`serde_json::error::RecursionLimitExceeded` exists
At https://github.com/serde-rs/json/blob/7ca63e7d5acac348db55c4345cb199f9d658669f/src/error.rs#L240-L241:

```rust
/// Encountered nesting of JSON maps and arrays more than 128 layers deep.
RecursionLimitExceeded,
```
I feel this is possible to encounter in the wild in Matrix, unintentional or not, so ruma should be able to handle this sorta thing, I'd guess.
I don't really know what we could do about this 😕
I wonder whether Synapse / the Python lib it uses has similar limitations. One could try creating a test room and posting a custom event with a content like `{ "foo": [[[[[[[[[[[[<500 more pairs of brackets>]]]]]]]]]]]] }`.
`serde_json` has a feature flag called `unbounded_depth` that can be used to disable this limitation, but at least for homeservers that would open a super simple DoS attack vector.
Maybe we can provide the same feature flag as well? And then add it to any crate that uses serde. It'll be off by default, though for any homeserver or application that needs to enable it, it's there.
ref: https://github.com/serde-rs/json/pull/613
Noteworthy is the reference to https://source.chromium.org/gn/gn/+/master:src/base/json/json_reader.cc;l=18?q=kStackMaxDepth, which would at least be applicable for the CS API.
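Added example, not part of the thread and not ruma or serde_json code: if `unbounded_depth` were enabled as discussed above, a server could bound nesting itself with an iterative pre-check that uses no recursion, run on the raw body before parsing. `MAX_DEPTH`, `max_nesting_depth` and `nested_sample` are hypothetical names; 128 is taken from the doc comment quoted in the issue, and serde_json's exact boundary is not reproduced here.

```rust
// Added example: iterative nesting-depth check (hypothetical names throughout).
const MAX_DEPTH: usize = 128; // assumption: value from the quoted doc comment

/// Returns the deepest nesting of `{`/`[` in `input`, or Err(depth) as soon as
/// nesting exceeds `limit`. O(n) time, constant stack: hostile input cannot
/// overflow the stack of the checker itself.
fn max_nesting_depth(input: &[u8], limit: usize) -> Result<usize, usize> {
    let (mut depth, mut deepest) = (0usize, 0usize);
    let (mut in_string, mut escaped) = (false, false);
    for &b in input {
        if in_string {
            // Brackets inside string literals do not nest; track escapes so
            // that `\"` does not end the string early.
            if escaped {
                escaped = false;
            } else if b == b'\\' {
                escaped = true;
            } else if b == b'"' {
                in_string = false;
            }
            continue;
        }
        match b {
            b'"' => in_string = true,
            b'{' | b'[' => {
                depth += 1;
                if depth > limit {
                    return Err(depth); // stop early, do not scan the rest
                }
                deepest = deepest.max(depth);
            }
            // Unbalanced closers are left for the real parser to reject.
            b'}' | b']' => depth = depth.saturating_sub(1),
            _ => {}
        }
    }
    Ok(deepest)
}

/// Constructed sample: {"foo": [[[...]]]} with `pairs` pairs of brackets.
fn nested_sample(pairs: usize) -> Vec<u8> {
    format!("{{\"foo\": {}{}}}", "[".repeat(pairs), "]".repeat(pairs)).into_bytes()
}

fn main() {
    println!("{:?}", max_nesting_depth(&nested_sample(10), MAX_DEPTH));
    println!("{:?}", max_nesting_depth(&nested_sample(512), MAX_DEPTH));
}
```

The check only bounds depth; it does not validate the JSON, so the body still goes through the normal parser afterwards.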