Add ability to set maximum array size to avoid potential man-in-the-middle or DOS attacks

for issue-#2

Author: joeybloggs

README.md

@@ -1,7 +1,7 @@
 Package form
 ============
 <img align="right" src="https://raw.githubusercontent.com/go-playground/form/master/logo.jpg">
-![Project status](https://img.shields.io/badge/version-1.4.0-green.svg)
+![Project status](https://img.shields.io/badge/version-1.5.0-green.svg)
 [![Build Status](https://semaphoreci.com/api/v1/joeybloggs/form/branches/master/badge.svg)](https://semaphoreci.com/joeybloggs/form)
 [![Coverage Status](https://coveralls.io/repos/github/go-playground/form/badge.svg?branch=master)](https://coveralls.io/github/go-playground/form?branch=master)
 [![Go Report Card](https://goreportcard.com/badge/github.com/go-playground/form)](https://goreportcard.com/report/github.com/go-playground/form)

decoder.go

@@ -10,6 +10,10 @@ import (
 	"time"
 )
 
+const (
+	errArraySize = "Array size of '%d' is larger than the maximum currently set on the decoder of '%d'. To increase this limit please see, SetMaxArraySize(size uint)"
+)
+
 type decoder struct {
 	d                   *Decoder
 	errs                DecodeErrors
@@ -293,22 +297,42 @@ func (d *decoder) setFieldByType(current reflect.Value, namespace string, idx in
 
 			d.parseMapData()
 
-			// maybe it's an numbered array i.e. Pnone[0].Number
+			// maybe it's an numbered array i.e. Phone[0].Number
 			if rd := d.dm[namespace]; rd != nil {
 
 				var varr reflect.Value
 
 				sl := rd.sliceLen + 1
 
+				// checking below for maxArraySize, but if array exists and already
+				// has sufficient capacity allocated then we do not check as the code
+				// obviously allows that capacity.
+
 				if v.IsNil() {
+
+					if sl > d.d.maxArraySize {
+						d.setError(namespace, fmt.Errorf(errArraySize, sl, d.d.maxArraySize))
+						return
+					}
+
 					varr = reflect.MakeSlice(v.Type(), sl, sl)
+
 				} else if v.Len() < sl {
+
 					if v.Cap() <= sl {
+
+						if sl > d.d.maxArraySize {
+							d.setError(namespace, fmt.Errorf(errArraySize, sl, d.d.maxArraySize))
+							return
+						}
+
 						varr = reflect.MakeSlice(v.Type(), sl, sl)
 					} else {
 						varr = reflect.MakeSlice(v.Type(), sl, v.Cap())
 					}
+
 					reflect.Copy(varr, v)
+
 				} else {
 					varr = v
 				}

decoder_test.go

@@ -651,40 +651,47 @@ func TestDecoderNativeTime(t *testing.T) {
 func TestDecoderErrors(t *testing.T) {
 
 	type TestError struct {
-		Bool           bool `form:"bool"`
-		Int            int
-		Uint           uint
-		Float32        float32
-		String         string
-		Time           time.Time
-		MapBadIntKey   map[int]int
-		MapBadUintKey  map[uint]uint
-		MapBadFloatKey map[float32]float32
-		MapBadBoolKey  map[bool]bool
-		MapBadKeyType  map[complex64]int
-		BadArrayValue  []int
-		BadMapKey      map[time.Time]string
+		Bool                  bool `form:"bool"`
+		Int                   int
+		Uint                  uint
+		Float32               float32
+		String                string
+		Time                  time.Time
+		MapBadIntKey          map[int]int
+		MapBadUintKey         map[uint]uint
+		MapBadFloatKey        map[float32]float32
+		MapBadBoolKey         map[bool]bool
+		MapBadKeyType         map[complex64]int
+		BadArrayValue         []int
+		BadMapKey             map[time.Time]string
+		OverflowNilArray      []int
+		OverFlowExistingArray []int
 	}
 
 	values := url.Values{
-		"bool":                  []string{"uh-huh"},
-		"Int":                   []string{"bad"},
-		"Uint":                  []string{"bad"},
-		"Float32":               []string{"bad"},
-		"String":                []string{"str bad return val"},
-		"Time":                  []string{"bad"},
-		"MapBadIntKey[key]":     []string{"1"},
-		"MapBadUintKey[key]":    []string{"1"},
-		"MapBadFloatKey[key]":   []string{"1.1"},
-		"MapBadBoolKey[uh-huh]": []string{"true"},
-		"MapBadKeyType[1.4]":    []string{"5"},
-		"BadArrayValue[0]":      []string{"badintval"},
-		"BadMapKey[badtime]":    []string{"badtime"},
+		"bool":                       []string{"uh-huh"},
+		"Int":                        []string{"bad"},
+		"Uint":                       []string{"bad"},
+		"Float32":                    []string{"bad"},
+		"String":                     []string{"str bad return val"},
+		"Time":                       []string{"bad"},
+		"MapBadIntKey[key]":          []string{"1"},
+		"MapBadUintKey[key]":         []string{"1"},
+		"MapBadFloatKey[key]":        []string{"1.1"},
+		"MapBadBoolKey[uh-huh]":      []string{"true"},
+		"MapBadKeyType[1.4]":         []string{"5"},
+		"BadArrayValue[0]":           []string{"badintval"},
+		"BadMapKey[badtime]":         []string{"badtime"},
+		"OverflowNilArray[999]":      []string{"idx 1000"},
+		"OverFlowExistingArray[999]": []string{"idx 1000"},
 	}
 
-	var test TestError
+	test := TestError{
+		OverFlowExistingArray: make([]int, 2, 2),
+	}
 
 	decoder := NewDecoder()
+	decoder.SetMaxArraySize(4)
 	decoder.RegisterCustomTypeFunc(func(vals []string) (interface{}, error) {
 		return nil, errors.New("Bad Type Conversion")
 	}, "")
@@ -696,6 +703,8 @@ func TestDecoderErrors(t *testing.T) {
 	NotEqual(t, e, "")
 
 	err := errs.(DecodeErrors)
+	Equal(t, len(err), 15)
+
 	k := err["bool"]
 	Equal(t, k.Error(), "Invalid Boolean Value 'uh-huh' Type 'bool' Namespace 'bool'")
 
@@ -732,6 +741,12 @@ func TestDecoderErrors(t *testing.T) {
 	k = err["BadArrayValue[0]"]
 	Equal(t, k.Error(), "Invalid Integer Value 'badintval' Type 'int' Namespace 'BadArrayValue[0]'")
 
+	k = err["OverflowNilArray"]
+	Equal(t, k.Error(), "Array size of '1000' is larger than the maximum currently set on the decoder of '4'. To increase this limit please see, SetMaxArraySize(size uint)")
+
+	k = err["OverFlowExistingArray"]
+	Equal(t, k.Error(), "Array size of '1000' is larger than the maximum currently set on the decoder of '4'. To increase this limit please see, SetMaxArraySize(size uint)")
+
 	type TestError2 struct {
 		BadMapKey map[time.Time]string
 	}

form_decoder.go

@@ -50,13 +50,15 @@ type Decoder struct {
 	tagName         string
 	structCache     structCacheMap
 	customTypeFuncs map[reflect.Type]DecodeCustomTypeFunc
+	maxArraySize    int
 }
 
 // NewDecoder creates a new decoder instance with sane defaults
 func NewDecoder() *Decoder {
 	return &Decoder{
-		tagName:     "form",
-		structCache: structCacheMap{m: map[reflect.Type]cachedStruct{}},
+		tagName:      "form",
+		structCache:  structCacheMap{m: map[reflect.Type]cachedStruct{}},
+		maxArraySize: 10000,
 	}
 }
 
@@ -66,6 +68,15 @@ func (d *Decoder) SetTagName(tagName string) {
 	d.tagName = tagName
 }
 
+// SetMaxArraySize sets maximum array size that can be created.
+// This limit is for the array indexing this library supports to
+// avoid potential DOS or man-in-the-middle attacks using an unusually
+// high number.
+// DEFAULT: 10000
+func (d *Decoder) SetMaxArraySize(size uint) {
+	d.maxArraySize = int(size)
+}
+
 // RegisterCustomTypeFunc registers a CustomTypeFunc against a number of types
 // NOTE: this method is not thread-safe it is intended that these all be registered prior to any parsing
 func (d *Decoder) RegisterCustomTypeFunc(fn DecodeCustomTypeFunc, types ...interface{}) {