SL-19707 - maximum parse depth is now 200

roxanneskelly · roxanneskelly · commit 78601c000c51 · 2023-07-07T19:00:51.000Z
diff --git a/llsd/base.py b/llsd/base.py
@@ -32,6 +32,8 @@
 ALL_CHARS = str(bytearray(range(256))) if PY2 else bytes(range(256))
 
 MAX_FORMAT_DEPTH = 200
+MAX_PARSE_DEPTH = 200
+
 class _LLSD:
     __metaclass__ = abc.ABCMeta
 
@@ -209,7 +211,7 @@ def _parse_datestr(datestr):
     return datetime.datetime(year, month, day, hour, minute, second, usec)
 
 
-def _bool_to_python(node):
+def _bool_to_python(node, depth=0):
     "Convert boolean node to a python object."
     val = node.text or ''
     try:
@@ -220,35 +222,35 @@ def _bool_to_python(node):
        return bool(val)
 
 
-def _int_to_python(node):
+def _int_to_python(node, depth=0):
     "Convert integer node to a python object."
     val = node.text or ''
     if not val.strip():
         return 0
     return int(val)
 
 
-def _real_to_python(node):
+def _real_to_python(node, depth=0):
     "Convert floating point node to a python object."
     val = node.text or ''
     if not val.strip():
         return 0.0
     return float(val)
 
 
-def _uuid_to_python(node):
+def _uuid_to_python(node, depth=0):
     "Convert uuid node to a python object."
     if node.text:
         return uuid.UUID(hex=node.text)
     return uuid.UUID(int=0)
 
 
-def _str_to_python(node):
+def _str_to_python(node, depth=0):
     "Convert string node to a python object."
     return node.text or ''
 
 
-def _bin_to_python(node):
+def _bin_to_python(node, depth=0):
     base = node.get('encoding') or 'base64'
     try:
         if base == 'base16':
@@ -267,38 +269,38 @@ def _bin_to_python(node):
         return LLSDParseError("Bad binary data: " + str(exc))
 
 
-def _date_to_python(node):
+def _date_to_python(node, depth=0):
     "Convert date node to a python object."
     val = node.text or ''
     if not val:
         val = "1970-01-01T00:00:00Z"
     return _parse_datestr(val)
 
 
-def _uri_to_python(node):
+def _uri_to_python(node, depth=0):
     "Convert uri node to a python object."
     val = node.text or ''
     return uri(val)
 
 
-def _map_to_python(node):
+def _map_to_python(node, depth=0):
     "Convert map node to a python object."
     result = {}
     for index in range(len(node))[::2]:
         if node[index].text is None:
-            result[''] = _to_python(node[index+1])
+            result[''] = _to_python(node[index+1], depth+1)
         else:
-            result[node[index].text] = _to_python(node[index+1])
+            result[node[index].text] = _to_python(node[index+1], depth+1)
     return result
 
 
-def _array_to_python(node):
+def _array_to_python(node, depth=0):
     "Convert array node to a python object."
-    return [_to_python(child) for child in node]
+    return [_to_python(child, depth+1) for child in node]
 
 
 NODE_HANDLERS = dict(
-    undef=lambda x: None,
+    undef=lambda x,y: None,
     boolean=_bool_to_python,
     integer=_int_to_python,
     real=_real_to_python,
@@ -312,9 +314,12 @@ def _array_to_python(node):
 )
 
 
-def _to_python(node):
+def _to_python(node, depth=0):
     "Convert node to a python object."
-    return NODE_HANDLERS[node.tag](node)
+    if depth > MAX_PARSE_DEPTH:
+        raise LLSDParseError("Cannot serialize depth of more than %d" % MAX_FORMAT_DEPTH)
+
+    return NODE_HANDLERS[node.tag](node, depth)
 
 
 class LLSDBaseFormatter(object):
diff --git a/llsd/serde_binary.py b/llsd/serde_binary.py
@@ -5,7 +5,7 @@
 import uuid
 
 from llsd.base import (_LLSD, LLSDBaseParser, LLSDSerializationError, BINARY_HEADER,
-                       MAX_FORMAT_DEPTH,_str_to_bytes, binary, is_integer, is_string, uri)
+                       MAX_FORMAT_DEPTH, MAX_PARSE_DEPTH, _str_to_bytes, binary, is_integer, is_string, uri)
 
 
 try:
@@ -21,7 +21,7 @@ class LLSDBinaryParser(LLSDBaseParser):
 
     See http://wiki.secondlife.com/wiki/LLSD#Binary_Serialization
     """
-    __slots__ = ['_dispatch', '_keep_binary']
+    __slots__ = ['_dispatch', '_keep_binary', '_depth']
 
     def __init__(self):
         super(LLSDBinaryParser, self).__init__()
@@ -62,6 +62,7 @@ def __init__(self):
         # entries in _dispatch.
         for c, func in _dispatch_dict.items():
             self._dispatch[ord(c)] = func
+        self._depth = 0
 
     def parse(self, something, ignore_binary = False):
         """
@@ -81,6 +82,9 @@ def parse(self, something, ignore_binary = False):
 
     def _parse(self):
         "The actual parser which is called recursively when necessary."
+        if self._depth > MAX_PARSE_DEPTH:
+            self._error("Parse depth exceeded max.")
+
         cc = self._getc()
         try:
             func = self._dispatch[ord(cc)]
@@ -96,6 +100,7 @@ def _parse_map(self):
         count = 0
         cc = self._getc()
         key = b''
+        self._depth = self._depth + 1
         while (cc != b'}') and (count < size):
             if cc == b'k':
                 key = self._parse_string()
@@ -109,16 +114,19 @@ def _parse_map(self):
             cc = self._getc()
         if cc != b'}':
             self._error("invalid map close token")
+        self._depth = self._depth - 1
         return rv
 
     def _parse_array(self):
         "Parse a single llsd array"
         rv = []
+        self._depth = self._depth + 1
         size = struct.unpack("!i", self._getc(4))[0]
         for count in range(size):
             rv.append(self._parse())
         if self._getc() != b']':
             self._error("invalid array close token")
+        self._depth = self._depth - 1
         return rv
 
     def _parse_string(self):
diff --git a/llsd/serde_notation.py b/llsd/serde_notation.py
@@ -4,7 +4,7 @@
 import uuid
 
 from llsd.base import (_LLSD, B, LLSDBaseFormatter, LLSDBaseParser, NOTATION_HEADER,
-                       MAX_FORMAT_DEPTH, LLSDParseError, LLSDSerializationError, UnicodeType,
+                       MAX_FORMAT_DEPTH, MAX_PARSE_DEPTH, LLSDParseError, LLSDSerializationError, UnicodeType,
                        _format_datestr, _parse_datestr, _str_to_bytes, binary, uri)
 
 
@@ -70,6 +70,7 @@ def __init__(self):
         # Then fill in specific entries based on the dict above.
         for c, func in _dispatch_dict.items():
             self._dispatch[ord(c)] = func
+        self._depth = 0
 
     def parse(self, something, ignore_binary = False):
         """
@@ -107,6 +108,8 @@ def _get_until(self, delim):
 
     def _parse(self, cc):
         "The notation parser workhorse."
+        if self._depth > MAX_PARSE_DEPTH:
+            self._error("Parse depth exceeded max.")
         try:
             func = self._dispatch[ord(cc)]
         except IndexError:
@@ -182,6 +185,7 @@ def _parse_map(self, cc):
         rv = {}
         key = b''
         found_key = False
+        self._depth = self._depth + 1
         # skip the beginning '{'
         cc = self._getc()
         while (cc != b'}'):
@@ -207,6 +211,7 @@ def _parse_map(self, cc):
             else:
                 self._error("missing separator")
             cc = self._getc()
+        self._depth = self._depth - 1
 
         return rv
 
@@ -217,6 +222,7 @@ def _parse_array(self, cc):
         array: [ object, object, object ]
         """
         rv = []
+        self._depth = self._depth + 1
         # skip the beginning '['
         cc = self._getc()
         while (cc != b']'):
@@ -227,7 +233,7 @@ def _parse_array(self, cc):
                 continue
             rv.append(self._parse(cc))
             cc = self._getc()
-
+        self._depth = self._depth - 1
         return rv
 
     def _parse_uuid(self, cc):
