JSON IDs getting rounded up or down

RESOLVED INVALID

Status

Firefox
Untriaged
RESOLVED INVALID
10 months ago
10 months ago

People

(Reporter: Robert Butacu, Unassigned)

Tracking

55 Branch
Details

Attachments

(1 attachment)

(Reporter)

Description

10 months ago
Created attachment 8899423: mozillabug.PNG

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170814072924

Steps to reproduce:

Testing my API REST GET method in the Mozilla browser (using really large numbers like 599515301417369600, which are the IDs).

Actual results:

IDs are getting rounded up or rounded down depending on ID.
Example:
Mozilla ID: 599515301417369600
Actual ID: 599515301417369595.

Mozilla ID: 5127707187431753000 
Actual ID: 5127707187431752235


Expected results:

I should receive the ACTUAL IDs, not IDs that are rounded up or down.

Comment 1

10 months ago
Pretty clearly not a security bug.

You posted no code so it's hard to comment much more than saying "we can't help you unless you provide more detail, like a testcase or a link to your application where we can reproduce the problem".


However... without any more details, if I had to guess, the problem is that you're representing these IDs as numbers, and in JavaScript, integer numbers start losing precision at some point. This is why you see the rounding. See https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER for more details. As an example, taking 2786939033769194000, if you replace the last digits with anything else (e.g. 2786939033769194123) and evaluate it in the web console in the developer tools, you'll see the same rounding. Exactly the same happens in other browsers like Google Chrome, though, because this behaviour is part of the JS spec. You can check for this behaviour by using https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger .

I can only suggest you find a better representation of unique identifiers for your application (you could use strings, or you could change the IDs so they're not so large).
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → INVALID
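
The rounding discussed in Comment 1, shown as an added example that is not part of the original bug report or of any Mozilla code: a plain `JSON.parse` silently rounds the reporter's IDs, while a pre-pass over the raw text can list the integer literals that fail `Number.isSafeInteger` and keep them as strings. The helper name `quoteUnsafeIntegers` and the response body are assumptions constructed for illustration; the two large IDs are the "Actual ID" values from the report.

```javascript
// Constructed sample body (assumption); large IDs taken from the report.
const rawBody = '{"users":[{"id":599515301417369595,"name":"a"},' +
                '{"id":5127707187431752235,"name":"b"},{"id":42,"name":"c"}]}';

// Hypothetical helper: scan raw JSON text, leave string contents untouched,
// and wrap every plain integer literal that Number cannot hold exactly in
// quotes so that JSON.parse keeps all of its digits.
function quoteUnsafeIntegers(jsonText) {
  const number = /-?\d+(\.\d+)?([eE][+-]?\d+)?/y; // sticky: match at lastIndex only
  const unsafe = [];
  let out = '';
  let i = 0;
  while (i < jsonText.length) {
    if (jsonText[i] === '"') {
      // Copy a whole string literal verbatim, honouring backslash escapes.
      let end = i + 1;
      while (end < jsonText.length && jsonText[end] !== '"') {
        end += jsonText[end] === '\\' ? 2 : 1;
      }
      out += jsonText.slice(i, end + 1);
      i = end + 1;
      continue;
    }
    number.lastIndex = i;
    const m = number.exec(jsonText);
    if (m === null) {          // punctuation, whitespace, true/false/null
      out += jsonText[i++];
      continue;
    }
    const isPlainInteger = m[1] === undefined && m[2] === undefined;
    if (isPlainInteger && !Number.isSafeInteger(Number(m[0]))) {
      unsafe.push(m[0]);       // report the literal exactly as sent
      out += '"' + m[0] + '"';
    } else {
      out += m[0];
    }
    i += m[0].length;
  }
  return { unsafe, value: JSON.parse(out) };
}

const { unsafe, value } = quoteUnsafeIntegers(rawBody);
console.log('plain JSON.parse:', JSON.parse(rawBody).users[0].id); // rounded Number
console.log('unsafe literals :', unsafe);
console.log('preserved as str:', value.users[0].id, BigInt(value.users[0].id));
```
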