Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JS-185 Deeply nested ASTs should be de-serialized correctly #4762

Merged
merged 2 commits into from
Jul 29, 2024

Conversation

quentin-jaquier-sonarsource
Copy link
Contributor

@quentin-jaquier-sonarsource quentin-jaquier-sonarsource commented Jul 26, 2024

No description provided.

* It makes sense as a general default limit for protobuf users, but in our case, we are producing the input ourselves,
* and even if users are controlling the code, it is not a new security risk, as any analyzer would have to deal with the same limit.
*/
private static final int PROTOBUF_RECURSION_LIMIT = 300;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The onion benchmark worst case hits 90 layers (180 in terms of Protobuf messages).
Knowing that it is already "fake" code, I feel that if user-defined code ever hits 300, it is fair to not even try to do anything with it...

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, not limit will stop us 🚀
made one small nitpick comment, feel free to ignore it.

…/bridge/FormDataUtils.java

Co-authored-by: Renaud T. <125455319+renaud-tognelli-sonarsource@users.noreply.github.com>
@quentin-jaquier-sonarsource quentin-jaquier-sonarsource merged commit 32fb6e3 into master Jul 29, 2024
15 of 16 checks passed
@quentin-jaquier-sonarsource quentin-jaquier-sonarsource deleted the qj/JS-185 branch July 29, 2024 16:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants