Re: [PATCH] oauth: Prevent stack overflow by limiting JSON parse depth

Aleksander Alekseev <aleksander@timescale.com>

From: Aleksander Alekseev <aleksander@timescale.com>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>
Date: 2025-05-08T12:22:35Z
Lists: pgsql-hackers
Hi Jacob,

> I forgot to put a recursion limit in the new OAuth parsers; the
> server-side depth checks don't apply to the client, and it's not using
> the incremental parser to move the burden from the stack to the heap.
> Luckily, we track the nesting level already, so a fix (attached) can
> be pretty small.
>
> [...]

Thanks for the patch. It looks good to me. It's well documented and
covered with tests. I can confirm that the tests pass. Also they fail
if I decrease the $nesting_limit value to 15.

--
Best regards,
Aleksander Alekseev



Commits

  1. oauth: Limit JSON parsing depth in the client