Skip to content

TOML: check nesting depth (CVE-2023-3894) #398

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Mar 7, 2023
Merged

TOML: check nesting depth (CVE-2023-3894) #398

merged 5 commits into from
Mar 7, 2023

Conversation

@pjfanning
Copy link
Member

@pjfanning pjfanning commented Mar 7, 2023
edited
Loading

  • TOML code has no ReadContext so I'm just tracking depth using an int

@pjfanning pjfanning marked this pull request as draft March 7, 2023 10:45
This was referenced Mar 7, 2023
Closed
Closed
@yawkat
Copy link
Member

yawkat commented Mar 7, 2023

this seems like a better fix than #395. the only thing i'm concerned about is the difference of toml to the other formats. someone using only the streaming apis might set the max stream depth fairly high because they think they cannot run into the data binding issues it exists to avoid. however with toml, the depth limit is critical for streaming as well (since there is no real streaming for toml), not just for binding.

but this is probably not a realistic issue, so this still seems superior.

@yawkat
Copy link
Member

yawkat commented Mar 7, 2023

@pjfanning i dont think the nesting check is necessary? it should be caught by the parser, every start token will have a pollExpected with the corresponding end token

@pjfanning
Copy link
Member Author

pjfanning commented Mar 7, 2023

@yawkat I'll probably remove the check. I just wanted to see if there were any existing tests where the depth misbehaves. I'll leave the check there for the moment but as I say, I'm likely to remove it before merging.

@yawkat
Copy link
Member

yawkat commented Mar 7, 2023

maybe it can be an assert and oss-fuzz can tell us if there's any case where my assumption is violated :)

@pjfanning pjfanning force-pushed the toml-nesting-check branch from 37099a3 to a05e4f3 Compare March 7, 2023 21:41
@pjfanning pjfanning marked this pull request as ready for review March 7, 2023 21:41
@pjfanning pjfanning changed the title [DRAFT] TOML: check nesting depth TOML: check nesting depth Mar 7, 2023
@cowtowncoder
Copy link
Member

cowtowncoder commented Mar 7, 2023

LGTM, but wanted to make sure this is to be merged -- anything else to wait for, change? LMK and I'll merge it to 2.15, master.

@pjfanning
Copy link
Member Author

pjfanning commented Mar 7, 2023

it's ok to merge - I'll follow up with more tests in another PR

@cowtowncoder cowtowncoder merged commit 5dd5f74 into FasterXML:2.15 Mar 7, 2023
@pjfanning pjfanning deleted the toml-nesting-check branch March 7, 2023 23:19
@cowtowncoder
Copy link
Member

cowtowncoder commented Mar 7, 2023

Ok managed to merge to master; was bit hairy but all tests pass so I think that's ok.

@cowtowncoder cowtowncoder changed the title TOML: check nesting depth TOML: check nesting depth (CVE-2023-3894) Oct 31, 2025
cowtowncoder added a commit that referenced this pull request Oct 31, 2025
@cowtowncoder
Add note on #398
a2e4314
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cowtowncoder cowtowncoder cowtowncoder approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pjfanning @yawkat @cowtowncoder