Quadratic output size explosion with tables extension

[mity]

With table extension, one may get awfully long output with input generated by this python one-liner:

$ python -c 'N=100; print("x|" * N + "\n" + "-|" * N + "\n" + "x\n" * N)' | pulldown-cmark -T

The output size grows roughly as square of the input size. With N=10000 you still have an input of decent size (~70kB), but the corresponding output is roughly ~900MB (10000 * 10000 * strlen("<td></td>")), so it's potentially usable as DoS attack vector.

(In MD4C I solved this by limiting column count of tables to 128. Anything bigger is refused to be recognized as a table. Probably the only alternative would be to stop emitting empty table cells if they're missing in the input, breaking compatibility with GFM.)

[Martin1887]

Interesting, thanks for your report. 128 columns seems to me a low limit, and breaking compatibility with GFM is even worse. Maybe a limit of 512 or 1024 columns although also arbitrary could be more sane.

A tradeoff solution would be adding a parameter for the maximum of columns, with a sane default value (in this case 128 could be good).

[mity]

1024 seems too big to me.

Essentially the table extension (when disregarding the header) allows every line of 2 bytes (a character + \n) be translated to max_columns * strlen("<td></td>"). I.e limit of 1024 columns still means every 2 bytes of input can get translated to 9kB of output.

[mity]

Actually, thinking about it, perhaps one might use something smarter to deal with such pathological input: Tracking cell density. The implementation might count how many implicit missing empty cells it would have to emit, and if it would be too large share of all cells, then refuse to do that.

I.e. genuinely large tables (where output size would roughly correspond to what user wants) would still be ok.

[Martin1887]

But I think that solution does not solve the issue against malicious actors, right? Anyone wanting to produce a DoS could generate big tables with random or lorem-ipsum columns contents to achieve it.

I think a reasonable default and a parameter to increase or decrease it according to the needs of the implementer would be a good solution.

[mity]

Yes and no. Protection against huge input is what any application must sort of count with always, and indeed the app can fully and easily control whether it will or won't pass huge input to markdown parser. Furthermore anyone to try such an attack would consume also attacker's own resources (e.g. connectivity).

The main issue here is that it's quite natural to assume that Markdown parser produces output which is in some reasonable way proportional in size to the input size, and with the input pattern presented in this issue such assumption is completely invalid.

[Martin1887]

Good point, but I think the size of the columns could be also low and still overcoming the ratio rule to create a DoS attack with e.g. 200 kB input file and 1 GB output file, right?

In addition, such types of ratio checks could also produce false positives if they are not very careful.

[mity]

I don't think so. The issue here comes from the steepness of quadratic function for large N. E.g. for N=1000, the table has million cells, but only 1000 are explicitly present in the input, i.e. density of explicitly given cells is as low as 0.1%.

So even at first glance very low threshold (say e.g. 5%) should be good enough to make the proportionality of output size to input about linear.

Furthermore such treatment could be applied only to suspiciously large tables (e.g. something like column_count * row_count > 10000).

[Martin1887]

I see, the combined check with more than 1000 columns would work. The disadvantage of that approach is the ratio must be recomputed at each row, because the first rows could have content and the below ones be empty, but it can be done only on those big tables.

[notriddle]

cmark-gfm is designed to protect against DoS inputs, and they seem to specifically track the number of "autocompleted" cells and limit them.

[Martin1887]

It seems a similar solution to the density one proposed by @mity, but I think it can be done only in tables of more than 1000 columns.