Fix array bounds vulnerability in Fragment iteration methods #91

Closed

flowjzh wants to merge 1 commit from fragment_bounds into master

pull from: fragment_bounds

merge into: prosemirror:master

prosemirror:main

prosemirror:parse-rule-union

Conversation 1 Commits 1 Files changed 2 +15 -2

flowjzh commented 2025-08-16 14:55:12 +02:00 (Migrated from github.com)

Copy link

Fragment.nodesBetween() and Fragment.cut() both contain unsafe loop conditions that can cause out-of-bounds array access when the 'to' parameter exceeds the fragment's actual size. This is a defensive programming failure that violates the principle that interfaces should be safe against invalid input.

The fix adds proper bounds checking to prevent accessing this.content[i] when i >= this.content.length. This ensures the methods remain robust even when called with parameters that exceed the fragment bounds.

Added tests to verify the edge case behavior.

Fragment.nodesBetween() and Fragment.cut() both contain unsafe loop conditions that can cause out-of-bounds array access when the 'to' parameter exceeds the fragment's actual size. This is a defensive programming failure that violates the principle that interfaces should be safe against invalid input. The fix adds proper bounds checking to prevent accessing this.content[i] when i >= this.content.length. This ensures the methods remain robust even when called with parameters that exceed the fragment bounds. Added tests to verify the edge case behavior.

marijnh commented 2025-08-16 20:23:17 +02:00 (Migrated from github.com)

Copy link

Defensive programming, as the practice of silently checking and correcting invalid inputs, is not a principle this codebase subscribes to. I often consider breaking a better behavior than papering over issues in the code that's passing in the bogus parameters, since it'll help the programmer writing and testing that code realize that there is a problem. As such, I don't want to add additional loop termination tests to these methods (and the hundreds of other methods in the project that could be equipped with such checks).

Also, since this isn't a memory-unsafe language, 'vulnerability' is not the appropriate word here.

Defensive programming, as the practice of silently checking and correcting invalid inputs, is not a principle this codebase subscribes to. I often consider breaking a better behavior than papering over issues in the code that's passing in the bogus parameters, since it'll help the programmer writing and testing that code realize that there is a problem. As such, I don't want to add additional loop termination tests to these methods (and the hundreds of other methods in the project that could be equipped with such checks). Also, since this isn't a memory-unsafe language, 'vulnerability' is not the appropriate word here.

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

prosemirror/prosemirror-model!91

No description provided.