aboutsummaryrefslogtreecommitdiffstats
path: root/contrib/libucl
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/libucl')
-rw-r--r--contrib/libucl/lua_ucl.c12
-rw-r--r--contrib/libucl/ucl.h20
-rw-r--r--contrib/libucl/ucl_parser.c10
-rw-r--r--contrib/libucl/ucl_util.c32
4 files changed, 67 insertions, 7 deletions
diff --git a/contrib/libucl/lua_ucl.c b/contrib/libucl/lua_ucl.c
index 473aefe0c..13306b942 100644
--- a/contrib/libucl/lua_ucl.c
+++ b/contrib/libucl/lua_ucl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2024 Vsevolod Stakhov
+ * Copyright 2025 Vsevolod Stakhov
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -694,7 +694,13 @@ static int
lua_ucl_parser_init(lua_State *L)
{
struct ucl_parser *parser, **pparser;
- int flags = UCL_PARSER_NO_FILEVARS;
+ /*
+ * We disable file variables and macros by default, as
+ * the most use cases are parsing of JSON and not of the real
+ * files. Macros in the parser are very dangerous and should be used
+ * for trusted data only.
+ */
+ int flags = UCL_PARSER_SAFE_FLAGS;
if (lua_gettop(L) >= 1) {
flags = lua_tonumber(L, 1);
@@ -1091,7 +1097,7 @@ lua_ucl_parser_validate(lua_State *L)
}
}
else if (lua_type(L, 2) == LUA_TSTRING) {
- schema_parser = ucl_parser_new(0);
+ schema_parser = ucl_parser_new(UCL_PARSER_SAFE_FLAGS);
schema_file = luaL_checkstring(L, 2);
if (!ucl_parser_add_file(schema_parser, schema_file)) {
diff --git a/contrib/libucl/ucl.h b/contrib/libucl/ucl.h
index b6b9f44c0..8c2ac59a4 100644
--- a/contrib/libucl/ucl.h
+++ b/contrib/libucl/ucl.h
@@ -1,3 +1,19 @@
+/*
+ * Copyright 2025 Vsevolod Stakhov
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
/* Copyright (c) 2013-2015, Vsevolod Stakhov
* All rights reserved.
*
@@ -159,6 +175,10 @@ typedef enum ucl_parser_flags {
UCL_PARSER_NO_FILEVARS = (1 << 6) /** Do not set file vars */
} ucl_parser_flags_t;
+#define UCL_PARSER_SAFE_FLAGS (UCL_PARSER_NO_TIME | \
+ UCL_PARSER_NO_IMPLICIT_ARRAYS | \
+ UCL_PARSER_DISABLE_MACRO | \
+ UCL_PARSER_NO_FILEVARS)
/**
* String conversion flags, that are used in #ucl_object_fromstring_common function.
*/
diff --git a/contrib/libucl/ucl_parser.c b/contrib/libucl/ucl_parser.c
index 6be16d121..e56a010ff 100644
--- a/contrib/libucl/ucl_parser.c
+++ b/contrib/libucl/ucl_parser.c
@@ -1246,10 +1246,12 @@ ucl_parser_process_object_element (struct ucl_parser *parser, ucl_object_t *nobj
container = parser->stack->obj->value.ov;
DL_FOREACH (parser->stack->obj, cur) {
- tobj = __DECONST (ucl_object_t *, ucl_hash_search_obj (cur->value.ov, nobj));
+ if (cur->type == UCL_OBJECT) {
+ tobj = __DECONST (ucl_object_t *, ucl_hash_search_obj (cur->value.ov, nobj));
- if (tobj != NULL) {
- break;
+ if (tobj != NULL) {
+ break;
+ }
}
}
@@ -3165,7 +3167,7 @@ ucl_parser_add_string (struct ucl_parser *parser, const char *data,
bool
ucl_set_include_path (struct ucl_parser *parser, ucl_object_t *paths)
{
- if (parser == NULL || paths == NULL) {
+ if (parser == NULL || paths == NULL || paths->type != UCL_ARRAY) {
return false;
}
diff --git a/contrib/libucl/ucl_util.c b/contrib/libucl/ucl_util.c
index b00f2779e..d5b84f6a5 100644
--- a/contrib/libucl/ucl_util.c
+++ b/contrib/libucl/ucl_util.c
@@ -3148,6 +3148,10 @@ ucl_object_frombool (bool bv)
bool
ucl_array_append (ucl_object_t *top, ucl_object_t *elt)
{
+ if (top->type != UCL_ARRAY) {
+ return false;
+ }
+
UCL_ARRAY_GET (vec, top);
if (elt == NULL || top == NULL) {
@@ -3177,6 +3181,10 @@ e0:
bool
ucl_array_prepend (ucl_object_t *top, ucl_object_t *elt)
{
+ if (top->type != UCL_ARRAY) {
+ return false;
+ }
+
UCL_ARRAY_GET (vec, top);
if (elt == NULL || top == NULL) {
@@ -3242,6 +3250,10 @@ e0:
ucl_object_t *
ucl_array_delete (ucl_object_t *top, ucl_object_t *elt)
{
+ if (top->type != UCL_ARRAY) {
+ return NULL;
+ }
+
UCL_ARRAY_GET (vec, top);
ucl_object_t *ret = NULL;
unsigned i;
@@ -3290,6 +3302,10 @@ ucl_array_tail (const ucl_object_t *top)
ucl_object_t *
ucl_array_pop_last (ucl_object_t *top)
{
+ if (top->type != UCL_ARRAY) {
+ return NULL;
+ }
+
UCL_ARRAY_GET (vec, top);
ucl_object_t **obj, *ret = NULL;
@@ -3306,6 +3322,10 @@ ucl_array_pop_last (ucl_object_t *top)
ucl_object_t *
ucl_array_pop_first (ucl_object_t *top)
{
+ if (top->type != UCL_ARRAY) {
+ return NULL;
+ }
+
UCL_ARRAY_GET (vec, top);
ucl_object_t **obj, *ret = NULL;
@@ -3338,6 +3358,10 @@ ucl_array_size (const ucl_object_t *top)
const ucl_object_t *
ucl_array_find_index (const ucl_object_t *top, unsigned int index)
{
+ if (top->type != UCL_ARRAY) {
+ return NULL;
+ }
+
UCL_ARRAY_GET (vec, top);
if (vec != NULL && vec->n > 0 && index < vec->n) {
@@ -3350,6 +3374,10 @@ ucl_array_find_index (const ucl_object_t *top, unsigned int index)
unsigned int
ucl_array_index_of (ucl_object_t *top, ucl_object_t *elt)
{
+ if (top->type != UCL_ARRAY) {
+ return (unsigned int)(-1);
+ }
+
UCL_ARRAY_GET (vec, top);
unsigned i;
@@ -3370,6 +3398,10 @@ ucl_object_t *
ucl_array_replace_index (ucl_object_t *top, ucl_object_t *elt,
unsigned int index)
{
+ if (top->type != UCL_ARRAY) {
+ return NULL;
+ }
+
UCL_ARRAY_GET (vec, top);
ucl_object_t *ret = NULL;
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-09 13:56:22 +0000