import org.msgpack.core.buffer.{ChannelBufferOutput, OutputStreamBufferOutput} +import org.msgpack.core.buffer.ChannelBufferOutput +import org.msgpack.core.buffer.OutputStreamBufferOutput import org.msgpack.value.ValueFactory import wvlet.airspec.AirSpec import wvlet.log.io.IOUtil.withResource -import java.io.{ByteArrayOutputStream, File, FileInputStream, FileOutputStream} +import java.io.ByteArrayOutputStream +import java.io.File +import java.io.FileInputStream +import java.io.FileOutputStream import scala.util.Random /** diff --git a/msgpack-core/src/test/scala/org/msgpack/core/MessageUnpackerTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/MessageUnpackerTest.scala index adab4708..bf43591a 100644 --- a/msgpack-core/src/test/scala/org/msgpack/core/MessageUnpackerTest.scala +++ b/msgpack-core/src/test/scala/org/msgpack/core/MessageUnpackerTest.scala @@ -15,7 +15,8 @@ // package org.msgpack.core -import org.msgpack.core.MessagePackSpec.{createMessagePackData, toHex} +import org.msgpack.core.MessagePackSpec.createMessagePackData +import org.msgpack.core.MessagePackSpec.toHex import org.msgpack.core.buffer.* import org.msgpack.value.ValueType import wvlet.airspec.AirSpec @@ -67,8 +68,8 @@ class MessageUnpackerTest extends AirSpec with Benchmark: private val intSeq = ( - for (i <- 0 until 100) - yield Random.nextInt() + for i <- 0 until 100 + yield Random.nextInt() ).toArray[Int] private def testData2: Array[Byte] = diff --git a/msgpack-core/src/test/scala/org/msgpack/core/PayloadSizeLimitTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/PayloadSizeLimitTest.scala new file mode 100644 index 00000000..7f454c85 --- /dev/null +++ b/msgpack-core/src/test/scala/org/msgpack/core/PayloadSizeLimitTest.scala @@ -0,0 +1,116 @@ +package org.msgpack.core + +import wvlet.airspec.AirSpec + +import java.nio.ByteBuffer + +class PayloadSizeLimitTest extends AirSpec: + + test("detects malicious EXT32 file with huge declared size but tiny actual data") { + // Craft a malicious EXT32 header: + // 0xC9 = EXT32 format + // 4 bytes = declared length (100MB, which exceeds 64MB threshold) + // 1 byte = extension type + // followed by only 1 byte of actual data (not 100MB) + val declaredLength = 100 * 1024 * 1024 // 100 MB + val buffer = ByteBuffer.allocate(7) // header(1) + length(4) + type(1) + data(1) + buffer.put(0xc9.toByte) // EXT32 format code + buffer.putInt(declaredLength) // declared length (big-endian) + buffer.put(0x01.toByte) // extension type + buffer.put(0x41.toByte) // only 1 byte of actual data + val maliciousData = buffer.array() + + val unpacker = MessagePack.newDefaultUnpacker(maliciousData) + + // Should throw MessageSizeException because the declared size exceeds actual data + intercept[MessageSizeException] { + unpacker.unpackValue() + } + } + + test("detects malicious BIN32 file with huge declared size but tiny actual data") { + // Craft a malicious BIN32 header: + // 0xC6 = BIN32 format + // 4 bytes = declared length (100MB, which exceeds 64MB threshold) + // followed by only 1 byte of actual data (not 100MB) + val declaredLength = 100 * 1024 * 1024 // 100 MB + val buffer = ByteBuffer.allocate(6) // header(1) + length(4) + data(1) + buffer.put(0xc6.toByte) // BIN32 format code + buffer.putInt(declaredLength) // declared length (big-endian) + buffer.put(0x41.toByte) // only 1 byte of actual data + val maliciousData = buffer.array() + + val unpacker = MessagePack.newDefaultUnpacker(maliciousData) + + // Should throw MessageSizeException because the declared size exceeds actual data + intercept[MessageSizeException] { + unpacker.unpackValue() + } + } + + test("legitimate extension data works correctly") { + val packer = MessagePack.newDefaultBufferPacker() + val testData = Array.fill[Byte](1000)(0x42) + packer.packExtensionTypeHeader(0x01.toByte, testData.length) + packer.writePayload(testData) + val msgpack = packer.toByteArray + + val unpacker = MessagePack.newDefaultUnpacker(msgpack) + val value = unpacker.unpackValue() + + assert(value.isExtensionValue) + assert(value.asExtensionValue().getData.length == 1000) + } + + test("legitimate binary data works correctly") { + val packer = MessagePack.newDefaultBufferPacker() + val testData = Array.fill[Byte](1000)(0x42) + packer.packBinaryHeader(testData.length) + packer.writePayload(testData) + val msgpack = packer.toByteArray + + val unpacker = MessagePack.newDefaultUnpacker(msgpack) + val value = unpacker.unpackValue() + + assert(value.isBinaryValue) + assert(value.asBinaryValue().asByteArray().length == 1000) + } + + test("readPayload directly with malicious size throws exception") { + // Test readPayload(int) directly with a malicious input + val declaredLength = 100 * 1024 * 1024 // 100 MB + val buffer = ByteBuffer.allocate(6) // header(1) + length(4) + data(1) + buffer.put(0xc6.toByte) // BIN32 format code + buffer.putInt(declaredLength) // declared length (big-endian) + buffer.put(0x41.toByte) // only 1 byte of actual data + val maliciousData = buffer.array() + + val unpacker = MessagePack.newDefaultUnpacker(maliciousData) + + // First, unpack the binary header to get the declared length + val len = unpacker.unpackBinaryHeader() + assert(len == declaredLength) + + // Then try to read the payload - should throw exception + intercept[MessageSizeException] { + unpacker.readPayload(len) + } + } + + test("small payloads under threshold work with upfront allocation") { + // Payloads under 64MB should use the efficient upfront allocation path + val packer = MessagePack.newDefaultBufferPacker() + val testData = Array.fill[Byte](10000)(0x42) // 10KB, well under threshold + packer.packBinaryHeader(testData.length) + packer.writePayload(testData) + val msgpack = packer.toByteArray + + val unpacker = MessagePack.newDefaultUnpacker(msgpack) + val len = unpacker.unpackBinaryHeader() + val payload = unpacker.readPayload(len) + + assert(payload.length == 10000) + assert(payload.forall(_ == 0x42.toByte)) + } + +end PayloadSizeLimitTest diff --git a/msgpack-core/src/test/scala/org/msgpack/core/buffer/MessageBufferInputTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/buffer/MessageBufferInputTest.scala index 5e6c1f96..0465aa69 100644 --- a/msgpack-core/src/test/scala/org/msgpack/core/buffer/MessageBufferInputTest.scala +++ b/msgpack-core/src/test/scala/org/msgpack/core/buffer/MessageBufferInputTest.scala @@ -22,9 +22,13 @@ import wvlet.log.io.IOUtil.withResource import java.io.* import java.net.InetSocketAddress import java.nio.ByteBuffer -import java.nio.channels.{ServerSocketChannel, SocketChannel} -import java.util.concurrent.{Callable, Executors, TimeUnit} -import java.util.zip.{GZIPInputStream, GZIPOutputStream} +import java.nio.channels.ServerSocketChannel +import java.nio.channels.SocketChannel +import java.util.concurrent.Callable +import java.util.concurrent.Executors +import java.util.concurrent.TimeUnit +import java.util.zip.GZIPInputStream +import java.util.zip.GZIPOutputStream import scala.util.Random class MessageBufferInputTest extends AirSpec: diff --git a/msgpack-core/src/test/scala/org/msgpack/value/ValueTypeTest.scala b/msgpack-core/src/test/scala/org/msgpack/value/ValueTypeTest.scala index 7b992f28..53707c99 100644 --- a/msgpack-core/src/test/scala/org/msgpack/value/ValueTypeTest.scala +++ b/msgpack-core/src/test/scala/org/msgpack/value/ValueTypeTest.scala @@ -16,7 +16,8 @@ package org.msgpack.value import org.msgpack.core.MessagePack.Code.* -import org.msgpack.core.{MessageFormat, MessageFormatException} +import org.msgpack.core.MessageFormat +import org.msgpack.core.MessageFormatException import wvlet.airspec.AirSpec /** diff --git a/msgpack-core/src/test/scala/org/msgpack/value/VariableTest.scala b/msgpack-core/src/test/scala/org/msgpack/value/VariableTest.scala index 2f3cbf9c..d4754e83 100644 --- a/msgpack-core/src/test/scala/org/msgpack/value/VariableTest.scala +++ b/msgpack-core/src/test/scala/org/msgpack/value/VariableTest.scala @@ -15,7 +15,9 @@ // package org.msgpack.value -import org.msgpack.core.{MessagePack, MessagePacker, MessageTypeCastException} +import org.msgpack.core.MessagePack +import org.msgpack.core.MessagePacker +import org.msgpack.core.MessageTypeCastException import wvlet.airspec.AirSpec import wvlet.airspec.spi.PropertyCheck diff --git a/project/build.properties b/project/build.properties index 138bc7a5..b1b10405 100755 --- a/project/build.properties +++ b/project/build.properties @@ -1,2 +1,2 @@ -sbt.version=1.11.3 +sbt.version=1.11.7 diff --git a/project/plugins.sbt b/project/plugins.sbt index 5bc49937..a7594c7a 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -1,10 +1,10 @@ -addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.3.1") +addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.3.1") // TODO: Fixes jacoco error: // java.lang.NoClassDefFoundError: Could not initialize class org.jacoco.core.internal.flow.ClassProbesAdapter //addSbtPlugin("com.github.sbt" % "sbt-jacoco" % "3.3.0") -addSbtPlugin("org.xerial.sbt" % "sbt-jcheckstyle" % "0.2.1") +addSbtPlugin("org.xerial.sbt" % "sbt-jcheckstyle" % "0.2.1") addSbtPlugin("com.github.sbt" % "sbt-osgi" % "0.10.0") -addSbtPlugin("org.scalameta" % "sbt-scalafmt" % "2.5.5") -addSbtPlugin("com.github.sbt" % "sbt-dynver" % "5.1.1") +addSbtPlugin("org.scalameta" % "sbt-scalafmt" % "2.5.6") +addSbtPlugin("com.github.sbt" % "sbt-dynver" % "5.1.1") scalacOptions ++= Seq("-deprecation", "-feature")