Conversation
This commit addresses a security vulnerability where deeply nested or cyclic JSON objects could cause a stack overflow in `generateMergePatch` and `applyMergePatch`. - Introduces a `MAX_DEPTH` limit of 1000 for recursion in `src/core/json-utils.ts`. - Updates `generateMergePatch` and `applyMergePatch` to throw an error if the depth limit is exceeded. - Adds comprehensive tests in `tests/unit/json_utils_security.test.ts` to verify the fix and ensure no regressions. This change ensures the extension is robust against malicious or accidentally deep JSON structures. Co-authored-by: zknpr <96851588+zknpr@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Summary of ChangesHello @zknpr, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the robustness of JSON merge patch utilities by introducing a maximum recursion depth. This change prevents potential stack overflow vulnerabilities that could arise from processing excessively deep or cyclically referenced JSON structures during patch generation or application, thereby improving application stability. New tests have been added to validate this fix. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively addresses a potential stack overflow vulnerability in the JSON merge patch utilities by introducing a recursion depth limit. The changes in generateMergePatch and applyMergePatch are correct and well-implemented. The addition of a new security-focused test suite (json_utils_security.test.ts) is excellent, as it includes regression tests for deep recursion and cyclic references, ensuring the fix is robust. I've suggested some improvements to the new tests to make them more concise by using assert.throws, which is a common pattern for asserting exceptions in Node.js tests.
| try { | ||
| generateMergePatch(original, modified); | ||
| assert.fail('Should have thrown depth limit error'); | ||
| } catch (e: any) { | ||
| assert.match(e.message, /JSON merge patch depth limit exceeded/); | ||
| } |
There was a problem hiding this comment.
For better readability and conciseness, you can use assert.throws() to verify that a function throws an error. This avoids the need for a try...catch block and assert.fail().
For example:
assert.throws(
() => generateMergePatch(original, modified),
/JSON merge patch depth limit exceeded/
);| try { | ||
| applyMergePatch(target, patch); | ||
| assert.fail('Should have thrown depth limit error'); | ||
| } catch (e: any) { | ||
| assert.match(e.message, /JSON apply merge patch depth limit exceeded/); | ||
| } |
There was a problem hiding this comment.
Similar to the previous test, you can use assert.throws() here for a more concise assertion. This will also resolve the inconsistent indentation within the try...catch block.
For example:
assert.throws(
() => applyMergePatch(target, patch),
/JSON apply merge patch depth limit exceeded/
);| try { | ||
| generateMergePatch(original, modified); | ||
| assert.fail('Should have thrown depth limit error'); | ||
| } catch (e: any) { | ||
| assert.match(e.message, /JSON merge patch depth limit exceeded/); | ||
| } |
There was a problem hiding this comment.
You can also simplify this test case by using assert.throws(). This will also resolve the inconsistent indentation within the try...catch block.
For example:
assert.throws(
() => generateMergePatch(original, modified),
/JSON merge patch depth limit exceeded/
);
|
Merged as part of v1.3.0 release in PR #65 |
Thank you for the update. I am glad to hear the security fix has been included in the v1.3.0 release. |
1 participant
Fixed a recursive stack overflow vulnerability in JSON merge patch utilities by implementing a maximum recursion depth check. Added regression tests to verify the fix.
PR created automatically by Jules for task 10449259625165348147 started by @zknpr