Merge pull request #81 from Shopify/pz-max-source-code-bytes

Require source code to be at most 16MiB
Shopify · Oct 13, 2020 · 368792e · 368792e
2 parents fe47cb4 + 9335dc3
commit 368792e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/ext/liquid_c/tokenizer.c b/ext/liquid_c/tokenizer.c
@@ -47,6 +47,12 @@ static VALUE tokenizer_initialize_method(VALUE self, VALUE source, VALUE start_l
     Check_Type(source, T_STRING);
     check_utf8_encoding(source, "source");
 
+#define MAX_SOURCE_CODE_BYTES ((1 << 24) - 1)
+    if (RSTRING_LEN(source) > MAX_SOURCE_CODE_BYTES) {
+        rb_enc_raise(utf8_encoding, rb_eArgError, "Source too large, max %d bytes", MAX_SOURCE_CODE_BYTES);
+    }
+#undef MAX_SOURCE_CODE_BYTES
+
     Tokenizer_Get_Struct(self, tokenizer);
     source = rb_str_dup_frozen(source);
     tokenizer->source = source;

diff --git a/test/unit/tokenizer_test.rb b/test/unit/tokenizer_test.rb
@@ -62,6 +62,14 @@ def test_non_utf8_compatible_source
     assert_equal("non-UTF8 encoded source (ASCII-8BIT) not supported", exc.message)
   end
 
+  def test_source_too_large
+    err = assert_raises(ArgumentError) do
+      tokenize("a" * 2**24)
+    end
+
+    assert_match(/Source too large, max \d+ bytes/, err.message)
+  end
+
   private
 
   def tokenize(source, for_liquid_tag: false, trimmed: false)