projectfluent / fluent

Fluent — planning, spec and documentation
https://projectfluent.org
Apache License 2.0

Protect against the Billion Laughs attack #277

Open stasm opened 5 years ago

stasm commented 5 years ago

The resolver should be resilient to exponential reference expansion attacks. See https://en.wikipedia.org/wiki/Billion_laughs_attack

stasm commented 5 years ago

The mitigation in fluent.js involves checking the length of the resolved placeable against a constant. We should 1) make the maximum length configurable in the constructor, and 2) consider how this works with #273.