Limit timestamp string length (#4382)

dagnir · web-flow · commit a22b527ea985 · 2023-09-01T13:35:30.000-07:00
* Limit timestamp string length

* Add test
diff --git a/utils/src/main/java/software/amazon/awssdk/utils/DateUtils.java b/utils/src/main/java/software/amazon/awssdk/utils/DateUtils.java
@@ -200,6 +200,8 @@ public static Instant parseUnixTimestampInstant(String dateString) throws Number
         if (dateString == null) {
             return null;
         }
+
+        validateTimestampLength(dateString);
         BigDecimal dateValue = new BigDecimal(dateString);
         return Instant.ofEpochMilli(dateValue.scaleByPowerOfTen(MILLI_SECOND_PRECISION).longValue());
     }
@@ -225,4 +227,13 @@ public static String formatUnixTimestampInstant(Instant instant) {
         return dateValue.scaleByPowerOfTen(0 - MILLI_SECOND_PRECISION)
                         .toPlainString();
     }
+
+    private static void validateTimestampLength(String timestamp) {
+        // Helps avoid BigDecimal parsing unnecessarily large numbers, since it's unbounded
+        // Long has a max value of 9,223,372,036,854,775,807, which is 19 digits. Assume that a valid timestamp is no
+        // no longer than 20 characters long (+1 for decimal)
+        if (timestamp.length() > 20) {
+            throw new RuntimeException("Input timestamp string must be no longer than 20 characters");
+        }
+    }
 }
diff --git a/utils/src/test/java/software/amazon/awssdk/utils/DateUtilsTest.java b/utils/src/test/java/software/amazon/awssdk/utils/DateUtilsTest.java
@@ -20,6 +20,7 @@
 import static java.time.format.DateTimeFormatter.ISO_OFFSET_DATE_TIME;
 import static java.time.format.DateTimeFormatter.RFC_1123_DATE_TIME;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static software.amazon.awssdk.utils.DateUtils.ALTERNATE_ISO_8601_DATE_FORMAT;
@@ -39,6 +40,8 @@
 import java.util.Locale;
 import java.util.TimeZone;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import org.junit.Test;
 
 public class DateUtilsTest {
@@ -295,4 +298,12 @@ public void testUnixTimestampRoundtrip() throws Exception {
               });
     }
 
+    @Test
+    public void parseUnixTimestampInstant_longerThan20Char_throws() {
+        String largeNum = Stream.generate(() -> "9").limit(21).collect(Collectors.joining());
+        assertThatThrownBy(() -> DateUtils.parseUnixTimestampInstant(largeNum))
+            .isInstanceOf(RuntimeException.class)
+            .hasMessageContaining("20");
+    }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -200,6 +200,8 @@ public static Instant parseUnixTimestampInstant(String dateString) throws Number`
`200`	`200`	`if (dateString == null) {`
`201`	`201`	`return null;`
`202`	`202`	`}`
	`203`	`+`
	`204`	`+ validateTimestampLength(dateString);`
`203`	`205`	`BigDecimal dateValue = new BigDecimal(dateString);`
`204`	`206`	`return Instant.ofEpochMilli(dateValue.scaleByPowerOfTen(MILLI_SECOND_PRECISION).longValue());`
`205`	`207`	`}`
`@@ -225,4 +227,13 @@ public static String formatUnixTimestampInstant(Instant instant) {`
`225`	`227`	`return dateValue.scaleByPowerOfTen(0 - MILLI_SECOND_PRECISION)`
`226`	`228`	`.toPlainString();`
`227`	`229`	`}`
	`230`	`+`
	`231`	`+ private static void validateTimestampLength(String timestamp) {`
	`232`	`+ // Helps avoid BigDecimal parsing unnecessarily large numbers, since it's unbounded`
	`233`	`+ // Long has a max value of 9,223,372,036,854,775,807, which is 19 digits. Assume that a valid timestamp is no`
	`234`	`+ // no longer than 20 characters long (+1 for decimal)`
	`235`	`+ if (timestamp.length() > 20) {`
	`236`	`+ throw new RuntimeException("Input timestamp string must be no longer than 20 characters");`
	`237`	`+ }`
	`238`	`+ }`
`228`	`239`	`}`