Currently, the implementations of immutable HashMap/HashSet are vulnerable to hash-collision-based attacks. They are also selected as the default implementations for Map/Set and are widely used under the hood for some operations on Scala collections: toMap, toSet, keySet, keys, distinct, groupBy, etc.
In 2003, Crosby and Wallach wrote an excellent paper demonstrating a new form of Denial of Service vulnerability against applications by abusing algorithmic complexity in the data structures that they depend on: http://static.usenix.org/event/sec03/tech/full_papers/crosby/crosby_html/
In 2011, Alexander Klink and Julian demonstrated this form of attack against web servers that take attacker-provided HTTP headers and represent them internally as hashtables:
https://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
In 2018, James Roper opened a security issue against HashMap, but it was closed with a won't fix resolution - only the mutable CollisionProofHashMap was added for Scala 2.13.x (without backporting to Scala 2.12.x):
Do we have a possibility to fix the problem for Scala 2 or Scala 3?
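
An added example, not part of the original post and not code from the Scala project: one defensive pattern for attacker-supplied keys is to bound the input and index it into an ordered TreeMap, whose lookups cost O(log n) comparisons regardless of hashCode values. The object and method names and the maxKeys/maxPerHash limits are assumptions made for illustration; the sample keys are constructed.

```scala
import scala.collection.immutable.{TreeMap, TreeSet}

object UntrustedKeys {
  // Constructed sample: "Aa" and "BB" have the same String.hashCode, so the
  // first four keys below all share one hash value.
  val constructedKeys: Seq[String] =
    Seq("AaAa", "AaBB", "BBAa", "BBBB", "host", "accept")

  /** Largest number of distinct keys sharing one hashCode. Only ordered
    * collections are used, so the check itself does not depend on hashing. */
  def maxCollisionGroup(keys: Iterable[String]): Int = {
    val distinctKeys = TreeSet.empty[String] ++ keys
    val perHash = distinctKeys.foldLeft(TreeMap.empty[Int, Int]) { (acc, k) =>
      acc.updated(k.hashCode, acc.getOrElse(k.hashCode, 0) + 1)
    }
    if (perHash.isEmpty) 0 else perHash.values.max
  }

  /** Index untrusted pairs into a TreeMap (ordered by key) after bounding
    * their number and their collision rate. maxKeys and maxPerHash are
    * hypothetical limits; choose them per application. */
  def indexUntrusted(
      pairs: Seq[(String, String)],
      maxKeys: Int,
      maxPerHash: Int
  ): Either[String, TreeMap[String, String]] =
    if (pairs.size > maxKeys)
      Left(s"rejected: ${pairs.size} keys exceeds limit of $maxKeys")
    else {
      val worst = maxCollisionGroup(pairs.map(_._1))
      if (worst > maxPerHash) Left(s"rejected: $worst keys share one hashCode")
      else Right(TreeMap(pairs: _*))
    }

  def main(args: Array[String]): Unit = {
    val pairs = constructedKeys.map(k => k -> "value")
    println(s"largest collision group: ${maxCollisionGroup(constructedKeys)}")
    // A strict limit rejects the constructed batch; a looser one accepts it.
    println(indexUntrusted(pairs, maxKeys = 100, maxPerHash = 3))
    println(indexUntrusted(pairs, maxKeys = 100, maxPerHash = 8).map(_.keys.toList))
  }
}
```

The code uses only APIs present in both Scala 2.12 and 2.13; on 2.13, the mutable CollisionProofHashMap mentioned in the post is an alternative when a mutable map is acceptable.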