Jens Geyer created THRIFT-6037:
----------------------------------
Summary: Harden JavaScript (browser) protocol negative sizes
Key: THRIFT-6037
URL: https://issues.apache.org/jira/browse/THRIFT-6037
Project: Thrift
Issue Type: Bug
Components: JavaScript - Library
Reporter: Jens Geyer

The JavaScript browser library (lib/js/src/thrift.js) does not validate
negative sizes when reading Thrift payloads.

The TProtocolException.NEGATIVE_SIZE constant (value 2) is defined in the
library but is never used in any read path. The readMapBegin, readListBegin,
and readSetBegin implementations do not check the parsed size for negative
values before returning it to generated deserialization code.

This is a protocol hardening gap compared with Node.js (which does raise a
NEGATIVE_SIZE exception) and other runtimes such as C++, Java, Python, and Go.

The fix should add negative-size checks in the JSON/binary protocol read paths
and make use of the existing NEGATIVE_SIZE error code.

See THRIFT-6025 for the equivalent Ruby fix.
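An added illustration of the check the issue asks for; it is not code from lib/js/src/thrift.js or from the project's fix. `ProtocolError`, `Reader`, `checkSize`, `decodeList` and the array payload are hypothetical stand-ins, and only the NEGATIVE_SIZE value 2 is taken from the issue text. It shows a consumer that trusts an unchecked negative size skipping its loop and leaving elements unread, while the checked reader rejects the header.

```javascript
// Added illustration; NOT the Thrift browser library's code.
const NEGATIVE_SIZE = 2; // value stated in the issue

// Hypothetical stand-in for a protocol exception carrying an error type.
class ProtocolError extends Error {
  constructor(type, message) {
    super(message);
    this.name = 'ProtocolError';
    this.type = type;
  }
}

// Reject a negative container size before any caller can act on it.
function checkSize(size, what) {
  if (size < 0) {
    throw new ProtocolError(NEGATIVE_SIZE, 'Negative ' + what + ' size: ' + size);
  }
  return size;
}

// Constructed reader over an already-parsed header: [elemType, size, ...elements].
class Reader {
  constructor(values, validate) {
    this.values = values;
    this.pos = 0;
    this.validate = validate; // false models the unhardened read path
  }
  next() { return this.values[this.pos++]; }
  readListBegin() {
    const etype = this.next();
    const size = this.next();
    if (this.validate) checkSize(size, 'list');
    return { etype: etype, size: size };
  }
}

// Stand-in for deserialization code that trusts the size it is given.
function decodeList(reader) {
  const size = reader.readListBegin().size;
  const out = [];
  for (let i = 0; i < size; ++i) out.push(reader.next());
  return { out: out, unread: reader.values.length - reader.pos };
}

function demo() {
  const payload = ['i32', -1, 7, 8, 9]; // constructed sample with a negative size
  const lax = decodeList(new Reader(payload, false));
  let errType = null;
  try { decodeList(new Reader(payload, true)); } catch (e) { errType = e.type; }
  return { lax: lax, errType: errType };
}
```

The same `checkSize` call would sit in the map and set header readers, which the issue names alongside readListBegin.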