On Fri, Sep 06, 2019 at 09:50:41 +0100, Daniel Berrange wrote:
On Fri, Sep 06, 2019 at 10:33:15AM +0200, Peter Krempa wrote:
> Implicitly the query depth is limited by the length of the QAPI schema
> query, but 'alternate' and 'array' QAPI meta-types don't consume
a part
> of the query string thus a loop on such types would get our traversal
> code stuck in an infinite loop. Prevent this from happening by limiting
> the nesting depth to 1000.
I'm not too clear on what 'depth' is applying to here ? Is this
the level of nesting in the JSON compound types we're following,
or is it something else ?
I ask because YAJL limits JSON nesting to only 128. So 1000 is
almost an order of magnitude larger.
This is not about JSON/YAJL limits. The QAPI schema is flattened and
cross-referenced by type names ('name' field in the schema). Our
code for 'alternate' and 'array' looks up the corresponding type and
moves to it when processing the query string without processing any part
of input.
This means that if you create a mallicious or broken QAPI
schema where the array member type (element-type) would be exactly the
same as the type name of the array [1] our query string evaluator
would be stuck in an infinite loop. The number is crazy big, because it
only needs to prevent from loops of 'alternate' and 'arrays'. All other
cases consume an element from the query string and thus the bounds are
limited by what you are attempting to query.
[1]
query-qmp-schema:
Normal case:
{
"name": "[14]",
"element-type": "14",
"meta-type": "array"
},
broken looping case:
{
"name": "[14]",
"element-type": "[14]",
"meta-type": "array"
},