Handle number overflow during parsing of min/max values

Robulane · Robulane · commit 4bc07e32ac33 · 2023-11-22T16:30:02.000+01:00
diff --git a/src/Microsoft.OpenApi.Readers/ParseNodes/ParserHelper.cs b/src/Microsoft.OpenApi.Readers/ParseNodes/ParserHelper.cs
@@ -0,0 +1,35 @@
+﻿// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+
+using System;
+using System.Globalization;
+
+namespace Microsoft.OpenApi.Readers.ParseNodes
+{
+    /// <summary>
+    /// Useful tools to parse data
+    /// </summary>
+    internal class ParserHelper
+    {
+        /// <summary>
+        /// Parses decimal in invariant culture.
+        /// If the decimal is too big or small, it returns the default value
+        /// 
+        /// Note: sometimes developers put Double.MaxValue or Long.MaxValue as min/max values for numbers in json schema even if their numbers are not expected to be that big/small.
+        /// As we have already released the library with Decimal type for Max/Min, let's not introduce the breaking change and just fallback to Decimal.Max / Min. This should satisfy almost every scenario.
+        /// We can revisit this if somebody really needs to have double or long here.
+        /// </summary>
+        /// <returns></returns>
+        public static decimal ParseDecimalWithFallbackOnOverflow(string value, decimal defaultValue)
+        {
+            try
+            {
+                return decimal.Parse(value, NumberStyles.Float, CultureInfo.InvariantCulture);
+            }
+            catch (OverflowException)
+            {
+                return defaultValue;
+            }
+        }
+    }
+}
diff --git a/src/Microsoft.OpenApi.Readers/V2/OpenApiHeaderDeserializer.cs b/src/Microsoft.OpenApi.Readers/V2/OpenApiHeaderDeserializer.cs
@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+﻿// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT license.
 
 using System;
@@ -44,15 +44,15 @@ internal static partial class OpenApiV2Deserializer
             },
             {
                 "maximum",
-                (o, n) => GetOrCreateSchema(o).Maximum = decimal.Parse(n.GetScalarValue(), CultureInfo.InvariantCulture)
+                (o, n) => GetOrCreateSchema(o).Maximum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MaxValue)
             },
             {
                 "exclusiveMaximum",
                 (o, n) => GetOrCreateSchema(o).ExclusiveMaximum = bool.Parse(n.GetScalarValue())
             },
             {
                 "minimum",
-                (o, n) => GetOrCreateSchema(o).Minimum = decimal.Parse(n.GetScalarValue(), CultureInfo.InvariantCulture)
+                (o, n) => GetOrCreateSchema(o).Minimum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MinValue)
             },
             {
                 "exclusiveMinimum",
diff --git a/src/Microsoft.OpenApi.Readers/V2/OpenApiParameterDeserializer.cs b/src/Microsoft.OpenApi.Readers/V2/OpenApiParameterDeserializer.cs
@@ -61,11 +61,11 @@ internal static partial class OpenApiV2Deserializer
                 },
                 {
                     "minimum",
-                    (o, n) => GetOrCreateSchema(o).Minimum = decimal.Parse(n.GetScalarValue(), CultureInfo.InvariantCulture)
+                    (o, n) => GetOrCreateSchema(o).Minimum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MinValue)
                 },
                 {
                     "maximum",
-                    (o, n) => GetOrCreateSchema(o).Maximum = decimal.Parse(n.GetScalarValue(), CultureInfo.InvariantCulture)
+                    (o, n) => GetOrCreateSchema(o).Maximum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MaxValue)
                 },
                 {
                     "maxLength",
diff --git a/src/Microsoft.OpenApi.Readers/V2/OpenApiSchemaDeserializer.cs b/src/Microsoft.OpenApi.Readers/V2/OpenApiSchemaDeserializer.cs
@@ -27,15 +27,15 @@ internal static partial class OpenApiV2Deserializer
             },
             {
                 "maximum",
-                (o, n) => o.Maximum = decimal.Parse(n.GetScalarValue(), NumberStyles.Float, CultureInfo.InvariantCulture)
+                (o, n) => o.Maximum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MaxValue)
             },
             {
                 "exclusiveMaximum",
                 (o, n) => o.ExclusiveMaximum = bool.Parse(n.GetScalarValue())
             },
             {
                 "minimum",
-                (o, n) => o.Minimum = decimal.Parse(n.GetScalarValue(), NumberStyles.Float, CultureInfo.InvariantCulture)
+                (o, n) => o.Minimum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MinValue)
             },
             {
                 "exclusiveMinimum",
diff --git a/src/Microsoft.OpenApi.Readers/V3/OpenApiSchemaDeserializer.cs b/src/Microsoft.OpenApi.Readers/V3/OpenApiSchemaDeserializer.cs
@@ -27,15 +27,15 @@ internal static partial class OpenApiV3Deserializer
             },
             {
                 "maximum",
-                (o, n) => o.Maximum = decimal.Parse(n.GetScalarValue(), NumberStyles.Float, CultureInfo.InvariantCulture)
+                (o, n) => o.Maximum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MaxValue)
             },
             {
                 "exclusiveMaximum",
                 (o, n) => o.ExclusiveMaximum = bool.Parse(n.GetScalarValue())
             },
             {
                 "minimum",
-                (o, n) => o.Minimum = decimal.Parse(n.GetScalarValue(), NumberStyles.Float, CultureInfo.InvariantCulture)
+                (o, n) => o.Minimum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MinValue)
             },
             {
                 "exclusiveMinimum",
diff --git a/test/Microsoft.OpenApi.Readers.Tests/ParseNodes/ParserHelperTests.cs b/test/Microsoft.OpenApi.Readers.Tests/ParseNodes/ParserHelperTests.cs
@@ -0,0 +1,24 @@
+﻿// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT license.
+
+using Microsoft.OpenApi.Readers.ParseNodes;
+using Xunit;
+
+namespace Microsoft.OpenApi.Readers.Tests.ParseNodes
+{
+    [Collection("DefaultSettings")]
+    public class ParserHelperTests
+    {
+        [Fact]
+        public void ParseDecimalWithFallbackOnOverflow_ReturnsParsedValue()
+        {
+            Assert.Equal(23434, ParserHelper.ParseDecimalWithFallbackOnOverflow("23434", 10));
+        }
+
+        [Fact]
+        public void ParseDecimalWithFallbackOnOverflow_Overflows_ReturnsFallback()
+        {
+            Assert.Equal(10, ParserHelper.ParseDecimalWithFallbackOnOverflow(double.MaxValue.ToString(), 10));
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright (c) Microsoft Corporation. All rights reserved.`
	`1`	`+// Copyright (c) Microsoft Corporation. All rights reserved.`
`2`	`2`	`// Licensed under the MIT license.`
`3`	`3`
`4`	`4`	`using System;`
`@@ -44,15 +44,15 @@ internal static partial class OpenApiV2Deserializer`
`44`	`44`	`},`
`45`	`45`	`{`
`46`	`46`	`"maximum",`
`47`		`- (o, n) => GetOrCreateSchema(o).Maximum = decimal.Parse(n.GetScalarValue(), CultureInfo.InvariantCulture)`
	`47`	`+ (o, n) => GetOrCreateSchema(o).Maximum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MaxValue)`
`48`	`48`	`},`
`49`	`49`	`{`
`50`	`50`	`"exclusiveMaximum",`
`51`	`51`	`(o, n) => GetOrCreateSchema(o).ExclusiveMaximum = bool.Parse(n.GetScalarValue())`
`52`	`52`	`},`
`53`	`53`	`{`
`54`	`54`	`"minimum",`
`55`		`- (o, n) => GetOrCreateSchema(o).Minimum = decimal.Parse(n.GetScalarValue(), CultureInfo.InvariantCulture)`
	`55`	`+ (o, n) => GetOrCreateSchema(o).Minimum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MinValue)`
`56`	`56`	`},`
`57`	`57`	`{`
`58`	`58`	`"exclusiveMinimum",`
Original file line number	Diff line number	Diff line change
`@@ -61,11 +61,11 @@ internal static partial class OpenApiV2Deserializer`
`61`	`61`	`},`
`62`	`62`	`{`
`63`	`63`	`"minimum",`
`64`		`- (o, n) => GetOrCreateSchema(o).Minimum = decimal.Parse(n.GetScalarValue(), CultureInfo.InvariantCulture)`
	`64`	`+ (o, n) => GetOrCreateSchema(o).Minimum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MinValue)`
`65`	`65`	`},`
`66`	`66`	`{`
`67`	`67`	`"maximum",`
`68`		`- (o, n) => GetOrCreateSchema(o).Maximum = decimal.Parse(n.GetScalarValue(), CultureInfo.InvariantCulture)`
	`68`	`+ (o, n) => GetOrCreateSchema(o).Maximum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MaxValue)`
`69`	`69`	`},`
`70`	`70`	`{`
`71`	`71`	`"maxLength",`
Original file line number	Diff line number	Diff line change
`@@ -27,15 +27,15 @@ internal static partial class OpenApiV2Deserializer`
`27`	`27`	`},`
`28`	`28`	`{`
`29`	`29`	`"maximum",`
`30`		`- (o, n) => o.Maximum = decimal.Parse(n.GetScalarValue(), NumberStyles.Float, CultureInfo.InvariantCulture)`
	`30`	`+ (o, n) => o.Maximum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MaxValue)`
`31`	`31`	`},`
`32`	`32`	`{`
`33`	`33`	`"exclusiveMaximum",`
`34`	`34`	`(o, n) => o.ExclusiveMaximum = bool.Parse(n.GetScalarValue())`
`35`	`35`	`},`
`36`	`36`	`{`
`37`	`37`	`"minimum",`
`38`		`- (o, n) => o.Minimum = decimal.Parse(n.GetScalarValue(), NumberStyles.Float, CultureInfo.InvariantCulture)`
	`38`	`+ (o, n) => o.Minimum = ParserHelper.ParseDecimalWithFallbackOnOverflow(n.GetScalarValue(), decimal.MinValue)`
`39`	`39`	`},`
`40`	`40`	`{`
`41`	`41`	`"exclusiveMinimum",`