Update README.md

Add information about untrusted input.
This commit is contained in:
ISibboI 2022-01-18 13:41:21 +01:00 committed by GitHub
parent b5c85b367f
commit 53f2b6979b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -539,6 +539,14 @@ Please report a panic in this crate immediately as issue on [github](https://git
Even if the crate itself is panic free, it allows the user to define custom functions that are executed by the crate. Even if the crate itself is panic free, it allows the user to define custom functions that are executed by the crate.
The user needs to ensure that the functions they provide to the crate never panic. The user needs to ensure that the functions they provide to the crate never panic.
## Untrusted input
This crate was not built with untrusted input in mind, but due to its simplicity and freedom of panics it is likely secure, keeping the following in mind:
* Limit the length of the untrusted input.
* If a mutable context is maintained between evaluations of untrusted input, the untrusted input might fill it gradually until the application runs out of memory.
* If no context is provided, a temporary mutable context is implicitly provided. This is freed after evaluation of every single string, so gradual filling cannot happen.
* If no context or a mutable context is provided, and the `regex_support` feature is activated, the `regex_replace` builtin function can be used to build an exponentially sized string.
## Contribution ## Contribution
If you have any ideas for features or see any problems in the code, architecture, interface, algorithmics or documentation, please open an issue on [github](https://github.com/ISibboI/evalexpr/issues). If you have any ideas for features or see any problems in the code, architecture, interface, algorithmics or documentation, please open an issue on [github](https://github.com/ISibboI/evalexpr/issues).