RUBY-3869 Validate Binary subtype 0x02 outer/inner length on decode #370
Draft
comandeo-mongo wants to merge 1 commit into mongodb:master from
Cross-check that the inner length equals outer_length - 4, and reject negative outer/inner lengths up front. Both raise BSON::Error::BSONDecodeError with explicit messages. Without the check, malformed payloads were caught only by incidental side effects (next-field-type misalignment or get_bytes overrun in the C extension). Matches the behavior already implemented in the Python driver (bson/__init__.py::_get_binary).
Summary
BSON::Binary.from_bson did not cross-check the outer/inner length fields for subtype 0x02 (:old), and never explicitly rejected negative lengths. Malformed payloads were caught only by incidental effects (the leftover bytes happening to misalign the next-field type byte, or a wrap-around triggering the C get_bytes overrun guard).
This change adds an explicit cross-check (inner_length == outer_length - 4) and an explicit negative-length guard, both raising BSON::Error::BSONDecodeError with a clear message.
What changed
lib/bson/binary.rb — from_bson now raises on length mismatch and negative length instead of relying on incidental rejection.
spec/bson/binary_spec.rb — unit specs covering the four error paths (inner too long, inner too short, inner negative, non-old outer negative). The bson-corpus tests assert only that something raises; these tests pin the exact error class and message.
Cross-driver reference
Matches the existing Python driver behavior in bson/__init__.py::_get_binary:
Test plan
bundle exec rspec spec/bson/binary_spec.rb spec/spec_tests/corpus_spec.rb — 2613 examples, 0 failures.
bundle exec rubocop lib/bson/binary.rb spec/bson/binary_spec.rb — no offenses.
Jira
https://jira.mongodb.org/browse/RUBY-3869
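The length checks described in this pull request, as an added stand-alone example that is not the PR's diff or the bson gem's code. It does not use the gem; decode_binary, read_int32, check, BinaryDecodeError and the error message wording are hypothetical, and the sample byte strings are constructed.

```ruby
# Added example: stand-alone sketch, not the bson gem's implementation.
# All names and error messages here are hypothetical.
class BinaryDecodeError < StandardError; end

# Reads a little-endian signed int32 at offset, failing cleanly on truncation.
def read_int32(bytes, offset)
  chunk = bytes.byteslice(offset, 4)
  raise BinaryDecodeError, 'truncated length field' if chunk.nil? || chunk.bytesize < 4

  chunk.unpack1('l<')
end

# Binary element value: int32 outer_length | byte subtype | payload.
# Subtype 0x02 payload: int32 inner_length | data. Returns [subtype, data].
def decode_binary(bytes)
  bytes = bytes.b
  outer = read_int32(bytes, 0)
  raise BinaryDecodeError, "negative outer length #{outer}" if outer.negative?

  subtype = bytes.getbyte(4)
  payload = bytes.byteslice(5, outer)
  raise BinaryDecodeError, 'payload shorter than outer length' if subtype.nil? || payload.bytesize < outer
  return [subtype, payload] unless subtype == 0x02

  inner = read_int32(payload, 0)
  raise BinaryDecodeError, "negative inner length #{inner}" if inner.negative?
  raise BinaryDecodeError, "inner length #{inner} != outer length #{outer} - 4" unless inner == outer - 4

  [subtype, payload.byteslice(4, inner)]
end

# Constructed sample values (not taken from the PR or the bson corpus).
SAMPLES = {
  valid_old: [6, 0x02, 2].pack('l<Cl<') + 'hi',
  inner_too_long: [6, 0x02, 3].pack('l<Cl<') + 'hi',
  inner_too_short: [6, 0x02, 1].pack('l<Cl<') + 'hi',
  inner_negative: [6, 0x02, -1].pack('l<Cl<') + 'hi',
  outer_negative: [-1, 0x00].pack('l<C')
}.freeze

# Returns :ok or the rejection message for one sample.
def check(bytes)
  decode_binary(bytes)
  :ok
rescue BinaryDecodeError => e
  e.message
end

SAMPLES.each { |name, bytes| puts "#{name}: #{check(bytes)}" }
```

The four rejected samples correspond to the error paths the description lists: inner too long, inner too short, inner negative, and a negative outer length on a non-old subtype.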