Skip to content

monty_to_py and py_to_monty conversions lack recursion depth limits #986

Open
Open
monty_to_py and py_to_monty conversions lack recursion depth limits#986
Labels
securitySecurity vulnerability or hardening
@chaliy

Description

@chaliy
chaliy
opened on Apr 2, 2026

Summary

The monty_to_py and py_to_monty conversion functions in the Python bindings recurse without depth limits. In contrast, json_to_py_inner and py_to_json_inner enforce MAX_NESTING_DEPTH = 64. A deeply nested MontyObject (e.g., 10,000-level nested list) returned from embedded Python execution causes a stack overflow.

Severity: Medium
Category: Stack Overflow / DoS (TM-DOS)

Affected Files

  • crates/bashkit-python/src/lib.rs lines 1777-1922

Steps to Reproduce

import bashkit

bash = bashkit.Bash()
# Execute script that creates deeply nested structure via embedded Python
result = bash.exec('''
python3 -c "
import json
d = 'x'
for i in range(5000):
    d = [d]
print(json.dumps(d))
"
''')

Impact

Process crash via stack overflow. Denial of service.

Acceptance Criteria

  • Add depth tracking parameter to monty_to_py and py_to_monty
  • Enforce MAX_NESTING_DEPTH = 64 (consistent with JSON conversion functions)
  • Return PyErr when depth exceeded instead of stack overflow
  • Test: Nested structure at depth 100 is rejected gracefully
  • Test: Nested structure at depth 50 converts successfully

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity vulnerability or hardening

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions