From 473567f9f57d5a2802a10f6383268ae2f32f2fa0 Mon Sep 17 00:00:00 2001 From: Maxim Avanov <601955+avanov@users.noreply.github.com> Date: Sat, 11 May 2024 01:23:16 +0100 Subject: [PATCH 1/2] Prevent HashDOS --- http-api-data.cabal | 3 +-- src/Web/Internal/FormUrlEncoded.hs | 27 +++++++++---------------- src/Web/Internal/HttpApiData.hs | 3 +-- test/Web/Internal/FormUrlEncodedSpec.hs | 10 ++++----- test/Web/Internal/TestInstances.hs | 5 ++--- 5 files changed, 18 insertions(+), 30 deletions(-) diff --git a/http-api-data.cabal b/http-api-data.cabal index 7b32b8f..97ee47d 100644 --- a/http-api-data.cabal +++ b/http-api-data.cabal @@ -58,7 +58,6 @@ library , text-iso8601 >= 0.1 && < 0.2 , tagged >= 0.8.5 && < 0.9 , time-compat >= 1.9.5 && < 1.10 - , unordered-containers >= 0.2.10.0 && < 0.3 , uuid-types >= 1.0.3 && < 1.1 if flag(use-text-show) @@ -92,7 +91,7 @@ test-suite spec , http-api-data , text , time-compat - , unordered-containers + , containers , uuid-types build-depends: HUnit >= 1.6.0.0 && <1.7 diff --git a/src/Web/Internal/FormUrlEncoded.hs b/src/Web/Internal/FormUrlEncoded.hs index 08d125a..51c348f 100644 --- a/src/Web/Internal/FormUrlEncoded.hs +++ b/src/Web/Internal/FormUrlEncoded.hs @@ -25,14 +25,11 @@ import Data.Coerce (coerce) import qualified Data.Foldable as F import Data.Functor.Identity (Identity(Identity)) import Data.Hashable (Hashable) -import Data.HashMap.Strict (HashMap) -import qualified Data.HashMap.Strict as HashMap +import qualified Data.Map.Strict as Map import Data.Int (Int16, Int32, Int64, Int8) import Data.IntMap (IntMap) import qualified Data.IntMap as IntMap import Data.List (intersperse, sortBy) -import Data.Map (Map) -import qualified Data.Map as Map import Data.Monoid (All (..), Any (..), Dual (..), Product (..), Sum (..)) import Data.Ord (comparing) @@ -205,7 +202,7 @@ instance FromFormKey Natural where parseFormKey = parseQueryParam -- | The contents of a form, not yet URL-encoded. -- -- 'Form' can be URL-encoded with 'urlEncodeForm' and URL-decoded with 'urlDecodeForm'. -newtype Form = Form { unForm :: HashMap Text [Text] } +newtype Form = Form { unForm :: Map.Map Text [Text] } deriving (Eq, Read, Generic, Semigroup, Monoid) instance Show Form where @@ -216,8 +213,8 @@ instance Show Form where -- For a stable conversion use 'toListStable'. instance IsList Form where type Item Form = (Text, Text) - fromList = Form . HashMap.fromListWith (flip (<>)) . fmap (\(k, v) -> (k, [v])) - toList = concatMap (\(k, vs) -> map ((,) k) vs) . HashMap.toList . unForm + fromList = Form . Map.fromListWith (flip (<>)) . fmap (\(k, v) -> (k, [v])) + toList = concatMap (\(k, vs) -> map ((,) k) vs) . Map.toList . unForm -- | A stable version of 'toList'. toListStable :: Form -> [(Text, Text)] @@ -270,12 +267,9 @@ instance ToForm Form where toForm = id instance (ToFormKey k, ToHttpApiData v) => ToForm [(k, v)] where toForm = fromList . map (toFormKey *** toQueryParam) -instance (ToFormKey k, ToHttpApiData v) => ToForm (Map k [v]) where +instance (ToFormKey k, ToHttpApiData v) => ToForm (Map.Map k [v]) where toForm = fromEntriesByKey . Map.toList -instance (ToFormKey k, ToHttpApiData v) => ToForm (HashMap k [v]) where - toForm = fromEntriesByKey . HashMap.toList - instance ToHttpApiData v => ToForm (IntMap [v]) where toForm = fromEntriesByKey . IntMap.toList @@ -284,7 +278,7 @@ instance ToHttpApiData v => ToForm (IntMap [v]) where -- >>> fromEntriesByKey [("name",["Nick"]),("color",["red","blue"])] -- fromList [("color","red"),("color","blue"),("name","Nick")] fromEntriesByKey :: (ToFormKey k, ToHttpApiData v) => [(k, [v])] -> Form -fromEntriesByKey = Form . HashMap.fromListWith (<>) . map (toFormKey *** map toQueryParam) +fromEntriesByKey = Form . Map.fromListWith (<>) . map (toFormKey *** map toQueryParam) data Proxy3 a b c = Proxy3 @@ -417,12 +411,9 @@ instance FromForm Form where fromForm = pure instance (FromFormKey k, FromHttpApiData v) => FromForm [(k, v)] where fromForm = fmap (concatMap (\(k, vs) -> map ((,) k) vs)) . toEntriesByKey -instance (Ord k, FromFormKey k, FromHttpApiData v) => FromForm (Map k [v]) where +instance (Ord k, Eq k, Hashable k, FromFormKey k, FromHttpApiData v) => FromForm (Map.Map k [v]) where fromForm = fmap (Map.fromListWith (<>)) . toEntriesByKey -instance (Eq k, Hashable k, FromFormKey k, FromHttpApiData v) => FromForm (HashMap k [v]) where - fromForm = fmap (HashMap.fromListWith (<>)) . toEntriesByKey - instance FromHttpApiData v => FromForm (IntMap [v]) where fromForm = fmap (IntMap.fromListWith (<>)) . toEntriesByKey @@ -431,7 +422,7 @@ instance FromHttpApiData v => FromForm (IntMap [v]) where -- _NOTE:_ this conversion is unstable and may result in different key order -- (but not values). For a stable encoding see 'toEntriesByKeyStable'. toEntriesByKey :: (FromFormKey k, FromHttpApiData v) => Form -> Either Text [(k, [v])] -toEntriesByKey = traverse parseGroup . HashMap.toList . unForm +toEntriesByKey = traverse parseGroup . Map.toList . unForm where parseGroup (k, vs) = (,) <$> parseFormKey k <*> traverse parseQueryParam vs @@ -658,7 +649,7 @@ urlEncodeAsFormStable = urlEncodeFormStable . toForm -- >>> lookupAll "name" [("name", "Oleg"), ("name", "David")] -- ["Oleg","David"] lookupAll :: Text -> Form -> [Text] -lookupAll key = F.concat . HashMap.lookup key . unForm +lookupAll key = F.concat . Map.lookup key . unForm -- | Lookup an optional value for a key. -- Fail if there is more than one value. diff --git a/src/Web/Internal/HttpApiData.hs b/src/Web/Internal/HttpApiData.hs index 49647ea..8b6531b 100644 --- a/src/Web/Internal/HttpApiData.hs +++ b/src/Web/Internal/HttpApiData.hs @@ -28,11 +28,10 @@ import qualified Data.Fixed as F import Data.Functor.Identity (Identity(Identity)) import Data.Int (Int16, Int32, Int64, Int8) import Data.Kind (Type) -import qualified Data.Map as Map +import qualified Data.Map.Strict as Map import Data.Monoid (All (..), Any (..), Dual (..), First (..), Last (..), Product (..), Sum (..)) -import Data.Semigroup (Semigroup (..)) import qualified Data.Semigroup as Semi import Data.Tagged (Tagged (..)) import Data.Text (Text) diff --git a/test/Web/Internal/FormUrlEncodedSpec.hs b/test/Web/Internal/FormUrlEncodedSpec.hs index 1d7b4b9..20e031c 100644 --- a/test/Web/Internal/FormUrlEncodedSpec.hs +++ b/test/Web/Internal/FormUrlEncodedSpec.hs @@ -4,7 +4,7 @@ module Web.Internal.FormUrlEncodedSpec (spec) where import Control.Monad ((<=<)) import qualified Data.ByteString.Lazy.Char8 as BSL -import qualified Data.HashMap.Strict as HashMap +import qualified Data.Map.Strict as Map import Data.Text (Text, unpack) import Test.Hspec import Test.QuickCheck @@ -27,13 +27,13 @@ genericSpec = describe "Default (generic) instances" $ do it "contains the record names" $ property $ \(x :: SimpleRec) -> do let f = unForm $ toForm x - HashMap.member "rec1" f `shouldBe` True - HashMap.member "rec2" f `shouldBe` True + Map.member "rec1" f `shouldBe` True + Map.member "rec2" f `shouldBe` True it "contains the correct record values" $ property $ \(x :: SimpleRec) -> do let f = unForm $ toForm x - HashMap.lookup "rec1" f `shouldBe` Just [rec1 x] - (parseQueryParams <$> HashMap.lookup "rec2" f) `shouldBe` Just (Right [rec2 x]) + Map.lookup "rec1" f `shouldBe` Just [rec1 x] + (parseQueryParams <$> Map.lookup "rec2" f) `shouldBe` Just (Right [rec2 x]) context "FromForm" $ do diff --git a/test/Web/Internal/TestInstances.hs b/test/Web/Internal/TestInstances.hs index e8fce5e..17302c3 100644 --- a/test/Web/Internal/TestInstances.hs +++ b/test/Web/Internal/TestInstances.hs @@ -8,9 +8,8 @@ module Web.Internal.TestInstances , NoEmptyKeyForm(..) ) where -import Control.Applicative import Data.Char -import qualified Data.HashMap.Strict as HashMap +import qualified Data.Map.Strict as Map import qualified Data.Text as T import Data.Time.Compat import GHC.Exts (fromList) @@ -63,4 +62,4 @@ newtype NoEmptyKeyForm = instance Arbitrary NoEmptyKeyForm where arbitrary = NoEmptyKeyForm . removeEmptyKeys <$> arbitrary where - removeEmptyKeys (Form m) = Form (HashMap.delete "" m) + removeEmptyKeys (Form m) = Form (Map.delete "" m) From f64267553802a535ca15b90970f417ef526fcacc Mon Sep 17 00:00:00 2001 From: Maxim Avanov <601955+avanov@users.noreply.github.com> Date: Sun, 12 May 2024 20:43:40 +0100 Subject: [PATCH 2/2] revert removed applicative import --- test/Web/Internal/TestInstances.hs | 1 + 1 file changed, 1 insertion(+) diff --git a/test/Web/Internal/TestInstances.hs b/test/Web/Internal/TestInstances.hs index 17302c3..a0d184c 100644 --- a/test/Web/Internal/TestInstances.hs +++ b/test/Web/Internal/TestInstances.hs @@ -8,6 +8,7 @@ module Web.Internal.TestInstances , NoEmptyKeyForm(..) ) where +import Control.Applicative -- for ghc < 9.6 import Data.Char import qualified Data.Map.Strict as Map import qualified Data.Text as T