mirror of
https://github.com/protocolbuffers/protobuf-go.git
synced 2025-01-30 03:32:49 +00:00
3992ea83a2
+ This change introduce a default and configurable depth limit for proto.Unmarshal. If a message is nested deeper than the limit, unmarshaling will fail. There are two ways to nest messages. Either by having fields which are message types itself or by using groups. + The default limit is 10,000 for now. This might change in the future to align it with other language implementation (C++ and Java use 100 as limit). + If pure groups (groups that don't contain message fields) are nested deeper than the default limit the unmarshaling fails with: proto: cannot parse invalid wire-format data + Note: the configured limit does not apply to pure groups. + This change is introduced to improve security and robustness. Because unmarshaling is implemented using recursion it can lead to stack overflows for certain inputs. The introduced limit protects against this. + A secondary motivation for this limit is the alignment with other languages. Protocol buffers are a language interoperability mechanism and thus either all implementations should accept the input or all implementation should reject the input. Change-Id: I14bdb44d06e4bd1aa90d6336c2cf6446003b2037 Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/385854 Trust: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Trust: Damien Neil <dneil@google.com> Reviewed-by: Nicolas Hillegeer <aktau@google.com> Reviewed-by: Chressie Himpel <chressie@google.com>
79 lines
1.9 KiB
Go
79 lines
1.9 KiB
Go
// Copyright 2020 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package protoreflect
|
|
|
|
import (
|
|
"google.golang.org/protobuf/internal/pragma"
|
|
)
|
|
|
|
// The following types are used by the fast-path Message.ProtoMethods method.
|
|
//
|
|
// To avoid polluting the public protoreflect API with types used only by
|
|
// low-level implementations, the canonical definitions of these types are
|
|
// in the runtime/protoiface package. The definitions here and in protoiface
|
|
// must be kept in sync.
|
|
type (
|
|
methods = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Flags supportFlags
|
|
Size func(sizeInput) sizeOutput
|
|
Marshal func(marshalInput) (marshalOutput, error)
|
|
Unmarshal func(unmarshalInput) (unmarshalOutput, error)
|
|
Merge func(mergeInput) mergeOutput
|
|
CheckInitialized func(checkInitializedInput) (checkInitializedOutput, error)
|
|
}
|
|
supportFlags = uint64
|
|
sizeInput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Message Message
|
|
Flags uint8
|
|
}
|
|
sizeOutput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Size int
|
|
}
|
|
marshalInput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Message Message
|
|
Buf []byte
|
|
Flags uint8
|
|
}
|
|
marshalOutput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Buf []byte
|
|
}
|
|
unmarshalInput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Message Message
|
|
Buf []byte
|
|
Flags uint8
|
|
Resolver interface {
|
|
FindExtensionByName(field FullName) (ExtensionType, error)
|
|
FindExtensionByNumber(message FullName, field FieldNumber) (ExtensionType, error)
|
|
}
|
|
Depth int
|
|
}
|
|
unmarshalOutput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Flags uint8
|
|
}
|
|
mergeInput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Source Message
|
|
Destination Message
|
|
}
|
|
mergeOutput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Flags uint8
|
|
}
|
|
checkInitializedInput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
Message Message
|
|
}
|
|
checkInitializedOutput = struct {
|
|
pragma.NoUnkeyedLiterals
|
|
}
|
|
)
|