monoculum / formam

A package for decoding form values into structs in Go
Apache License 2.0

Array indexed values need some form of length limit to prevent attack #31

Closed: hdm closed this issue 4 years ago

hdm commented 4 years ago

The code to expand a slice based on an array index ends up calling reflect.MakeSlice with a user-controlled length value: https://github.com/monoculum/formam/blob/master/formam.go#L570

This could be abused by a malicious user to force large memory allocations in a Go web application.

A workaround could be to provide a default length limit (16k or similar) in the DecoderOptions and allow the user to override this.
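As an added illustration of the bounded-length approach proposed above (this is example code, not formam's own implementation, and `MaxSliceIndex`, `parseIndexedKey` and `DecodeStrings` are hypothetical names), the index in a key such as `tags[3]` is checked against a cap before the slice is grown, so the length passed to `reflect.MakeSlice` can never exceed the configured limit:

```go
package main

import (
	"fmt"
	"reflect"
	"strconv"
	"strings"
)

// MaxSliceIndex is a hypothetical default cap on form array indexes (the DecoderOptions limit the issue proposes).
const MaxSliceIndex = 16384

// parseIndexedKey splits "tags[3]" into ("tags", 3), rejecting indexes above max before any allocation.
func parseIndexedKey(key string, max int) (string, int, error) {
	open := strings.IndexByte(key, '[')
	if open <= 0 || !strings.HasSuffix(key, "]") {
		return "", 0, fmt.Errorf("not an indexed key: %q", key)
	}
	idx, err := strconv.Atoi(key[open+1 : len(key)-1])
	if err != nil || idx < 0 {
		return "", 0, fmt.Errorf("bad index in %q", key)
	}
	if idx > max {
		return "", 0, fmt.Errorf("index %d in %q exceeds limit %d", idx, key, max)
	}
	return key[:open], idx, nil
}

// DecodeStrings applies name[i]=value pairs into a []string the way a form decoder grows a slice,
// but the length given to reflect.MakeSlice is bounded by max, not by what the client wrote.
func DecodeStrings(values map[string]string, max int) ([]string, error) {
	out := reflect.ValueOf([]string{})
	for k, val := range values {
		_, idx, err := parseIndexedKey(k, max)
		if err != nil {
			return nil, err
		}
		if idx >= out.Len() { // grow to idx+1, keeping entries already decoded
			grown := reflect.MakeSlice(out.Type(), idx+1, idx+1)
			reflect.Copy(grown, out)
			out = grown
		}
		out.Index(idx).SetString(val)
	}
	return out.Interface().([]string), nil
}

func main() {
	fmt.Println(DecodeStrings(map[string]string{"tags[0]": "a", "tags[999999999]": "x"}, MaxSliceIndex))
}
```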

arp242 commented 4 years ago

Good catch; thanks! I created a patch: #32

emilgpa commented 4 years ago

@hdm Thank you very much for catching it! And thank you @arp242 for the PR!

hdm commented 4 years ago

Thanks for the patch!

arp242 commented 4 years ago

I put out v3.4.0 which includes this fix.