bdemers opened a new pull request, #1126: URL: https://github.com/apache/directory-scimple/pull/1126
## What A small, deeply nested SCIM filter or PATCH path (e.g. `(((( … ))))` — a few KB of nested groups) recursed through the ANTLR grammar until the request thread threw `StackOverflowError`. This adds a nesting-depth cap to both parse entry points: - New `FilterParsers` facade shared by `Filter.parseFilter` and `PatchOperationPath.parsePatchPath`. It attaches a parse listener that counts entries into the recursive `filterExpression` / `attributeExpression` grammar rules and rejects input nested beyond `FilterParsers.MAX_NESTING_DEPTH` (40) with a `FilterParseException` — thrown *during* parsing, before the stack can overflow (it does not rely on catching `StackOverflowError`). - Both parse-error messages no longer echo the raw input string back to the caller. ## Tests - `FilterParsersTest` and `PatchPathParsingTest`: over-limit nesting (including a 1,000-group input) is rejected quickly with `FilterParseException` and no `StackOverflowError`; at-limit input still parses; malformed input still yields `FilterParseException`; null input is handled. - Full `-Pci install` build is green across all modules on JDK 17. ## Notes - `THREAT_MODEL.md` / `threat-model.yaml` will be updated separately to move the parser-depth item from a known gap to provided. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
