Add limits to reading XML inputs (#319)

This PR adds limits to XML parsing to avoid memory exhaustion by ill-crafted XML input. It adds “trip counter” to the reader that feeds data into the XML parser which limits the size of an opening tag to 1,000,000 bytes and the content of certain XML elements to 100,000,000 bytes. This, together with the XML parser itself not keeping data buffered protects against exploding compressed data.
NLnetLabs · Jan 20, 2025 · 8290c8a · 8290c8a
1 parent ca82ee0
commit 8290c8a
Show file tree

Hide file tree

Showing 8 changed files with 401 additions and 166 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,7 +7,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macOS-latest]
-        rust: [1.70.0, stable, beta, nightly]
+        rust: [1.73.0, stable, beta, nightly]
     steps:
     - name: Checkout repository
       uses: actions/checkout@v1

diff --git a/Cargo.toml b/Cargo.toml
@@ -2,7 +2,7 @@
 name = "rpki"
 version = "0.18.4"
 edition = "2021"
-rust-version = "1.70"
+rust-version = "1.73"
 authors = ["NLnet Labs <rpki-team@nlnetlabs.nl>"]
 description = "A library for validating and creating RPKI data."
 documentation = "https://docs.rs/rpki/"
@@ -36,7 +36,13 @@ untrusted       = { version = "0.9", optional = true }
 [dev-dependencies]
 serde_json      = "1.0.40"
 serde_test      = "1.0"
-tokio           = { version="1.0", features=["net", "macros"]}
+tokio           = { version="1.0", features=["net", "macros", "rt-multi-thread"]}
+hyper           = { version = "1.3.1", features = ["server", "http1"] }
+hyper-util      = { version = "0.1", features = ["server", "tokio"] }
+http-body-util  = "0.1"
+futures-util    = "0.3.31"
+reqwest         = { version = "0.12.9", features = ["gzip", "stream", "blocking"] }
+
 
 [features]
 default = []