Re: [PATCH] oauth: Prevent stack overflow by limiting JSON parse depth
Aleksander Alekseev <aleksander@timescale.com>
From: Aleksander Alekseev <aleksander@timescale.com>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>
Date: 2025-05-08T12:22:35Z
Lists: pgsql-hackers
Hi Jacob, > I forgot to put a recursion limit in the new OAuth parsers; the > server-side depth checks don't apply to the client, and it's not using > the incremental parser to move the burden from the stack to the heap. > Luckily, we track the nesting level already, so a fix (attached) can > be pretty small. > > [...] Thanks for the patch. It looks good to me. It's well documented and covered with tests. I can confirm that the tests pass. Also they fail if I decrease the $nesting_limit value to 15. -- Best regards, Aleksander Alekseev
Commits
-
oauth: Limit JSON parsing depth in the client
- cbc8fd0c9aec 18.0 landed