summaryrefslogtreecommitdiff
path: root/tests/serializers/test_deserialization.py
AgeCommit message (Collapse)Author
2025-12-02[6.0.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation ↵Shai Berger
in XML serializer. Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main.
2024-09-19Refs #29522 -- Fixed serializers/fixtures test crash if PyYAML isn't installed.Mariusz Felisiak
2024-09-17Fixed #29522 -- Refactored the Deserializer functions to classes.Amir Karimi
Co-authored-by: Emad Mokhtar <emad.mokhtar@veneficus.nl>