oauth: Limit JSON parsing depth in the client

Check the ctx->nested level as we go, to prevent a server from running the client out of stack space.

The limit we choose when communicating with authorization servers can't be overly strict, since those servers will continue to add extensions in their JSON documents which we need to correctly ignore. For the SASL communication, we can be more conservative, since there are no defined extensions (and the peer is probably more Postgres code).

Reviewed-by: Aleksander Alekseev <aleksan...@timescale.com>
Discussion: https://postgr.es/m/CAOYmi%2Bm71aRUEi0oQE9ciBnBS8xVtMn3CifaPu2kmJzUfhOZgA%40mail.gmail.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/cbc8fd0c9aec01f451af5e4eeb0eb2c5d5e47eb2

Modified Files
--------------
src/interfaces/libpq-oauth/oauth-curl.c | 26 ++++++++++++++++++
src/interfaces/libpq/fe-auth-oauth.c | 25 +++++++++++++++++
src/test/modules/oauth_validator/t/001_server.pl | 20 ++++++++++++++
src/test/modules/oauth_validator/t/oauth_server.py | 31 +++++++++++++++++-----
4 files changed, 96 insertions(+), 6 deletions(-)
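The idea in the commit message, tracking nesting while input is consumed and rejecting the document once a per-peer limit is exceeded, as an added example that is not code from this commit or from PostgreSQL. It is an iterative structural scan rather than libpq's parser callbacks, and the function name and both limit values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical limits for this example; not the values PostgreSQL uses. */
#define EXAMPLE_AUTHZ_MAX_NESTING 16	/* lenient: unknown extensions must be skippable */
#define EXAMPLE_SASL_MAX_NESTING 4		/* strict: no extensions are defined */

/*
 * Return false as soon as object/array nesting exceeds max_depth.
 * Brackets inside string literals are ignored. This is a structural
 * check only, not a validating JSON parser.
 */
bool
json_depth_within_limit(const char *json, size_t len, int max_depth)
{
	int		depth = 0;
	bool	in_string = false;

	for (size_t i = 0; i < len; i++)
	{
		char	c = json[i];

		if (in_string)
		{
			if (c == '\\' && i + 1 < len)
				i++;			/* skip the escaped character, e.g. \" */
			else if (c == '"')
				in_string = false;
			continue;
		}
		if (c == '"')
			in_string = true;
		else if (c == '{' || c == '[')
		{
			/* Check on the way down, before doing any deeper work. */
			if (++depth > max_depth)
				return false;
		}
		else if ((c == '}' || c == ']') && depth > 0)
			depth--;
	}
	return true;
}

int
main(void)
{
	const char *deep = "[[[[[[1]]]]]]";	/* constructed sample, nesting depth 6 */
	return (!json_depth_within_limit(deep, strlen(deep), EXAMPLE_SASL_MAX_NESTING) &&
			json_depth_within_limit(deep, strlen(deep), EXAMPLE_AUTHZ_MAX_NESTING)) ? 0 : 1;
}
```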