-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit link def expansion #845
Limit link def expansion #845
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Simple enough solution. Looks good!
Similar quadratic growth could happen with the broken link callback, although it's highly context dependent. Should we warn about that in the docs?
@@ -225,6 +243,8 @@ impl<'input, F: BrokenLinkCallback<'input>> Parser<'input, F> { | |||
inline_stack, | |||
link_stack, | |||
html_scan_guard, | |||
// always allow 100KiB | |||
link_ref_expansion_limit: text.len().max(100_000), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I'd rather make this text.len() + 100_000
but replicating cmark is good.
This runs after the callback, so it should cover it, right? |
Ah, I see. But running the callback already potentially involves generating long strings, so quadratic work could be done anyway. I guess the same applies for ref defs: If the url/title are not borrowed from the input, then them being fetched and cloned from the map is already quadratic. An input like "[x]: " + "x\\." * N + "\n[x]" * N is still quadratic with this PR (though only noticeably so with N > 2000 as it's just string cloning). So the check for whether the limit has been exhausted should be before anything is cloned or the callback is called. I'm also not sure that we should apply the same limit to the broken link callback. For ref defs, the url & title are included in the document itself once, so the limit will never be hit if each definition is only used once. This is not the case for links expanded by the callback. There may also be use cases where the generated links are significantly longer or contain a payload. Of course the 100K minimum size will be hard to reach in practice. |
There is still quadratic behavior in some cases, as explained above
Yeah, that could be considered. For this issue though, there's probably a reasonable solution that checks the limit before cloning? Not sure if it's worth blocking a fix to this on switching to |
Yeah, that's doable. Here's a commit that does it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good now! (Assuming you're ok with the callback using the same limit)
I have to deep a bit more on this but it looks good, thanks! |
chore(deps): update compatible [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [anyhow](https://togithub.com/dtolnay/anyhow) | workspace.dependencies | patch | `1.0.80` -> `1.0.81` | | [clap](https://togithub.com/clap-rs/clap) | workspace.dependencies | patch | `4.5.1` -> `4.5.4` | | [git2](https://togithub.com/rust-lang/git2-rs) | workspace.dependencies | patch | `0.18.2` -> `0.18.3` | | [handlebars](https://togithub.com/sunng87/handlebars-rust) | workspace.dependencies | patch | `5.1.0` -> `5.1.2` | | [libloading](https://togithub.com/nagisa/rust_libloading) | workspace.dependencies | patch | `0.8.1` -> `0.8.3` | | [memchr](https://togithub.com/BurntSushi/memchr) | workspace.dependencies | patch | `2.7.1` -> `2.7.2` | | [os_info](https://togithub.com/stanislav-tkach/os_info) | workspace.dependencies | minor | `3.7.0` -> `3.8.2` | | [pulldown-cmark](https://togithub.com/raphlinus/pulldown-cmark) | workspace.dependencies | patch | `0.10.0` -> `0.10.2` | | [regex](https://togithub.com/rust-lang/regex) | workspace.dependencies | patch | `1.10.3` -> `1.10.4` | | [security-framework](https://lib.rs/crates/security_framework) ([source](https://togithub.com/kornelski/rust-security-framework)) | workspace.dependencies | minor | `2.9.2` -> `2.10.0` | | [serde_json](https://togithub.com/serde-rs/json) | workspace.dependencies | patch | `1.0.114` -> `1.0.115` | | [similar](https://togithub.com/mitsuhiko/similar) | dev-dependencies | minor | `2.4.0` -> `2.5.0` | | [snapbox](https://togithub.com/assert-rs/trycmd/tree/main/crates/snapbox) ([source](https://togithub.com/assert-rs/trycmd)) | workspace.dependencies | patch | `0.5.7` -> `0.5.9` | | [thiserror](https://togithub.com/dtolnay/thiserror) | workspace.dependencies | patch | `1.0.57` -> `1.0.58` | | [toml](https://togithub.com/toml-rs/toml) | workspace.dependencies | patch | `0.8.10` -> `0.8.12` | | [tracing-chrome](https://togithub.com/thoren-d/tracing-chrome) | workspace.dependencies | patch | `0.7.1` -> `0.7.2` | | [walkdir](https://togithub.com/BurntSushi/walkdir) | workspace.dependencies | minor | `2.4.0` -> `2.5.0` | --- ### Release Notes <details> <summary>dtolnay/anyhow (anyhow)</summary> ### [`v1.0.81`](https://togithub.com/dtolnay/anyhow/releases/tag/1.0.81) [Compare Source](https://togithub.com/dtolnay/anyhow/compare/1.0.80...1.0.81) - Make backtrace support available when using -Dwarnings ([#​354](https://togithub.com/dtolnay/anyhow/issues/354)) </details> <details> <summary>clap-rs/clap (clap)</summary> ### [`v4.5.4`](https://togithub.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#454---2024-03-25) [Compare Source](https://togithub.com/clap-rs/clap/compare/v4.5.3...v4.5.4) ##### Fixes - *(derive)* Allow non-literal `#[arg(id)]` attributes again ### [`v4.5.3`](https://togithub.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#453---2024-03-15) [Compare Source](https://togithub.com/clap-rs/clap/compare/v4.5.2...v4.5.3) ##### Internal - *(derive)* Update `heck` ### [`v4.5.2`](https://togithub.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#452---2024-03-06) [Compare Source](https://togithub.com/clap-rs/clap/compare/v4.5.1...v4.5.2) ##### Fixes - *(macros)* Silence a warning </details> <details> <summary>rust-lang/git2-rs (git2)</summary> ### [`v0.18.3`](https://togithub.com/rust-lang/git2-rs/blob/HEAD/CHANGELOG.md#0183---2024-03-18) [Compare Source](https://togithub.com/rust-lang/git2-rs/compare/git2-0.18.2...git2-0.18.3) [0.18.2...0.18.3](https://togithub.com/rust-lang/git2-rs/compare/git2-0.18.2...git2-0.18.3) ##### Added - Added `opts::` functions to get / set libgit2 mwindow options [#​1035](https://togithub.com/rust-lang/git2-rs/pull/1035) ##### Changed - Updated examples to use clap instead of structopt [#​1007](https://togithub.com/rust-lang/git2-rs/pull/1007) </details> <details> <summary>sunng87/handlebars-rust (handlebars)</summary> ### [`v5.1.2`](https://togithub.com/sunng87/handlebars-rust/blob/HEAD/CHANGELOG.md#512---2024-03-24) [Compare Source](https://togithub.com/sunng87/handlebars-rust/compare/v5.1.1...v5.1.2) - \[Changed] Improved error message and syntax rule naming \[[#​638](https://togithub.com/sunng87/handlebars-rust/issues/638)] - \[Changed] Updated `heck` to 0.5 \[[#​635](https://togithub.com/sunng87/handlebars-rust/issues/635)] ### [`v5.1.1`](https://togithub.com/sunng87/handlebars-rust/blob/HEAD/CHANGELOG.md#-511---2024-01-18-Yanked) [Compare Source](https://togithub.com/sunng87/handlebars-rust/compare/v5.1.0...v5.1.1) - \[Changed] Turned off pub access of `chain` in `HelperTemplate` </details> <details> <summary>nagisa/rust_libloading (libloading)</summary> ### [`v0.8.3`](https://togithub.com/nagisa/rust_libloading/compare/0.8.2...0.8.3) [Compare Source](https://togithub.com/nagisa/rust_libloading/compare/0.8.2...0.8.3) ### [`v0.8.2`](https://togithub.com/nagisa/rust_libloading/compare/0.8.1...0.8.2) [Compare Source](https://togithub.com/nagisa/rust_libloading/compare/0.8.1...0.8.2) </details> <details> <summary>BurntSushi/memchr (memchr)</summary> ### [`v2.7.2`](https://togithub.com/BurntSushi/memchr/compare/2.7.1...2.7.2) [Compare Source](https://togithub.com/BurntSushi/memchr/compare/2.7.1...2.7.2) </details> <details> <summary>stanislav-tkach/os_info (os_info)</summary> ### [`v3.8.2`](https://togithub.com/stanislav-tkach/os_info/blob/HEAD/CHANGELOG.md#382-2024-03-22) [Compare Source](https://togithub.com/stanislav-tkach/os_info/compare/v3.8.1...v3.8.2) - Build on FreeSBD has been fixed once again. ([#​377](https://togithub.com/stanislav-tkach/os_info/issues/377)) ### [`v3.8.1`](https://togithub.com/stanislav-tkach/os_info/blob/HEAD/CHANGELOG.md#381-2024-03-17) [Compare Source](https://togithub.com/stanislav-tkach/os_info/compare/v3.8.0...v3.8.1) - Build on FreeSBD has been fixed. ([#​372](https://togithub.com/stanislav-tkach/os_info/issues/372)) - Build on Illumos has been fixed. ([#​373](https://togithub.com/stanislav-tkach/os_info/issues/373)) - Build on NetBSD has been fixed. ([#​374](https://togithub.com/stanislav-tkach/os_info/issues/374)) - Few more regressions introduced in the `3.8.0` release were (hopefully) fixed. ### [`v3.8.0`](https://togithub.com/stanislav-tkach/os_info/blob/HEAD/CHANGELOG.md#380-2024-03-12) [Compare Source](https://togithub.com/stanislav-tkach/os_info/compare/v3.7.0...v3.8.0) - The `windows-sys` crate instead of `winapi` is now used internally. ([#​341](https://togithub.com/stanislav-tkach/os_info/issues/341)) - Architecture information for Windows targets has been added. ([#​345](https://togithub.com/stanislav-tkach/os_info/issues/345)) - Artix Linux detection has been fixed. ([#​348](https://togithub.com/stanislav-tkach/os_info/issues/348)) - AIX support has been added. ([#​349](https://togithub.com/stanislav-tkach/os_info/issues/349)) - Kali Linux support has been added. ([#​350](https://togithub.com/stanislav-tkach/os_info/issues/350)) - openSUSE Tumbleweed detection has been fixed. ([#​353](https://togithub.com/stanislav-tkach/os_info/issues/353)) - Version parsing from `lsb_release` has been added. ([#​354](https://togithub.com/stanislav-tkach/os_info/issues/354)) - HardenedBSD detection has been fixed. ([#​358](https://togithub.com/stanislav-tkach/os_info/issues/358)) - Ultramarine Linux support has been added. ([#​359](https://togithub.com/stanislav-tkach/os_info/issues/359)) - AlmaLinux and Rocky Linux support has been added. ([#​360](https://togithub.com/stanislav-tkach/os_info/issues/360)) - Ultramarine Linux support has been added. ([#​363](https://togithub.com/stanislav-tkach/os_info/issues/363)) - Void Linux support has been added. ([#​365](https://togithub.com/stanislav-tkach/os_info/issues/365)) </details> <details> <summary>raphlinus/pulldown-cmark (pulldown-cmark)</summary> ### [`v0.10.2`](https://togithub.com/pulldown-cmark/pulldown-cmark/releases/tag/v0.10.2) New release with some fixes and improvements. Note the 0.10.1 is missing (yanked from crates.io) due to a conflict with the clap version and the Rust minimum version (1.74 now instead of 1.70). Thanks to all people that contributed to this release! #### What's Changed - Limit link def expansion by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#845 - Do not look for HTML tags that start with backslash by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#849 - Count a blank line at end of indented code block towards list by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#851 - Use same limit for refdef as inline links by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#854 - Don't exit `scan_attribute` with the ix pointing at block quote by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#858 - Check indentation on the closing fence relative to the line by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#862 - Adjust strikethrough flanking rule to better fit Rustdoc Crater run by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#864 - perf: cargo-wizard default recommendations for runtime perf by [`@​Martin1887](https://togithub.com/Martin1887)` in [pulldown-cmark/pulldown-cmark#868 #### New Contributors - [`@​ehuss](https://togithub.com/ehuss)` made their first contribution in [pulldown-cmark/pulldown-cmark#848 - [`@​jimblandy](https://togithub.com/jimblandy)` made their first contribution in [pulldown-cmark/pulldown-cmark#865 - [`@​max-heller](https://togithub.com/max-heller)` made their first contribution in [pulldown-cmark/pulldown-cmark#866 - [`@​blinxen](https://togithub.com/blinxen)` made their first contribution in [pulldown-cmark/pulldown-cmark#875 **Full Changelog**: pulldown-cmark/pulldown-cmark@v0.10.0...v0.10.2 </details> <details> <summary>rust-lang/regex (regex)</summary> ### [`v1.10.4`](https://togithub.com/rust-lang/regex/compare/1.10.3...1.10.4) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.3...1.10.4) </details> <details> <summary>kornelski/rust-security-framework (security-framework)</summary> ### [`v2.10.0`](https://togithub.com/kornelski/rust-security-framework/compare/v2.9.2...v2.10.0) [Compare Source](https://togithub.com/kornelski/rust-security-framework/compare/v2.9.2...v2.10.0) </details> <details> <summary>serde-rs/json (serde_json)</summary> ### [`v1.0.115`](https://togithub.com/serde-rs/json/releases/tag/v1.0.115) [Compare Source](https://togithub.com/serde-rs/json/compare/v1.0.114...v1.0.115) - Documentation improvements </details> <details> <summary>mitsuhiko/similar (similar)</summary> ### [`v2.5.0`](https://togithub.com/mitsuhiko/similar/blob/HEAD/CHANGELOG.md#250) [Compare Source](https://togithub.com/mitsuhiko/similar/compare/2.4.0...2.5.0) - Added support for `TextDiff::iter_inline_changes_deadline`. [#​61](https://togithub.com/mitsuhiko/similar/issues/61) - Raise MSRV to 1.60. [#​62](https://togithub.com/mitsuhiko/similar/issues/62) - Bump bstr dependency to 1.0. [#​62](https://togithub.com/mitsuhiko/similar/issues/62) </details> <details> <summary>assert-rs/trycmd (snapbox)</summary> ### [`v0.5.9`](https://togithub.com/assert-rs/trycmd/compare/snapbox-v0.5.8...snapbox-v0.5.9) [Compare Source](https://togithub.com/assert-rs/trycmd/compare/snapbox-v0.5.8...snapbox-v0.5.9) ### [`v0.5.8`](https://togithub.com/assert-rs/trycmd/compare/snapbox-v0.5.7...snapbox-v0.5.8) [Compare Source](https://togithub.com/assert-rs/trycmd/compare/snapbox-v0.5.7...snapbox-v0.5.8) </details> <details> <summary>dtolnay/thiserror (thiserror)</summary> ### [`v1.0.58`](https://togithub.com/dtolnay/thiserror/releases/tag/1.0.58) [Compare Source](https://togithub.com/dtolnay/thiserror/compare/1.0.57...1.0.58) - Make backtrace support available when using -Dwarnings ([#​292](https://togithub.com/dtolnay/thiserror/issues/292)) </details> <details> <summary>toml-rs/toml (toml)</summary> ### [`v0.8.12`](https://togithub.com/toml-rs/toml/compare/toml-v0.8.11...toml-v0.8.12) [Compare Source](https://togithub.com/toml-rs/toml/compare/toml-v0.8.11...toml-v0.8.12) ### [`v0.8.11`](https://togithub.com/toml-rs/toml/compare/toml-v0.8.10...toml-v0.8.11) [Compare Source](https://togithub.com/toml-rs/toml/compare/toml-v0.8.10...toml-v0.8.11) </details> <details> <summary>thoren-d/tracing-chrome (tracing-chrome)</summary> ### [`v0.7.2`](https://togithub.com/thoren-d/tracing-chrome/releases/tag/v0.7.2) [Compare Source](https://togithub.com/thoren-d/tracing-chrome/compare/v0.7.1...v0.7.2) - Support platforms that lack `AtomicU64` support. </details> <details> <summary>BurntSushi/walkdir (walkdir)</summary> ### [`v2.5.0`](https://togithub.com/BurntSushi/walkdir/compare/2.4.0...2.5.0) [Compare Source](https://togithub.com/BurntSushi/walkdir/compare/2.4.0...2.5.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 5am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/rust-lang/cargo). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
Fixes #844
Before
After