Skip to content

Apply depth limit to unknown groups #756

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stepancheg merged 7 commits into from
Mar 9, 2025
Merged

Apply depth limit to unknown groups #756

stepancheg merged 7 commits into from
Mar 9, 2025
+59 −12

Conversation

@esrauchg
Copy link
Contributor

@esrauchg esrauchg commented Mar 8, 2025

This avoids the denial of service issue as described on:
#749
https://rustsec.org/advisories/RUSTSEC-2024-0437

@esrauchg esrauchg mentioned this pull request Mar 8, 2025
Open
@esrauchg esrauchg changed the title Apply depth limit to unknown groupv Apply depth limit to unknown groups Mar 8, 2025
@stepancheg
Copy link
Owner

stepancheg commented Mar 8, 2025

Should not be hard to fix CI #757

@stepancheg
Copy link
Owner

stepancheg commented Mar 8, 2025

Can you rebase and resubmit please?

@esrauchg
Copy link
Contributor Author

esrauchg commented Mar 8, 2025

Done; CI is passing now.

Please take another look, thanks!

stepancheg
stepancheg reviewed Mar 8, 2025
View reviewed changes
@esrauchg
Copy link
Contributor Author

esrauchg commented Mar 9, 2025

Fixed the tests, just let me know if there's anything else you'd like changed. Thanks!

@stepancheg stepancheg merged commit f06992f into stepancheg:master Mar 9, 2025
10 checks passed
stepancheg pushed a commit that referenced this pull request Mar 9, 2025
@esrauchg @stepancheg
Apply depth limit to unknown groups (#756)
ee1d928 
* Fix issue where a deeply nested unknown group could cause arbitrarily recursion depth.

* Add drop(os) to fix tests

* Check err message on recursion limit exceeded.

* Run formatter

* Fix test with .unwrap_err()
@stepancheg
Copy link
Owner

stepancheg commented Mar 9, 2025

Thank you!

Version v3.7.2 should be published tomorrow or so.

@eserilev eserilev mentioned this pull request Mar 10, 2025
Closed
@goto-bus-stop goto-bus-stop mentioned this pull request Mar 10, 2025
Merged
@GearsDatapacks GearsDatapacks mentioned this pull request Mar 10, 2025
Merged
@abernix
Copy link

abernix commented Mar 10, 2025

Thanks for the quick action on this. I know folks — myself included — appreciate it. 🙇

@esrauchg Do you think your fix here could be applied to https://github.com/stepancheg/rust-protobuf/tree/v2.28.0? (It doesn't appear as if it would apply cleanly as-is.) And @stepancheg would you entertain a 2.x release for this if the contribution could be made? (The README suggests critical fixes may be accepted, but want to make sure that's still true.)

Reason-being: My hunch/observation is that some high-download packages (like prometheus and thus transitively opentelemetry-prometheus) are still dependent on protobuf 2.x and may not be able to swiftly update to 3.x.

While I realize that's not a predicament you want to be in and those packages should figure out a path to 3.x (I'm just a messenger here, but I can try to assist!), I suspect the availability of a 2.x would more quickly resolve the impact of the vulnerability across the ecosystem. I know it would for my team, who are currently looking at the "dependency of a dependency" gridlock without much of an option on how to proceed. This 2.x backport would unblock that.

@esrauchg
Copy link
Contributor Author

esrauchg commented Mar 10, 2025

The exact same patch couldn't be applied because things files shifted bit, but it appears the same fix can be done on the 2.28 branch the same issue could be mitigated there by a is.incr_recursion()? / .decr_recursion(); before/after this line:
https://github.com/stepancheg/rust-protobuf/blob/v2.28.0/protobuf/src/rt.rs#L806

(Whether the 2.x branch is considered EOL for those kind of patches, I wouldn't know)

@DaughterOfMars DaughterOfMars mentioned this pull request Mar 11, 2025
Closed
@pjenvey
Copy link

pjenvey commented Mar 11, 2025

I've attempted the same fix against 2.28.0 here:

  • test_shallow_nested_unknown_groups passes w/ the additional skip_group !is.eof()? change
  • test_deeply_nested_unknown_groups fails to trigger a skip_group failure, seemingly due to read_unknown not recursively calling skip_group as done on master

This may suggest the unchecked recursion doesn't apply to the skip_group case (and thus the tests don't really apply) but I'm flying blind here

@stepancheg
Copy link
Owner

stepancheg commented Mar 11, 2025
edited
Loading

@abernix

those packages should figure out a path to 3.x

They should be migrating to protobuf version 4, which is currently in beta This version of protobuf crate is on the way to archive.

@jprendes jprendes mentioned this pull request Mar 20, 2025
Merged
@NoisyCoil NoisyCoil mentioned this pull request Apr 24, 2025
Open
@jykanase jykanase mentioned this pull request Jul 21, 2025
Merged
12 tasks
@AkarshHCL AkarshHCL mentioned this pull request Aug 11, 2025
Merged
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stepancheg stepancheg stepancheg left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@esrauchg @stepancheg @abernix @pjenvey