Skip to content

fix: Fix uncontrolled recursion DoS in parser.py#468

Open
frostming wants to merge 1 commit into
python-poetry:masterfrom
spartan8806:fix/recursion-depth-limit
Open

fix: Fix uncontrolled recursion DoS in parser.py#468
frostming wants to merge 1 commit into
python-poetry:masterfrom
spartan8806:fix/recursion-depth-limit

Conversation

@frostming
Copy link
Copy Markdown
Contributor

@frostming frostming commented Apr 3, 2026

Adds a configurable maximum nesting depth (default 100) to prevent RecursionError when parsing deeply nested arrays or inline tables. When the limit is exceeded, a ParseError is raised instead of allowing unbounded recursion that crashes the process.

Fixes #459

@spartan8806 @claude
Fix uncontrolled recursion DoS in parser.py (CWE-674)
6136b84 
Adds a configurable maximum nesting depth (default 100) to prevent
RecursionError when parsing deeply nested arrays or inline tables.
When the limit is exceeded, a ParseError is raised instead of
allowing unbounded recursion that crashes the process.

Fixes python-poetry#459

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@spartan8806
Copy link
Copy Markdown

spartan8806 commented Apr 9, 2026

Hey sorry I just now seen It failed 2 checks, I will try and look in to it and get a fix sometime soon.

@arp242 arp242 mentioned this pull request May 7, 2026
Merged
arp242 added a commit to toml-lang/toml that referenced this pull request May 24, 2026
@arp242
Add paragraph about table nesting depth
d8e342e 
Recently there have been a few TOML implementations that have added a
nesting limit depth to prevent using up huge amount of CPU/memory with a
document like "a.«10,000 more» = 1". For example:

hukkin/tomli#286
python-poetry/tomlkit#468
BurntSushi/toml@2e90ced6

There's probably more. In a casual quick look, many implementations
already have such a limit and if they don't, they probably should.

I added a comment in the toml-test README for it, but I think mentioning
it in the spec would also be useful. If only to set a recommended lower
limit like we do for 64bit ints. This is helpful both for implementation
authors (as a reminder they should add such a limit) and users (as a
reminder there may be a limit).

For example BurntSushi/toml has never had such a limit until recently,
even though I've always known this sort of thing is a problem. I ...
just never thought of it. This would have been fixed years ago if there
had been a comment in the spec. That's probably the same for tomli.
arp242 added a commit to toml-lang/toml that referenced this pull request May 24, 2026
@arp242
Add paragraph about table nesting depth
90ce8fd 
Recently there have been a few TOML implementations that have added a
nesting limit depth to prevent using up huge amount of CPU/memory with a
document like "a.«10,000 more» = 1". For example:

hukkin/tomli#286
python-poetry/tomlkit#468
BurntSushi/toml@2e90ced6

There's probably more. In a casual quick look, many implementations
already have such a limit and if they don't, they probably should.

I added a comment in the toml-test README for it, but I think mentioning
it in the spec would also be useful. If only to set a recommended lower
limit like we do for 64bit ints. This is helpful both for implementation
authors (as a reminder they should add such a limit) and users (as a
reminder there may be a limit).

For example BurntSushi/toml has never had such a limit until recently,
even though I've always known this sort of thing is a problem. I ...
just never thought of it. This would have been fixed years ago if there
had been a comment in the spec. That's probably the same for tomli.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security: Uncontrolled Recursion DoS in parser.py (CWE-674)

2 participants

@frostming @spartan8806