Copilot commented on code in PR #3854: URL: https://github.com/apache/avro/pull/3854#discussion_r3567333453
########## lang/c++/test/DecompressionLimitTests.cc: ########## @@ -0,0 +1,173 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// AVRO-4285: a data-file block is decompressed according to the file's codec. A +// block with a very high compression ratio (or a malformed block) can expand to +// far more memory than its compressed size. Reading such a block must be +// rejected once its decompressed size would exceed the configured maximum, which +// these tests set to a small value via AVRO_MAX_DECOMPRESS_LENGTH. + +#include <cstdlib> +#include <filesystem> +#include <optional> +#include <sstream> +#include <string> + +#include <boost/test/included/unit_test.hpp> + +#include "Compiler.hh" +#include "DataFile.hh" +#include "Exception.hh" +#include "ValidSchema.hh" + +namespace avro { + +static void setDecompressLimit(const char *value) { +#ifdef _WIN32 + _putenv_s("AVRO_MAX_DECOMPRESS_LENGTH", value); +#else + setenv("AVRO_MAX_DECOMPRESS_LENGTH", value, 1); +#endif +} + +static void unsetDecompressLimit() { +#ifdef _WIN32 + _putenv_s("AVRO_MAX_DECOMPRESS_LENGTH", ""); +#else + unsetenv("AVRO_MAX_DECOMPRESS_LENGTH"); +#endif +} + +// Saves AVRO_MAX_DECOMPRESS_LENGTH on construction and restores it on +// destruction, so a test's override does not leak into other test cases that +// share the process. +struct DecompressLimitGuard { + std::optional<std::string> previous; + DecompressLimitGuard() { + const char *env = std::getenv("AVRO_MAX_DECOMPRESS_LENGTH"); + if (env != nullptr) { + previous = std::string(env); + } + } + ~DecompressLimitGuard() { + if (previous) { + setDecompressLimit(previous->c_str()); + } else { + unsetDecompressLimit(); + } + } +}; + +static ValidSchema stringSchema() { + std::istringstream iss("\"string\""); + ValidSchema vs; + compileJsonSchema(iss, vs); + return vs; +} + +static std::string tempFile(const char *name) { + return (std::filesystem::temp_directory_path() / name).string(); +} + +// Write a single, highly compressible value with the given codec, then read it +// back with a small decompression limit and confirm the read is rejected. +static void checkCodecRejectsOversized(Codec codec, const char *name) { + DecompressLimitGuard guard; + ValidSchema schema = stringSchema(); + std::string path = tempFile(name); + std::string big(4 * 1024 * 1024, 'a'); // 4 MiB, compresses tiny + + // Let any writer exception propagate: a failure here is a real problem + // (e.g. permissions or I/O), not a reason to silently skip. Codecs that are + // not compiled in are excluded via the #ifdef guards on the callers below. + { + DataFileWriter<std::string> writer(path.c_str(), schema, 64 * 1024 * 1024, codec); + writer.write(big); + writer.close(); + } + + setDecompressLimit("1048576"); // 1 MiB, smaller than the 4 MiB block + + bool rejected = false; + try { + DataFileReader<std::string> reader(path.c_str(), schema); + std::string out; + reader.read(out); // triggers block decompression + } catch (const Exception &) { + rejected = true; + } + std::filesystem::remove(path); + BOOST_CHECK_MESSAGE(rejected, std::string("codec not bounded: ") + name); Review Comment: `checkCodecRejectsOversized()` treats any thrown `avro::Exception` as a successful “over-limit rejection”. This can create false positives (e.g., if the reader fails for an unrelated reason like file I/O/corruption), and the test would still pass. Capture the exception and assert it is specifically the decompression-limit failure (e.g., by checking the message prefix/substr). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
