Limit link def expansion #845
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ollpu
previously approved these changes
Feb 18, 2024
| @@ -225,6 +243,8 @@ impl<'input, F: BrokenLinkCallback<'input>> Parser<'input, F> { | |||
| inline_stack, | |||
| link_stack, | |||
| html_scan_guard, | |||
| // always allow 100KiB | |||
| link_ref_expansion_limit: text.len().max(100_000), | |||
There was a problem hiding this comment.
I guess I'd rather make this text.len() + 100_000 but replicating cmark is good.
This runs after the callback, so it should cover it, right? |
Ah, I see. But running the callback already potentially involves generating long strings, so quadratic work could be done anyway. I guess the same applies for ref defs: If the url/title are not borrowed from the input, then them being fetched and cloned from the map is already quadratic. An input like "[x]: " + "x\\." * N + "\n[x]" * Nis still quadratic with this PR (though only noticeably so with N > 2000 as it's just string cloning). So the check for whether the limit has been exhausted should be before anything is cloned or the callback is called. I'm also not sure that we should apply the same limit to the broken link callback. For ref defs, the url & title are included in the document itself once, so the limit will never be hit if each definition is only used once. This is not the case for links expanded by the callback. There may also be use cases where the generated links are significantly longer or contain a payload. Of course the 100K minimum size will be hard to reach in practice. |
ollpu
dismissed
their stale review
There is still quadratic behavior in some cases, as explained above
Yeah, that could be considered. For this issue though, there's probably a reasonable solution that checks the limit before cloning? Not sure if it's worth blocking a fix to this on switching to |
|
Yeah, that's doable. Here's a commit that does it. |
ollpu
approved these changes
Feb 25, 2024
|
I have to deep a bit more on this but it looks good, thanks! |
bors
added a commit
to rust-lang/cargo
that referenced
this pull request
Apr 2, 2024
chore(deps): update compatible [](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [anyhow](https://togithub.com/dtolnay/anyhow) | workspace.dependencies | patch | `1.0.80` -> `1.0.81` | | [clap](https://togithub.com/clap-rs/clap) | workspace.dependencies | patch | `4.5.1` -> `4.5.4` | | [git2](https://togithub.com/rust-lang/git2-rs) | workspace.dependencies | patch | `0.18.2` -> `0.18.3` | | [handlebars](https://togithub.com/sunng87/handlebars-rust) | workspace.dependencies | patch | `5.1.0` -> `5.1.2` | | [libloading](https://togithub.com/nagisa/rust_libloading) | workspace.dependencies | patch | `0.8.1` -> `0.8.3` | | [memchr](https://togithub.com/BurntSushi/memchr) | workspace.dependencies | patch | `2.7.1` -> `2.7.2` | | [os_info](https://togithub.com/stanislav-tkach/os_info) | workspace.dependencies | minor | `3.7.0` -> `3.8.2` | | [pulldown-cmark](https://togithub.com/raphlinus/pulldown-cmark) | workspace.dependencies | patch | `0.10.0` -> `0.10.2` | | [regex](https://togithub.com/rust-lang/regex) | workspace.dependencies | patch | `1.10.3` -> `1.10.4` | | [security-framework](https://lib.rs/crates/security_framework) ([source](https://togithub.com/kornelski/rust-security-framework)) | workspace.dependencies | minor | `2.9.2` -> `2.10.0` | | [serde_json](https://togithub.com/serde-rs/json) | workspace.dependencies | patch | `1.0.114` -> `1.0.115` | | [similar](https://togithub.com/mitsuhiko/similar) | dev-dependencies | minor | `2.4.0` -> `2.5.0` | | [snapbox](https://togithub.com/assert-rs/trycmd/tree/main/crates/snapbox) ([source](https://togithub.com/assert-rs/trycmd)) | workspace.dependencies | patch | `0.5.7` -> `0.5.9` | | [thiserror](https://togithub.com/dtolnay/thiserror) | workspace.dependencies | patch | `1.0.57` -> `1.0.58` | | [toml](https://togithub.com/toml-rs/toml) | workspace.dependencies | patch | `0.8.10` -> `0.8.12` | | [tracing-chrome](https://togithub.com/thoren-d/tracing-chrome) | workspace.dependencies | patch | `0.7.1` -> `0.7.2` | | [walkdir](https://togithub.com/BurntSushi/walkdir) | workspace.dependencies | minor | `2.4.0` -> `2.5.0` | --- ### Release Notes <details> <summary>dtolnay/anyhow (anyhow)</summary> ### [`v1.0.81`](https://togithub.com/dtolnay/anyhow/releases/tag/1.0.81) [Compare Source](https://togithub.com/dtolnay/anyhow/compare/1.0.80...1.0.81) - Make backtrace support available when using -Dwarnings ([#​354](https://togithub.com/dtolnay/anyhow/issues/354)) </details> <details> <summary>clap-rs/clap (clap)</summary> ### [`v4.5.4`](https://togithub.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#454---2024-03-25) [Compare Source](https://togithub.com/clap-rs/clap/compare/v4.5.3...v4.5.4) ##### Fixes - *(derive)* Allow non-literal `#[arg(id)]` attributes again ### [`v4.5.3`](https://togithub.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#453---2024-03-15) [Compare Source](https://togithub.com/clap-rs/clap/compare/v4.5.2...v4.5.3) ##### Internal - *(derive)* Update `heck` ### [`v4.5.2`](https://togithub.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#452---2024-03-06) [Compare Source](https://togithub.com/clap-rs/clap/compare/v4.5.1...v4.5.2) ##### Fixes - *(macros)* Silence a warning </details> <details> <summary>rust-lang/git2-rs (git2)</summary> ### [`v0.18.3`](https://togithub.com/rust-lang/git2-rs/blob/HEAD/CHANGELOG.md#0183---2024-03-18) [Compare Source](https://togithub.com/rust-lang/git2-rs/compare/git2-0.18.2...git2-0.18.3) [0.18.2...0.18.3](https://togithub.com/rust-lang/git2-rs/compare/git2-0.18.2...git2-0.18.3) ##### Added - Added `opts::` functions to get / set libgit2 mwindow options [#​1035](https://togithub.com/rust-lang/git2-rs/pull/1035) ##### Changed - Updated examples to use clap instead of structopt [#​1007](https://togithub.com/rust-lang/git2-rs/pull/1007) </details> <details> <summary>sunng87/handlebars-rust (handlebars)</summary> ### [`v5.1.2`](https://togithub.com/sunng87/handlebars-rust/blob/HEAD/CHANGELOG.md#512---2024-03-24) [Compare Source](https://togithub.com/sunng87/handlebars-rust/compare/v5.1.1...v5.1.2) - \[Changed] Improved error message and syntax rule naming \[[#​638](https://togithub.com/sunng87/handlebars-rust/issues/638)] - \[Changed] Updated `heck` to 0.5 \[[#​635](https://togithub.com/sunng87/handlebars-rust/issues/635)] ### [`v5.1.1`](https://togithub.com/sunng87/handlebars-rust/blob/HEAD/CHANGELOG.md#-511---2024-01-18-Yanked) [Compare Source](https://togithub.com/sunng87/handlebars-rust/compare/v5.1.0...v5.1.1) - \[Changed] Turned off pub access of `chain` in `HelperTemplate` </details> <details> <summary>nagisa/rust_libloading (libloading)</summary> ### [`v0.8.3`](https://togithub.com/nagisa/rust_libloading/compare/0.8.2...0.8.3) [Compare Source](https://togithub.com/nagisa/rust_libloading/compare/0.8.2...0.8.3) ### [`v0.8.2`](https://togithub.com/nagisa/rust_libloading/compare/0.8.1...0.8.2) [Compare Source](https://togithub.com/nagisa/rust_libloading/compare/0.8.1...0.8.2) </details> <details> <summary>BurntSushi/memchr (memchr)</summary> ### [`v2.7.2`](https://togithub.com/BurntSushi/memchr/compare/2.7.1...2.7.2) [Compare Source](https://togithub.com/BurntSushi/memchr/compare/2.7.1...2.7.2) </details> <details> <summary>stanislav-tkach/os_info (os_info)</summary> ### [`v3.8.2`](https://togithub.com/stanislav-tkach/os_info/blob/HEAD/CHANGELOG.md#382-2024-03-22) [Compare Source](https://togithub.com/stanislav-tkach/os_info/compare/v3.8.1...v3.8.2) - Build on FreeSBD has been fixed once again. ([#​377](https://togithub.com/stanislav-tkach/os_info/issues/377)) ### [`v3.8.1`](https://togithub.com/stanislav-tkach/os_info/blob/HEAD/CHANGELOG.md#381-2024-03-17) [Compare Source](https://togithub.com/stanislav-tkach/os_info/compare/v3.8.0...v3.8.1) - Build on FreeSBD has been fixed. ([#​372](https://togithub.com/stanislav-tkach/os_info/issues/372)) - Build on Illumos has been fixed. ([#​373](https://togithub.com/stanislav-tkach/os_info/issues/373)) - Build on NetBSD has been fixed. ([#​374](https://togithub.com/stanislav-tkach/os_info/issues/374)) - Few more regressions introduced in the `3.8.0` release were (hopefully) fixed. ### [`v3.8.0`](https://togithub.com/stanislav-tkach/os_info/blob/HEAD/CHANGELOG.md#380-2024-03-12) [Compare Source](https://togithub.com/stanislav-tkach/os_info/compare/v3.7.0...v3.8.0) - The `windows-sys` crate instead of `winapi` is now used internally. ([#​341](https://togithub.com/stanislav-tkach/os_info/issues/341)) - Architecture information for Windows targets has been added. ([#​345](https://togithub.com/stanislav-tkach/os_info/issues/345)) - Artix Linux detection has been fixed. ([#​348](https://togithub.com/stanislav-tkach/os_info/issues/348)) - AIX support has been added. ([#​349](https://togithub.com/stanislav-tkach/os_info/issues/349)) - Kali Linux support has been added. ([#​350](https://togithub.com/stanislav-tkach/os_info/issues/350)) - openSUSE Tumbleweed detection has been fixed. ([#​353](https://togithub.com/stanislav-tkach/os_info/issues/353)) - Version parsing from `lsb_release` has been added. ([#​354](https://togithub.com/stanislav-tkach/os_info/issues/354)) - HardenedBSD detection has been fixed. ([#​358](https://togithub.com/stanislav-tkach/os_info/issues/358)) - Ultramarine Linux support has been added. ([#​359](https://togithub.com/stanislav-tkach/os_info/issues/359)) - AlmaLinux and Rocky Linux support has been added. ([#​360](https://togithub.com/stanislav-tkach/os_info/issues/360)) - Ultramarine Linux support has been added. ([#​363](https://togithub.com/stanislav-tkach/os_info/issues/363)) - Void Linux support has been added. ([#​365](https://togithub.com/stanislav-tkach/os_info/issues/365)) </details> <details> <summary>raphlinus/pulldown-cmark (pulldown-cmark)</summary> ### [`v0.10.2`](https://togithub.com/pulldown-cmark/pulldown-cmark/releases/tag/v0.10.2) New release with some fixes and improvements. Note the 0.10.1 is missing (yanked from crates.io) due to a conflict with the clap version and the Rust minimum version (1.74 now instead of 1.70). Thanks to all people that contributed to this release! #### What's Changed - Limit link def expansion by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#845 - Do not look for HTML tags that start with backslash by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#849 - Count a blank line at end of indented code block towards list by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#851 - Use same limit for refdef as inline links by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#854 - Don't exit `scan_attribute` with the ix pointing at block quote by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#858 - Check indentation on the closing fence relative to the line by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#862 - Adjust strikethrough flanking rule to better fit Rustdoc Crater run by [`@​notriddle](https://togithub.com/notriddle)` in [pulldown-cmark/pulldown-cmark#864 - perf: cargo-wizard default recommendations for runtime perf by [`@​Martin1887](https://togithub.com/Martin1887)` in [pulldown-cmark/pulldown-cmark#868 #### New Contributors - [`@​ehuss](https://togithub.com/ehuss)` made their first contribution in [pulldown-cmark/pulldown-cmark#848 - [`@​jimblandy](https://togithub.com/jimblandy)` made their first contribution in [pulldown-cmark/pulldown-cmark#865 - [`@​max-heller](https://togithub.com/max-heller)` made their first contribution in [pulldown-cmark/pulldown-cmark#866 - [`@​blinxen](https://togithub.com/blinxen)` made their first contribution in [pulldown-cmark/pulldown-cmark#875 **Full Changelog**: pulldown-cmark/pulldown-cmark@v0.10.0...v0.10.2 </details> <details> <summary>rust-lang/regex (regex)</summary> ### [`v1.10.4`](https://togithub.com/rust-lang/regex/compare/1.10.3...1.10.4) [Compare Source](https://togithub.com/rust-lang/regex/compare/1.10.3...1.10.4) </details> <details> <summary>kornelski/rust-security-framework (security-framework)</summary> ### [`v2.10.0`](https://togithub.com/kornelski/rust-security-framework/compare/v2.9.2...v2.10.0) [Compare Source](https://togithub.com/kornelski/rust-security-framework/compare/v2.9.2...v2.10.0) </details> <details> <summary>serde-rs/json (serde_json)</summary> ### [`v1.0.115`](https://togithub.com/serde-rs/json/releases/tag/v1.0.115) [Compare Source](https://togithub.com/serde-rs/json/compare/v1.0.114...v1.0.115) - Documentation improvements </details> <details> <summary>mitsuhiko/similar (similar)</summary> ### [`v2.5.0`](https://togithub.com/mitsuhiko/similar/blob/HEAD/CHANGELOG.md#250) [Compare Source](https://togithub.com/mitsuhiko/similar/compare/2.4.0...2.5.0) - Added support for `TextDiff::iter_inline_changes_deadline`. [#​61](https://togithub.com/mitsuhiko/similar/issues/61) - Raise MSRV to 1.60. [#​62](https://togithub.com/mitsuhiko/similar/issues/62) - Bump bstr dependency to 1.0. [#​62](https://togithub.com/mitsuhiko/similar/issues/62) </details> <details> <summary>assert-rs/trycmd (snapbox)</summary> ### [`v0.5.9`](https://togithub.com/assert-rs/trycmd/compare/snapbox-v0.5.8...snapbox-v0.5.9) [Compare Source](https://togithub.com/assert-rs/trycmd/compare/snapbox-v0.5.8...snapbox-v0.5.9) ### [`v0.5.8`](https://togithub.com/assert-rs/trycmd/compare/snapbox-v0.5.7...snapbox-v0.5.8) [Compare Source](https://togithub.com/assert-rs/trycmd/compare/snapbox-v0.5.7...snapbox-v0.5.8) </details> <details> <summary>dtolnay/thiserror (thiserror)</summary> ### [`v1.0.58`](https://togithub.com/dtolnay/thiserror/releases/tag/1.0.58) [Compare Source](https://togithub.com/dtolnay/thiserror/compare/1.0.57...1.0.58) - Make backtrace support available when using -Dwarnings ([#​292](https://togithub.com/dtolnay/thiserror/issues/292)) </details> <details> <summary>toml-rs/toml (toml)</summary> ### [`v0.8.12`](https://togithub.com/toml-rs/toml/compare/toml-v0.8.11...toml-v0.8.12) [Compare Source](https://togithub.com/toml-rs/toml/compare/toml-v0.8.11...toml-v0.8.12) ### [`v0.8.11`](https://togithub.com/toml-rs/toml/compare/toml-v0.8.10...toml-v0.8.11) [Compare Source](https://togithub.com/toml-rs/toml/compare/toml-v0.8.10...toml-v0.8.11) </details> <details> <summary>thoren-d/tracing-chrome (tracing-chrome)</summary> ### [`v0.7.2`](https://togithub.com/thoren-d/tracing-chrome/releases/tag/v0.7.2) [Compare Source](https://togithub.com/thoren-d/tracing-chrome/compare/v0.7.1...v0.7.2) - Support platforms that lack `AtomicU64` support. </details> <details> <summary>BurntSushi/walkdir (walkdir)</summary> ### [`v2.5.0`](https://togithub.com/BurntSushi/walkdir/compare/2.4.0...2.5.0) [Compare Source](https://togithub.com/BurntSushi/walkdir/compare/2.4.0...2.5.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 5am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/rust-lang/cargo). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #844
Before
After