feat: add max_nesting_depth

Author: quake

json/internal_types.mbt

@@ -17,12 +17,13 @@ priv struct ParseContext {
   mut offset : Int
   input : String
   end_offset : Int
+  max_nesting_depth : Int
   mut depth : Int
 }
 
 ///|
-fn ParseContext::make(input : String) -> ParseContext {
-  { offset: 0, input, end_offset: input.length(), depth: 0 }
+fn ParseContext::make(input : String, max_nesting_depth : Int) -> ParseContext {
+  { offset: 0, input, end_offset: input.length(), max_nesting_depth, depth: 0 }
 }
 
 ///|

json/json_test.mbt

@@ -527,22 +527,16 @@ test "nested json" {
   })
 }
 
+///|
 test "call stack overflow" {
   let depth = 50000
   let json_string = StringBuilder::new()
-  for _ in (0..=depth) {
+  for _ in 0..=depth {
     json_string.write_char('[')
   }
-  for _ in (0..=depth) {
+  for _ in 0..=depth {
     json_string.write_char(']')
   }
+  let _ = @json.parse(json_string.to_string()) catch { _ => null }
 
-  println("If the parser is vulnerable, this program will crash with a stack overflow.")
-
-  match @json.parse(json_string.to_string()) {
-    Json::Array(arr) => {
-      println(arr)
-    }
-    _ => fail("Parsing failed unexpectedly")
-  }
-}
+}

json/lex_misc.mbt

@@ -93,7 +93,7 @@ fn ParseContext::expect_ascii_char(
 
 ///|
 test "expect_char" {
-  let ctx = ParseContext::make("abc")
+  let ctx = ParseContext::make("abc", 1)
   ctx.expect_char('a')
   ctx.expect_char('b')
   ctx.expect_char('c')
@@ -103,7 +103,7 @@ test "expect_char" {
 ///|
 test "expect_char with surrogate pair" {
   // "\uD83D\uDE00" // todo: shall we allow this?
-  let ctx = ParseContext::make("a\u{1F600}bc\u{1F600}c")
+  let ctx = ParseContext::make("a\u{1F600}bc\u{1F600}c", 1)
   ctx.expect_char('a')
   ctx.expect_char((0x1F600).unsafe_to_char())
   ctx.expect_char('b')

json/parse.mbt

@@ -23,8 +23,11 @@ pub fn valid(input : String) -> Bool {
 }
 
 ///|
-pub fn parse(input : String) -> Json raise ParseError {
-  let ctx = ParseContext::make(input)
+pub fn parse(
+  input : String,
+  max_nesting_depth? : Int = 1024,
+) -> Json raise ParseError {
+  let ctx = ParseContext::make(input, max_nesting_depth)
   let val = ctx.parse_value()
   ctx.lex_skip_whitespace()
   if ctx.offset >= ctx.end_offset {
@@ -59,7 +62,7 @@ fn ParseContext::parse_value2(
 
 ///|
 fn ParseContext::parse_object(ctx : ParseContext) -> Json raise ParseError {
-  if ctx.depth >= 500 {
+  if ctx.depth >= ctx.max_nesting_depth {
     raise DepthLimitExceeded
   }
   ctx.depth += 1
@@ -87,7 +90,7 @@ fn ParseContext::parse_object(ctx : ParseContext) -> Json raise ParseError {
 
 ///|
 fn ParseContext::parse_array(ctx : ParseContext) -> Json raise ParseError {
-  if ctx.depth >= 500 {
+  if ctx.depth >= ctx.max_nesting_depth {
     raise DepthLimitExceeded
   }
   ctx.depth += 1

json/types.mbt

@@ -53,7 +53,7 @@ pub impl Show for ParseError with output(self, logger) {
       ..write_object(line)
       ..write_string(", column ")
       ..write_object(column)
-    DepthLimitExceeded => logger.write_string("Depth limit exceeded")
+    DepthLimitExceeded => logger.write_string("Depth limit exceeded, please increase the max_nesting_depth parameter")
   }
 }