[3.14] gh-90949: expose Expat API to tune exponential expansion protections (GH-139368)

[StanFromIreland]

Expose the XML Expat 2.7.2 APIs to tune protections against "billion laughs" 1 attacks.

The exposed APIs are available on Expat parsers, that is, parsers created by xml.parsers.expat.ParserCreate(), as:

• parser.SetBillionLaughsAttackProtectionActivationThreshold(threshold), and
• parser.SetBillionLaughsAttackProtectionMaximumAmplification(max_factor).

This completes the work in f04bea4, and improves the existing related documentation.

• Issue: Expose Expat XML attack protection APIs #90949

[read-the-docs-community]

Documentation build overview

📚 cpython-previews | 🛠️ Build #33057152 | 📁 Comparing a35a24a against main (8ab7b43)

  🔍 Preview build  

393 files changed · ± 376 modified · - 17 deleted

± Modified

• about.html
• bugs.html
• index.html
• license.html
• py-modindex.html
• c-api/allocation.html
• c-api/apiabiversion.html
• c-api/arg.html
• c-api/buffer.html
• c-api/bytes.html
• and 366 more...

- Deleted

• _static/tachyon-example-flamegraph.html
• _static/tachyon-example-heatmap.html
• c-api/sentinel.html
• c-api/slots.html
• deprecations/c-api-pending-removal-in-3.19.html
• deprecations/c-api-pending-removal-in-3.20.html
• deprecations/pending-removal-in-3.20.html
• deprecations/pending-removal-in-3.21.html
• deprecations/soft-deprecations.html
• extending/first-extension-module.html
• and 7 more...

[picnixz]

I think we had a recent issue where this check was not sufficient and tests needed to be disabled in another way using hasattr() checks. Can you check how it's currently done on main please?

[StanFromIreland]

It's identical on main?

cpython/Lib/test/test_pyexpat.py

Lines 1265 to 1266 in d8ff4f8

	@unittest.skipIf(expat.version_info < (2, 4, 0), "requires Expat >= 2.4.0")
	class ExpansionProtectionTest(AttackProtectionTestBase, unittest.TestCase):

[picnixz]

Ah indeed, but the problem was for the other API:

@unittest.skipIf(not hasattr(expat.XMLParserType,
                             "SetAllocTrackerMaximumAmplification"),
                 "requires Python compiled with Expat >= 2.7.2")

So I think the version check for billion laughs is also wrong and should be changed to the same as for SetAllocTrackerMaximumAmplification. But let's address this separately later in a follow-up PR (so as to ease backports)

[picnixz]

LGTM but I'd appreciate if @hartwork could have a quick glance just for wordings. I hope every backport has been merged properly (if we are matching against 3.15 then it should good). It's just that I remember that the work was split across multiple PRs...

[hartwork]

LGTM but I'd appreciate if @hartwork could have a quick glance just for wordings. I hope every backport has been merged properly (if we are matching against 3.15 then it should good). It's just that I remember that the work was split across multiple PRs...

@StanFromIreland I have just had a quick look through the lense of…

# diff -u1 <(git diff 666112376d574c7802646ee1df6244062671cd61{^,}) <(git diff upstream-readonly/3.14...StanFromIreland/backport-6661123-3.14) | ydiff 

…and I see:

• differences in @unittest.skipIf machinery
• differences in float style "100.0" versus int style "100" in documentation

Are these intended or accidental?

[picnixz]

differences in float style "100.0" versus int style "100" in documentation

I think I updated these at some points but I don't remember in which direction. I would say: pick the style that we currently have on main, it doesn't matter. I just don't want to have docs that are different across versions.

[hartwork]

@picnixz +1 from me for being in line with main 👍

[picnixz]

the else is the wrong here actually, it's SetBillionLaughsAttackProtectionActivationThreshold

[StanFromIreland]

It's the same on main:

cpython/Modules/pyexpat.c

Lines 2548 to 2554 in 9fdbade

	#if XML_COMBINED_VERSION >= 20400
	capi->SetBillionLaughsAttackProtectionActivationThreshold = XML_SetBillionLaughsAttackProtectionActivationThreshold;
	capi->SetBillionLaughsAttackProtectionMaximumAmplification = XML_SetBillionLaughsAttackProtectionMaximumAmplification;
	#else
	capi->SetAllocTrackerActivationThreshold = NULL;
	capi->SetAllocTrackerMaximumAmplification = NULL;
	#endif

[StanFromIreland]

I wrote #151147 for main/3.15, for here:

Suggested change

	capi->SetAllocTrackerActivationThreshold = NULL;
	capi->SetAllocTrackerMaximumAmplification = NULL;
	capi->SetBillionLaughsAttackProtectionActivationThreshold = NULL;
	capi->SetBillionLaughsAttackProtectionMaximumAmplification = NULL;

[picnixz]

Oh!

[picnixz]

Now I think we're good. If docs need to be amended we'll do it but C should be ok.

[StanFromIreland]

Fuzzer failures are unrelated (ast and plistlib).

[miss-islington-app]

Thanks @StanFromIreland for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

[miss-islington-app]

Sorry, @StanFromIreland, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker c078637e8642783d90b33c6b983fa15ff29c24d6 3.13

[bedevere-app]

GH-151151 is a backport of this pull request to the 3.13 branch.