Thread: Re: [PATCH] oauth: Prevent stack overflow by limiting JSON parse depth

From: Aleksander Alekseev
Hi Jacob,

> I forgot to put a recursion limit in the new OAuth parsers; the
> server-side depth checks don't apply to the client, and it's not using
> the incremental parser to move the burden from the stack to the heap.
> Luckily, we track the nesting level already, so a fix (attached) can
> be pretty small.
>
> [...]

Thanks for the patch. It looks good to me. It's well documented and
covered with tests. I can confirm that the tests pass. Also they fail
if I decrease the $nesting_limit value to 15.

--
Best regards,
Aleksander Alekseev
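The quoted description above (a recursion limit that reuses the nesting level the parser already tracks) is illustrated by the following added example. It is not the attached patch and not PostgreSQL's JSON parser: it is a small recursive-descent JSON scanner in C that passes the current nesting depth down through each recursive call and refuses to descend past a caller-supplied limit, so stack usage is bounded by the limit rather than by attacker-controlled input. The function names `json_check_depth` and `make_nested`, the constant `EXAMPLE_MAX_NESTING`, and the sample inputs are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the depth-limited scan (names are this example's own). */
enum json_scan_result {
    JSON_OK = 0,
    JSON_ERR_TOO_DEEP = 1,
    JSON_ERR_SYNTAX = 2
};

/* Illustrative default limit; not the value used by any real parser. */
#define EXAMPLE_MAX_NESTING 64

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r')
        p++;
    return p;
}

/* Skip a string literal starting at '"'; returns pointer past the closing
 * quote, or NULL if the string is unterminated. Escapes are skipped blindly. */
static const char *skip_string(const char *p)
{
    if (*p != '"')
        return NULL;
    p++;
    while (*p && *p != '"') {
        if (*p == '\\') {
            p++;
            if (!*p)
                return NULL;
        }
        p++;
    }
    return *p == '"' ? p + 1 : NULL;
}

static const char *scan_value(const char *p, int depth, int max_depth,
                              enum json_scan_result *res);

/* Scan the members of an array (close == ']') or object (close == '}').
 * p points just past the opening bracket; depth is this container's level.
 * The depth check happens before anything else, so at most max_depth + 1
 * container frames can ever be live on the C stack. */
static const char *scan_container(const char *p, char close, int depth,
                                  int max_depth, enum json_scan_result *res)
{
    if (depth > max_depth) {
        *res = JSON_ERR_TOO_DEEP;
        return NULL;
    }
    p = skip_ws(p);
    if (*p == close)
        return p + 1;                       /* empty container */
    for (;;) {
        p = skip_ws(p);
        if (close == '}') {                 /* object member: "key" : value */
            p = skip_string(p);
            if (!p) { *res = JSON_ERR_SYNTAX; return NULL; }
            p = skip_ws(p);
            if (*p != ':') { *res = JSON_ERR_SYNTAX; return NULL; }
            p++;
        }
        p = scan_value(p, depth, max_depth, res);
        if (!p)
            return NULL;                    /* error already recorded */
        p = skip_ws(p);
        if (*p == ',') { p++; continue; }
        if (*p == close)
            return p + 1;
        *res = JSON_ERR_SYNTAX;
        return NULL;
    }
}

/* Recursive-descent value scanner: each nested container adds one level. */
static const char *scan_value(const char *p, int depth, int max_depth,
                              enum json_scan_result *res)
{
    p = skip_ws(p);
    switch (*p) {
    case '[': return scan_container(p + 1, ']', depth + 1, max_depth, res);
    case '{': return scan_container(p + 1, '}', depth + 1, max_depth, res);
    case '"': {
        const char *q = skip_string(p);
        if (!q)
            *res = JSON_ERR_SYNTAX;
        return q;
    }
    default: {                              /* number, true, false, null */
        const char *start = p;
        while (*p && strchr(",]} \t\r\n", *p) == NULL)
            p++;
        if (p == start) { *res = JSON_ERR_SYNTAX; return NULL; }
        return p;
    }
    }
}

/* Scan a whole document; reject nesting deeper than max_depth. */
enum json_scan_result json_check_depth(const char *json, int max_depth)
{
    enum json_scan_result res = JSON_OK;
    const char *end = scan_value(json, 0, max_depth, &res);
    if (!end)
        return res == JSON_OK ? JSON_ERR_SYNTAX : res;
    end = skip_ws(end);
    return *end == '\0' ? JSON_OK : JSON_ERR_SYNTAX;
}

/* Constructed input for testing: n nested arrays, e.g. "[[[]]]" for n = 3. */
char *make_nested(int n)
{
    char *s = malloc((size_t)2 * n + 1);
    memset(s, '[', (size_t)n);
    memset(s + n, ']', (size_t)n);
    s[2 * n] = '\0';
    return s;
}

int main(void)
{
    char *deep = make_nested(100000);       /* would exhaust an unbounded parser's stack */
    printf("depth 100000 with limit %d -> %d\n", EXAMPLE_MAX_NESTING,
           json_check_depth(deep, EXAMPLE_MAX_NESTING));
    free(deep);
    return 0;
}
```

The point to take from the shape of the code is that the depth check is the first thing a container frame does; placing it anywhere later would still allow one unbounded recursion per level before the limit fires.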

On Thu, May 8, 2025 at 5:22 AM Aleksander Alekseev
<aleksander@timescale.com> wrote:
> Thanks for the patch. It looks good to me. It's well documented and
> covered with tests. I can confirm that the tests pass. Also they fail
> if I decrease the $nesting_limit value to 15.

Thanks for the review!

--Jacob