diff --git a/README.md b/README.md index 63cbcbf..b81b735 100644 --- a/README.md +++ b/README.md @@ -539,6 +539,14 @@ Please report a panic in this crate immediately as issue on [github](https://git Even if the crate itself is panic free, it allows the user to define custom functions that are executed by the crate. The user needs to ensure that the functions they provide to the crate never panic. +## Untrusted input + +This crate was not built with untrusted input in mind, but due to its simplicity and freedom of panics it is likely secure, keeping the following in mind: + * Limit the length of the untrusted input. + * If a mutable context is maintained between evaluations of untrusted input, the untrusted input might fill it gradually until the application runs out of memory. + * If no context is provided, a temporary mutable context is implicitly provided. This is freed after evaluation of every single string, so gradual filling cannot happen. + * If no context or a mutable context is provided, and the `regex_support` feature is activated, the `regex_replace` builtin function can be used to build an exponentially sized string. + ## Contribution If you have any ideas for features or see any problems in the code, architecture, interface, algorithmics or documentation, please open an issue on [github](https://github.com/ISibboI/evalexpr/issues). @@ -548,4 +556,4 @@ If there is already an issue describing what you want to say, please add a thumb * This crate uses the [`sync-readme`](https://github.com/phaazon/cargo-sync-readme) cargo subcommand to keep the documentation in `src/lib.rs` and `README.md` in sync. The subcommand only syncs from the documentation in `src/lib.rs` to `README.md`. - So please alter the documentation in the `src/lib.rs` rather than altering anything in between `` and `` in the `README.md`. \ No newline at end of file + So please alter the documentation in the `src/lib.rs` rather than altering anything in between `` and `` in the `README.md`.