
fix: limit extends chain depth to prevent stack overflow DoS #80

@Jaro-c

Description


Problem

  1. SEC-005: compose/extends.rs resolution is unbounded — a deeply nested extends: chain (or cross-file chain) causes a stack overflow, crashing the process (DoS).
  2. EXT-001: Cross-file circular extends: (A.yml:svc extends B.yml:svc extends A.yml:svc) is not detected and causes unbounded recursion.

Fix

Add a depth counter to resolve_one_extends and resolve_one_extends_in_memory. Return Err(ComposeError::Extends(...)) when depth exceeds 16.

The same depth limit naturally caps cross-file circular chains.
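The following is an added illustration of the depth-counter approach described above, not the project's own compose/extends.rs code; the Service type, the Files map, the helper builders and the exact limit value of 16 are assumptions made for the example. It shows that both a deep single-file chain (SEC-005) and a cross-file A -> B -> A cycle (EXT-001) now surface as a ComposeError::Extends instead of exhausting the stack.

```rust
use std::collections::HashMap;

/// Maximum number of `extends:` hops followed before resolution is aborted
/// (assumed value, matching the 16 described in the issue).
pub const MAX_EXTENDS_DEPTH: usize = 16;

#[derive(Debug, Clone, PartialEq)]
pub enum ComposeError {
    Extends(String),
}

/// Hypothetical minimal service: an optional `extends:` target (file, service)
/// plus a single field to merge.
#[derive(Debug, Clone, Default)]
pub struct Service {
    pub extends: Option<(String, String)>,
    pub image: Option<String>,
}

/// Loaded files keyed by file name; each maps service name -> Service.
pub type Files = HashMap<String, HashMap<String, Service>>;

/// Resolve one service's `extends:` chain, following hops across files.
/// `depth` counts hops taken so far; exceeding MAX_EXTENDS_DEPTH returns an
/// error rather than recursing again, which also terminates circular chains.
pub fn resolve_one_extends(files: &Files, file: &str, name: &str, depth: usize) -> Result<Service, ComposeError> {
    if depth > MAX_EXTENDS_DEPTH {
        return Err(ComposeError::Extends(format!("extends chain deeper than {MAX_EXTENDS_DEPTH} at {file}:{name}")));
    }
    let svc = files.get(file).and_then(|f| f.get(name))
        .ok_or_else(|| ComposeError::Extends(format!("unknown service {file}:{name}")))?;
    let (base_file, base_name) = match &svc.extends {
        Some((f, n)) => (f, n),
        None => return Ok(svc.clone()),
    };
    let base = resolve_one_extends(files, base_file, base_name, depth + 1)?;
    // Child fields win over base fields; the resolved service carries no extends.
    Ok(Service { extends: None, image: svc.image.clone().or(base.image) })
}

/// Constructed input: svc0 extends svc1 ... extends svc{n}, all in "base.yml";
/// only the last service sets an image.
pub fn deep_chain(n: usize) -> Files {
    let mut services = HashMap::new();
    for i in 0..=n {
        let extends = (i < n).then(|| ("base.yml".to_string(), format!("svc{}", i + 1)));
        let image = (i == n).then(|| "alpine:3".to_string());
        services.insert(format!("svc{i}"), Service { extends, image });
    }
    HashMap::from([("base.yml".to_string(), services)])
}

/// Constructed input: A.yml:svc extends B.yml:svc extends A.yml:svc (EXT-001).
pub fn cross_file_cycle() -> Files {
    let link = |f: &str| HashMap::from([("svc".to_string(),
        Service { extends: Some((f.to_string(), "svc".to_string())), image: None })]);
    HashMap::from([("A.yml".to_string(), link("B.yml")), ("B.yml".to_string(), link("A.yml"))])
}
```

Calling resolve_one_extends with depth 0 on svc0 of deep_chain(16) still resolves (16 hops), while deep_chain(17) and the cross-file cycle both return Err.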
