fix: Add SQL output length limits to prevent DoS (fixes #33) (#69)

richardwooding · claude · web-flow · commit cfb6d8148376 · 2025-10-24T13:52:43.000+02:00
This commit addresses issue #33 by implementing SQL output length limits to prevent Denial of Service attacks through resource exhaustion. ## Changes ### Core Implementation (cel2sql.go) - Added `defaultMaxSQLOutputLength = 50000` constant - Added `maxOutputLen` field to `convertOptions` and `converter` structs - Created `WithMaxOutputLength()` functional option for custom limits - Implemented output length check in `visit()` method - Both `Convert()` and `ConvertParameterized()` now respect the limit ### Tests (output_length_test.go) - Comprehensive test coverage for all scenarios: - Default and custom output length limits - Combination with other options (context, schemas, logger, maxDepth) - Error message validation - Counter reset between calls - Large arrays, string concatenations, comprehensions - Parameterized query support ### Documentation - Updated CLAUDE.md with new "Resource Exhaustion Protection" section - Updated README.md security features to include SQL output length limits - Added examples for using `WithMaxOutputLength()` ## Security Impact - Prevents DoS attacks via extremely large SQL output - Addresses CWE-400 (Uncontrolled Resource Consumption) - Default limit: 50,000 characters (configurable) - Works seamlessly with existing security features ## Testing - All tests pass (make test) - Code passes linting (make lint) - Coverage maintained at 90%+ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -386,6 +386,50 @@ field.matches(r"(((((((((((a"))    // Excessive nesting
 - CPU exhaustion from complex patterns
 - Service disruption from malicious regex
 
+#### Resource Exhaustion Protection
+
+cel2sql includes multiple layers of protection against resource exhaustion attacks (CWE-400):
+
+**Recursion Depth Limits:**
+- **Default limit**: 100 levels of expression nesting
+- **Configurable**: Use `WithMaxDepth()` to adjust
+- **Protection**: Prevents stack overflow from deeply nested expressions (CWE-674)
+
+**SQL Output Length Limits:**
+- **Default limit**: 50,000 characters of generated SQL
+- **Configurable**: Use `WithMaxOutputLength()` to adjust
+- **Protection**: Prevents memory exhaustion from extremely large SQL queries
+
+**Comprehension Depth Limits:**
+- **Fixed limit**: 3 levels of nested comprehensions
+- **Protection**: Prevents resource exhaustion from deeply nested UNNEST/subquery operations
+
+**Examples:**
+```go
+// Use default limits (recommended)
+sql, err := cel2sql.Convert(ast)
+
+// Custom recursion depth limit
+sql, err := cel2sql.Convert(ast,
+    cel2sql.WithMaxDepth(150))
+
+// Custom SQL output length limit
+sql, err := cel2sql.Convert(ast,
+    cel2sql.WithMaxOutputLength(100000))
+
+// Combine multiple limits
+sql, err := cel2sql.Convert(ast,
+    cel2sql.WithMaxDepth(75),
+    cel2sql.WithMaxOutputLength(25000),
+    cel2sql.WithContext(ctx))
+```
+
+**Protection Against:**
+- Stack overflow from deeply nested expressions
+- Memory exhaustion from extremely large SQL output
+- CPU/memory exhaustion from deeply nested comprehensions
+- DoS attacks via resource consumption
+
 #### Context Timeouts
 
 Use context timeouts as defense-in-depth:
diff --git a/README.md b/README.md
@@ -75,6 +75,7 @@ cel2sql includes comprehensive security protections:
 - 🔒 **JSON Field Escaping** - Automatic quote escaping in JSON paths
 - 🚫 **ReDoS Protection** - Validates regex patterns to prevent catastrophic backtracking
 - 🔄 **Recursion Depth Limits** - Prevents stack overflow from deeply nested expressions (default: 100)
+- 📏 **SQL Output Length Limits** - Prevents memory exhaustion from extremely large SQL queries (default: 50,000 chars)
 - ⏱️ **Context Timeouts** - Optional timeout protection for complex expressions
 
 All security features are enabled by default with zero configuration required.
diff --git a/cel2sql.go b/cel2sql.go
@@ -43,17 +43,22 @@ const (
 	// maxComprehensionDepth is the maximum nesting depth for CEL comprehensions
 	// to prevent resource exhaustion from deeply nested UNNEST/subquery operations (CWE-400).
 	maxComprehensionDepth = 3
+
+	// defaultMaxSQLOutputLength is the default maximum length of generated SQL output
+	// to prevent resource exhaustion from extremely large SQL queries (CWE-400).
+	defaultMaxSQLOutputLength = 50000
 )
 
 // ConvertOption is a functional option for configuring the Convert function.
 type ConvertOption func(*convertOptions)
 
 // convertOptions holds configuration options for the Convert function.
 type convertOptions struct {
-	schemas  map[string]pg.Schema
-	ctx      context.Context
-	logger   *slog.Logger
-	maxDepth int // Maximum recursion depth (0 = use default)
+	schemas       map[string]pg.Schema
+	ctx           context.Context
+	logger        *slog.Logger
+	maxDepth      int // Maximum recursion depth (0 = use default)
+	maxOutputLen  int // Maximum SQL output length (0 = use default)
 }
 
 // WithSchemas provides schema information for proper JSON/JSONB field handling.
@@ -137,6 +142,26 @@ func WithMaxDepth(maxDepth int) ConvertOption {
 	}
 }
 
+// WithMaxOutputLength sets the maximum length of generated SQL output.
+// If not provided, defaultMaxSQLOutputLength (50000) is used.
+// This protects against resource exhaustion from extremely large SQL queries (CWE-400).
+//
+// Example with custom output length limit:
+//
+//	sql, err := cel2sql.Convert(ast, cel2sql.WithMaxOutputLength(100000))
+//
+// Example with multiple options:
+//
+//	sql, err := cel2sql.Convert(ast,
+//	    cel2sql.WithMaxOutputLength(25000),
+//	    cel2sql.WithMaxDepth(50),
+//	    cel2sql.WithContext(ctx))
+func WithMaxOutputLength(maxLength int) ConvertOption {
+	return func(o *convertOptions) {
+		o.maxOutputLen = maxLength
+	}
+}
+
 // Result represents the output of a CEL to SQL conversion with parameterized queries.
 // It contains the SQL string with placeholders ($1, $2, etc.) and the corresponding parameter values.
 type Result struct {
@@ -158,8 +183,9 @@ func Convert(ast *cel.Ast, opts ...ConvertOption) (string, error) {
 	start := time.Now()
 
 	options := &convertOptions{
-		logger:   slog.New(slog.DiscardHandler), // Default: no-op logger with zero overhead
-		maxDepth: defaultMaxRecursionDepth,      // Default: 100 recursion depth limit
+		logger:       slog.New(slog.DiscardHandler), // Default: no-op logger with zero overhead
+		maxDepth:     defaultMaxRecursionDepth,      // Default: 100 recursion depth limit
+		maxOutputLen: defaultMaxSQLOutputLength,     // Default: 50000 character output limit
 	}
 	for _, opt := range opts {
 		opt(options)
@@ -174,11 +200,12 @@ func Convert(ast *cel.Ast, opts ...ConvertOption) (string, error) {
 	}
 
 	un := &converter{
-		typeMap:  checkedExpr.TypeMap,
-		schemas:  options.schemas,
-		ctx:      options.ctx,
-		logger:   options.logger,
-		maxDepth: options.maxDepth,
+		typeMap:       checkedExpr.TypeMap,
+		schemas:       options.schemas,
+		ctx:           options.ctx,
+		logger:        options.logger,
+		maxDepth:      options.maxDepth,
+		maxOutputLen:  options.maxOutputLen,
 	}
 
 	if err := un.visit(checkedExpr.Expr); err != nil {
@@ -225,8 +252,9 @@ func ConvertParameterized(ast *cel.Ast, opts ...ConvertOption) (*Result, error)
 	start := time.Now()
 
 	options := &convertOptions{
-		logger:   slog.New(slog.DiscardHandler), // Default: no-op logger with zero overhead
-		maxDepth: defaultMaxRecursionDepth,      // Default: 100 recursion depth limit
+		logger:       slog.New(slog.DiscardHandler), // Default: no-op logger with zero overhead
+		maxDepth:     defaultMaxRecursionDepth,      // Default: 100 recursion depth limit
+		maxOutputLen: defaultMaxSQLOutputLength,     // Default: 50000 character output limit
 	}
 	for _, opt := range opts {
 		opt(options)
@@ -241,12 +269,13 @@ func ConvertParameterized(ast *cel.Ast, opts ...ConvertOption) (*Result, error)
 	}
 
 	un := &converter{
-		typeMap:      checkedExpr.TypeMap,
-		schemas:      options.schemas,
-		ctx:          options.ctx,
-		logger:       options.logger,
-		maxDepth:     options.maxDepth,
-		parameterize: true, // Enable parameterization
+		typeMap:       checkedExpr.TypeMap,
+		schemas:       options.schemas,
+		ctx:           options.ctx,
+		logger:        options.logger,
+		maxDepth:      options.maxDepth,
+		maxOutputLen:  options.maxOutputLen,
+		parameterize:  true, // Enable parameterization
 	}
 
 	if err := un.visit(checkedExpr.Expr); err != nil {
@@ -278,6 +307,7 @@ type converter struct {
 	logger              *slog.Logger
 	depth               int           // Current recursion depth
 	maxDepth            int           // Maximum allowed recursion depth
+	maxOutputLen        int           // Maximum allowed SQL output length
 	comprehensionDepth  int           // Current comprehension nesting depth
 	parameterize        bool          // Enable parameterized output
 	parameters          []interface{} // Collected parameters for parameterized queries
@@ -313,6 +343,11 @@ func (con *converter) visit(expr *exprpb.Expr) error {
 		return err
 	}
 
+	// Check SQL output length limit to prevent resource exhaustion (CWE-400)
+	if con.str.Len() > con.maxOutputLen {
+		return fmt.Errorf("generated SQL exceeds maximum output length of %d", con.maxOutputLen)
+	}
+
 	switch expr.ExprKind.(type) {
 	case *exprpb.Expr_CallExpr:
 		return con.visitCall(expr)
diff --git a/output_length_test.go b/output_length_test.go
