-
Notifications
You must be signed in to change notification settings - Fork 184
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JS-185 Deeply nested ASTs should be de-serialized correctly #4762
Conversation
f29e582
to
adfaffd
Compare
adfaffd
to
9069ea0
Compare
* It makes sense as a general default limit for protobuf users, but in our case, we are producing the input ourselves, | ||
* and even if users are controlling the code, it is not a new security risk, as any analyzer would have to deal with the same limit. | ||
*/ | ||
private static final int PROTOBUF_RECURSION_LIMIT = 300; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The onion benchmark worst case hits 90 layers (180 in terms of Protobuf messages).
Knowing that it is already "fake" code, I feel that if user-defined code ever hits 300, it is fair to not even try to do anything with it...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, not limit will stop us 🚀
made one small nitpick comment, feel free to ignore it.
sonar-plugin/bridge/src/main/java/org/sonar/plugins/javascript/bridge/FormDataUtils.java
Outdated
Show resolved
Hide resolved
…/bridge/FormDataUtils.java Co-authored-by: Renaud T. <[email protected]>
Quality Gate passedIssues Measures |
No description provided.