prevent long strings as int inputs #4480
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
should now pass, please review. |
|
@pydantic/pydantic-maintainers do you think we should backport this to v1.9 and v1.8? |
hramezani
approved these changes
Sep 5, 2022
hramezani
approved these changes
Sep 5, 2022
hramezani
approved these changes
Sep 5, 2022
|
sorry. I think it was my internet problem. I approved the PR 3 times 🤦♂️ |
|
No problem. Good to see you're sure 😄. |
cmyui
reviewed
Sep 5, 2022
| # NOTICE: this does not fully protect user from the DOS risk since the standard library JSON implementation | ||
| # (and other std lib modules like xml) use `int()` and are likely called before this, the best workaround is to | ||
| # 1. update to the latest patch release of python once released, 2. use a different JSON library like ujson | ||
| if isinstance(v, (str, bytes, bytearray)) and len(v) > max_str_int: |
There was a problem hiding this comment.
maybe overkill, but should this include memoryview as well?
from pydantic import BaseModel
class A(BaseModel):
x: int
A(x=memoryview(b"1" * 5000))this seems like a much less common use case, but perhaps could still be used as a dos in some cases
$ python -m timeit -s 'x=b"1" * 100_000' 'int(memoryview(x))'
5 loops, best of 5: 59.6 msec per loopi can make a pr to address this
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
see #1477 and in turn, python/cpython#95778 this check should be unnecessary once patch releases are out for 3.7, 3.8, 3.9 and 3.10 but better to check here until then.
See this twitter thread the python patch releases should be out in the next few days, but I know how slow people are to upgrade these things, so I think better to fix here.
NOTICE:
This does not full protect user from the DOS risk since the standard library JSON implementation
(and other std lib modules like xml) use
int()and are called before this, the best workaround is toRelated issue number
fix #1477
Checklist
changes/<pull request or issue id>-<github username>.mdfile added describing change