Add max_delimiters_per_line config option

colinodell · colinodell · commit 51567969678a · 2024-12-07T10:17:04.000-05:00
diff --git a/.phpstorm.meta.php b/.phpstorm.meta.php
@@ -31,6 +31,7 @@
         'html_input',
         'allow_unsafe_links',
         'max_nesting_level',
+        'max_delimiters_per_line',
         'renderer',
         'renderer/block_separator',
         'renderer/inner_separator',
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,9 +8,14 @@ Updates should follow the [Keep a CHANGELOG](https://keepachangelog.com/) princi
 
 ### Added
 
+- Added `max_delimiters_per_line` config option to prevent denial of service attacks when parsing malicious input
+- Added `table/max_autocompleted_cells` config option to prevent denial of service attacks when parsing large tables
+- The `AttributesExtension` now supports attributes without values (#985, #986)
+- The `AutolinkExtension` exposes two new configuration options to override the default behavior (#969, #987):
+    - `autolink/allowed_protocols` - an array of protocols to allow autolinking for
+    - `autolink/default_protocol` - the default protocol to use when none is specified
 - Added `RegexHelper::isWhitespace()` method to check if a given character is an ASCII whitespace character
 - Added `CacheableDelimiterProcessorInterface` to ensure linear complexity for dynamic delimiter processing
-- Added `table/max_autocompleted_cells` config option to prevent denial of service attacks when parsing large tables
 - Added `Bracket` delimiter type to optimize bracket parsing
 
 ### Changed
diff --git a/docs/2.5/configuration.md b/docs/2.5/configuration.md
@@ -27,6 +27,7 @@ $config = [
     'html_input' => 'escape',
     'allow_unsafe_links' => false,
     'max_nesting_level' => PHP_INT_MAX,
+    'max_delimiters_per_line' => PHP_INT_MAX,
     'slug_normalizer' => [
         'max_length' => 255,
     ],
@@ -73,6 +74,7 @@ Here's a list of the core configuration options available:
   - `escape` - Escape all HTML
 - `allow_unsafe_links` - Remove risky link and image URLs by setting this to `false` (default: `true`)
 - `max_nesting_level` - The maximum nesting level for blocks (default: `PHP_INT_MAX`). Setting this to a positive integer can help protect against long parse times and/or segfaults if blocks are too deeply-nested.
+- `max_delimiters_per_line` - The maximum number of delimiters (e.g. `*` or `_`) allowed in a single line (default: `PHP_INT_MAX`). Setting this to a positive integer can help protect against long parse times and/or segfaults if lines are too long.
 - `slug_normalizer` - Array of options for configuring how URL-safe slugs are created; see [the slug normalizer docs](/2.5/customization/slug-normalizer/#configuration) for more details
   - `instance` - An alternative normalizer to use (defaults to the included `SlugNormalizer`)
   - `max_length` - Limits the size of generated slugs (defaults to 255 characters)
diff --git a/docs/2.5/security.md b/docs/2.5/security.md
@@ -11,7 +11,8 @@ In order to be fully compliant with the CommonMark spec, certain security settin
 
 - `html_input`: How to handle raw HTML
 - `allow_unsafe_links`: Whether unsafe links are permitted
-- `max_nesting_level`: Protected against long render times or segfaults
+- `max_nesting_level`: Protect against long render times or segfaults
+- `max_delimiters_per_line`: Protect against long parse times or rendering segfaults
 
 Further information about each option can be found below.
 
@@ -88,6 +89,25 @@ echo $converter->convert($markdown);
 
 See the [configuration](/2.5/configuration/) section for more information.
 
+## Max Delimiters Per Line
+
+Similarly to the maximum nesting level, **no maximum number of delimiters per line is enforced by default.**  Delimiters can be nested (like `*a **b** c*`) or un-nested (like `*a* *b* *c*`) - in either case, having too many in a single line can result in long parse times. We therefore have a separate option to limit the number of delimiters per line.
+
+If you need to parse untrusted input, consider setting a reasonable `max_delimiters_per_line` (perhaps 100-1000) depending on your needs.  Once this level is hit, any subsequent delimiters on that line will be rendered as plain text.
+
+### Example - Prevent too many delimiters
+
+```php
+use League\CommonMark\CommonMarkConverter;
+
+$markdown = '*a* **b *c **d** c* b**'; // 8 delimiters (* and **)
+
+$converter = new CommonMarkConverter(['max_delimiters_per_line' => 6]);
+echo $converter->convert($markdown);
+
+// <p><em>a</em> **b *c <strong>d</strong> c* b**</p>
+```
+
 ## Additional Filtering
 
 Although this library does offer these security features out-of-the-box, some users may opt to also run the HTML output through additional filtering layers (like HTMLPurifier).  If you do this, make sure you **thoroughly** test your additional post-processing steps and configure them to work properly with the types of HTML elements and attributes that converted Markdown might produce, otherwise, you may end up with weird behavior like missing images, broken links, mismatched HTML tags, etc.
diff --git a/docs/2.6/upgrading.md b/docs/2.6/upgrading.md
@@ -7,6 +7,13 @@ redirect_from: /upgrading/
 
 # Upgrading from 2.5 to 2.6
 
+## `max_delimiters_per_line` Configuration Option
+
+The `max_delimiters_per_line` configuration option was added in 2.6 to help protect against malicious input that could
+cause excessive memory usage or denial of service attacks.  It defaults to `PHP_INT_MAX` (no limit) for backwards
+compatibility, which is safe when parsing trusted input. However, if you're parsing untrusted input from users, you
+should probably set this to a reasonable value (somewhere between `100` and `1000`) to protect against malicious inputs.
+
 ## Custom Delimiter Processors
 
 If you're implementing a custom delimiter processor, and `getDelimiterUse()` has more logic than just a
diff --git a/src/Delimiter/DelimiterStack.php b/src/Delimiter/DelimiterStack.php
@@ -39,8 +39,13 @@ final class DelimiterStack
      */
     private $missingIndexCache;
 
-    public function __construct()
+
+    private int $remainingDelimiters = 0;
+
+    public function __construct(int $maximumStackSize = PHP_INT_MAX)
     {
+        $this->remainingDelimiters = $maximumStackSize;
+
         if (\PHP_VERSION_ID >= 80000) {
             /** @psalm-suppress PropertyTypeCoercion */
             $this->missingIndexCache = new \WeakMap(); // @phpstan-ignore-line
@@ -51,6 +56,10 @@ public function __construct()
 
     public function push(DelimiterInterface $newDelimiter): void
     {
+        if ($this->remainingDelimiters-- <= 0) {
+            return;
+        }
+
         $newDelimiter->setPrevious($this->top);
 
         if ($this->top !== null) {
diff --git a/src/Environment/Environment.php b/src/Environment/Environment.php
@@ -432,6 +432,7 @@ public static function createDefaultConfiguration(): Configuration
             'html_input' => Expect::anyOf(HtmlFilter::STRIP, HtmlFilter::ALLOW, HtmlFilter::ESCAPE)->default(HtmlFilter::ALLOW),
             'allow_unsafe_links' => Expect::bool(true),
             'max_nesting_level' => Expect::type('int')->default(PHP_INT_MAX),
+            'max_delimiters_per_line' => Expect::type('int')->default(PHP_INT_MAX),
             'renderer' => Expect::structure([
                 'block_separator' => Expect::string("\n"),
                 'inner_separator' => Expect::string("\n"),
diff --git a/src/Parser/InlineParserContext.php b/src/Parser/InlineParserContext.php
@@ -42,12 +42,12 @@ final class InlineParserContext
      */
     private array $matches;
 
-    public function __construct(Cursor $contents, AbstractBlock $container, ReferenceMapInterface $referenceMap)
+    public function __construct(Cursor $contents, AbstractBlock $container, ReferenceMapInterface $referenceMap, int $maxDelimitersPerLine = PHP_INT_MAX)
     {
         $this->referenceMap   = $referenceMap;
         $this->container      = $container;
         $this->cursor         = $contents;
-        $this->delimiterStack = new DelimiterStack();
+        $this->delimiterStack = new DelimiterStack($maxDelimitersPerLine);
     }
 
     public function getContainer(): AbstractBlock
diff --git a/src/Parser/InlineParserEngine.php b/src/Parser/InlineParserEngine.php
@@ -59,7 +59,7 @@ public function parse(string $contents, AbstractBlock $block): void
         $contents = \trim($contents);
         $cursor   = new Cursor($contents);
 
-        $inlineParserContext = new InlineParserContext($cursor, $block, $this->referenceMap);
+        $inlineParserContext = new InlineParserContext($cursor, $block, $this->referenceMap, $this->environment->getConfiguration()->get('max_delimiters_per_line'));
 
         // Have all parsers look at the line to determine what they might want to parse and what positions they exist at
         foreach ($this->matchParsers($contents) as $matchPosition => $parsers) {
diff --git a/tests/functional/MaxDelimitersPerLineTest.php b/tests/functional/MaxDelimitersPerLineTest.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the league/commonmark package.
+ *
+ * (c) Colin O'Dell <colinodell@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace League\CommonMark\Tests\Functional;
+
+use League\CommonMark\CommonMarkConverter;
+use PHPUnit\Framework\TestCase;
+
+final class MaxDelimitersPerLineTest extends TestCase
+{
+    /**
+     * @dataProvider provideTestCases
+     */
+    public function testIt(string $input, int $maxDelimsPerLine, string $expectedOutput): void
+    {
+        $converter = new CommonMarkConverter(['max_delimiters_per_line' => $maxDelimsPerLine]);
+
+        $this->assertEquals($expectedOutput, \trim($converter->convert($input)->getContent()));
+    }
+
+    /**
+     * @return iterable<array<mixed>>
+     */
+    public function provideTestCases(): iterable
+    {
+        yield ['*a* **b *c* b**', 6, '<p><em>a</em> <strong>b <em>c</em> b</strong></p>'];
+
+        yield ['*a* **b *c **d** c* b**', 0, '<p>*a* **b *c **d** c* b**</p>'];
+        yield ['*a* **b *c **d** c* b**', 1, '<p>*a* **b *c **d** c* b**</p>'];
+        yield ['*a* **b *c **d** c* b**', 2, '<p><em>a</em> **b *c **d** c* b**</p>'];
+        yield ['*a* **b *c **d** c* b**', 3, '<p><em>a</em> **b *c **d** c* b**</p>'];
+        yield ['*a* **b *c **d** c* b**', 4, '<p><em>a</em> **b *c **d** c* b**</p>'];
+        yield ['*a* **b *c **d** c* b**', 5, '<p><em>a</em> **b *c **d** c* b**</p>'];
+        yield ['*a* **b *c **d** c* b**', 6, '<p><em>a</em> **b *c <strong>d</strong> c* b**</p>'];
+        yield ['*a* **b *c **d** c* b**', 7, '<p><em>a</em> **b <em>c <strong>d</strong> c</em> b**</p>'];
+        yield ['*a* **b *c **d** c* b**', 8, '<p><em>a</em> <strong>b <em>c <strong>d</strong> c</em> b</strong></p>'];
+        yield ['*a* **b *c **d** c* b**', 9, '<p><em>a</em> <strong>b <em>c <strong>d</strong> c</em> b</strong></p>'];
+        yield ['*a* **b *c **d** c* b**', 100, '<p><em>a</em> <strong>b <em>c <strong>d</strong> c</em> b</strong></p>'];
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -42,12 +42,12 @@ final class InlineParserContext`
`42`	`42`	`*/`
`43`	`43`	`private array $matches;`
`44`	`44`
`45`		`- public function __construct(Cursor $contents, AbstractBlock $container, ReferenceMapInterface $referenceMap)`
	`45`	`+ public function __construct(Cursor $contents, AbstractBlock $container, ReferenceMapInterface $referenceMap, int $maxDelimitersPerLine = PHP_INT_MAX)`
`46`	`46`	`{`
`47`	`47`	`$this->referenceMap = $referenceMap;`
`48`	`48`	`$this->container = $container;`
`49`	`49`	`$this->cursor = $contents;`
`50`		`- $this->delimiterStack = new DelimiterStack();`
	`50`	`+ $this->delimiterStack = new DelimiterStack($maxDelimitersPerLine);`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`public function getContainer(): AbstractBlock`