encoding/prototext: implement recursion limit

Fixes golang/protobuf#1705

For protocolbuffers/protobuf#25068

Change-Id: I11b6fd51a71cd2ba413ca4d4ef2a2eb49710f9ee
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/734761
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Lasse Folger <lassefolger@google.com>

Author: stapelberg

encoding/prototext/decode.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"unicode/utf8"
 
+	"google.golang.org/protobuf/encoding/protowire"
 	"google.golang.org/protobuf/internal/encoding/messageset"
 	"google.golang.org/protobuf/internal/encoding/text"
 	"google.golang.org/protobuf/internal/errors"
@@ -49,12 +50,19 @@ type UnmarshalOptions struct {
 		protoregistry.MessageTypeResolver
 		protoregistry.ExtensionTypeResolver
 	}
+
+	// RecursionLimit limits how deeply messages may be nested.
+	// If zero, a default limit is applied.
+	RecursionLimit int
 }
 
 // Unmarshal reads the given []byte and populates the given [proto.Message]
 // using options in the UnmarshalOptions object.
 // The provided message must be mutable (e.g., a non-nil pointer to a message).
 func (o UnmarshalOptions) Unmarshal(b []byte, m proto.Message) error {
+	if o.RecursionLimit == 0 {
+		o.RecursionLimit = protowire.DefaultRecursionLimit
+	}
 	return o.unmarshal(b, m)
 }
 
@@ -102,8 +110,14 @@ func (d decoder) syntaxError(pos int, f string, x ...any) error {
 	return errors.New(head+f, x...)
 }
 
+var errRecursionDepth = errors.New("exceeded maximum recursion depth")
+
 // unmarshalMessage unmarshals into the given protoreflect.Message.
 func (d decoder) unmarshalMessage(m protoreflect.Message, checkDelims bool) error {
+	if d.opts.RecursionLimit--; d.opts.RecursionLimit < 0 {
+		return errRecursionDepth
+	}
+
 	messageDesc := m.Descriptor()
 	if !flags.ProtoLegacy && messageset.IsMessageSet(messageDesc) {
 		return errors.New("no support for proto1 MessageSets")
@@ -437,6 +451,10 @@ func (d decoder) unmarshalList(fd protoreflect.FieldDescriptor, list protoreflec
 // unmarshalMap unmarshals into given protoreflect.Map. A map value is a
 // textproto message containing {key: <kvalue>, value: <mvalue>}.
 func (d decoder) unmarshalMap(fd protoreflect.FieldDescriptor, mmap protoreflect.Map) error {
+	if d.opts.RecursionLimit--; d.opts.RecursionLimit < 0 {
+		return errRecursionDepth
+	}
+
 	// Determine ahead whether map entry is a scalar type or a message type in
 	// order to call the appropriate unmarshalMapValue func inside
 	// unmarshalMapEntry.

encoding/prototext/decode_test.go

@@ -1621,6 +1621,74 @@ unknown: ""
 type_url: "pb2.Nested"
 `,
 		wantErr: "(line 3:1): conflict with [pb2.Nested] field",
+	}, {
+		desc:         "just at recursion limit (no submessages)",
+		umo:          prototext.UnmarshalOptions{RecursionLimit: 1},
+		inputMessage: &pbeditions.Nested{},
+		inputText:    `opt_string: "hey"`,
+	}, {
+		desc:         "just at recursion limit",
+		umo:          prototext.UnmarshalOptions{RecursionLimit: 3},
+		inputMessage: &pbeditions.Nested{},
+		inputText:    `opt_nested: { opt_nested: { opt_string: "hey" } }`,
+	}, {
+		desc: "just at recursion limit: maps",
+		umo: prototext.UnmarshalOptions{
+			// Maps are syntatic sugar for repeated fields of a synthetic
+			// message type (with key as field 1, value as field 2).
+			RecursionLimit: 2,
+		},
+		inputMessage: &pbeditions.Maps{},
+		inputText:    `str_to_nested: { key: "missing" }`,
+	}, {
+		desc: "just at recursion limit: maps of messages",
+		umo: prototext.UnmarshalOptions{
+			RecursionLimit: 3,
+		},
+		inputMessage: &pbeditions.Maps{},
+		inputText: `str_to_nested: {
+  key: "missing"
+}
+str_to_nested: {
+  key: "contains"
+  value: {
+    opt_string: "here"
+  }
+}
+`,
+	}, {
+		desc:         "exceed recursion limit",
+		umo:          prototext.UnmarshalOptions{RecursionLimit: 1},
+		inputMessage: &pbeditions.Nested{},
+		inputText:    `opt_nested: { opt_string: "hey" }`,
+		wantErr:      "exceeded maximum recursion depth",
+	}, {
+		desc: "exceed recursion limit: maps",
+		umo: prototext.UnmarshalOptions{
+			// Maps are syntatic sugar for repeated fields of a synthetic
+			// message type (with key as field 1, value as field 2).
+			RecursionLimit: 1,
+		},
+		inputMessage: &pbeditions.Maps{},
+		inputText:    `str_to_nested: { key: "missing" }`,
+		wantErr:      "exceeded maximum recursion depth",
+	}, {
+		desc: "exceed recursion limit: maps of messages",
+		umo: prototext.UnmarshalOptions{
+			RecursionLimit: 2,
+		},
+		inputMessage: &pbeditions.Maps{},
+		inputText: `str_to_nested: {
+  key: "missing"
+}
+str_to_nested: {
+  key: "contains"
+  value: {
+    opt_string: "here"
+  }
+}
+`,
+		wantErr: "exceeded maximum recursion depth",
 	}}
 
 	for _, msg := range makeMessages(protobuild.Message{},