
json: Limit how deeply nested arrays and objects can be #5244


Workflow file for this run

# Triggers: every pull request, plus manual runs (workflow_dispatch).
# `pull_request` (not `pull_request_target`) means runs for pull requests from
# forks do not receive repository secrets, so the secret-consuming steps in
# the jobs below see an empty value there.
on:
  pull_request:
  workflow_dispatch:
name: ci
# Least privilege: the workflow token may only read repository contents.
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
  contents: read
jobs:
# Linux build-and-test matrix: one job per compiler/instrumentation combination.
linux-ci:
  name: linux-${{ matrix.name }}
  runs-on: ${{ matrix.os }}
  timeout-minutes: 30
  strategy:
    # Keep the remaining configurations running when one of them fails.
    fail-fast: false
    matrix:
      include:
        # Every test runs under valgrind and fails on any reported error or
        # leak (--error-exitcode=1); tests tagged no-valgrind are filtered out.
        - name: gcc-14
          os: ubuntu-24.04
          compiler: gcc
          version: 14
          bazel: -c dbg --test_timeout=120 --run_under="valgrind --leak-check=full --errors-for-leak-kinds=all --error-exitcode=1 --track-origins=yes --show-leak-kinds=all --num-callers=32" --test_tag_filters=-no-valgrind
          apt: valgrind
        # ThreadSanitizer build; also runs the fuzz step (fuzz: true).
        - name: clang-18-tsan
          os: ubuntu-24.04
          compiler: clang
          version: 18
          bazel: -c dbg --config tsan --test_env=TSAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-18 --config libfuzzer
          apt: libclang-rt-18-dev llvm-18
          fuzz: true
        # AddressSanitizer + UndefinedBehaviorSanitizer build; also runs the
        # fuzz step (fuzz: true).
        - name: clang-18-asan-ubsan
          os: ubuntu-24.04
          compiler: clang
          version: 18
          bazel: -c dbg --config asan --config ubsan --test_env=ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer-18 --config libfuzzer
          apt: libclang-rt-18-dev llvm-18
          fuzz: true
        # Plain builds against libc++ with two clang versions.
        - name: clang-17-libc++
          os: ubuntu-24.04
          compiler: clang
          version: 17
          bazel: --config libc++
          apt: libc++abi-17-dev libc++-17-dev libclang-rt-17-dev
        - name: clang-18-libc++
          os: ubuntu-24.04
          compiler: clang
          version: 18
          bazel: --config libc++
          apt: libc++abi-18-dev libc++-18-dev libclang-rt-18-dev
  steps:
    # Export the versioned compiler for all later steps. The ${{ matrix.* }}
    # values expanded into these scripts are constants from this file, not
    # pull-request-controlled input.
    - name: Setup gcc
      if: startsWith(matrix.compiler, 'gcc')
      run: |
        echo "CC=gcc-${{ matrix.version }}" >> $GITHUB_ENV
        echo "CXX=g++-${{ matrix.version }}" >> $GITHUB_ENV
    - name: Setup clang
      if: startsWith(matrix.compiler, 'clang')
      run: |
        echo "CC=clang-${{ matrix.version }}" >> $GITHUB_ENV
        echo "CXX=clang++-${{ matrix.version }}" >> $GITHUB_ENV
    # NOTE(review): actions are referenced by mutable tag (@v4); pinning them
    # to a full commit SHA would make runs independent of later tag moves.
    - uses: actions/checkout@v4
    - name: Install
      run: |
        sudo apt-get update
        sudo apt-get install --no-install-recommends ${{ matrix.compiler }}-${{ matrix.version }} ${{ matrix.apt }} libx11-dev libxi-dev
    # Bazel cache, keyed per configuration and on the dependency-defining files.
    - uses: actions/cache@v4
      with:
        path: ~/.cache/bazel
        key: ${{ matrix.name }}-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }}
    # The API key reaches the shell through the environment instead of being
    # expanded into the script text. It is then written to .bazelrc.local in
    # the workspace, so anything the later steps build and run can read it.
    - run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >.bazelrc.local
      env:
        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
    - name: Test
      run: bazel test //... ${{ matrix.bazel }}
    # Smoke test: render a small local page with the tui browser.
    - name: Run
      run: |
        echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html
        bazel run browser:tui file://$(pwd)/example.html ${{ matrix.bazel }}
    # Only for matrix entries that set fuzz: true (the two sanitizer builds).
    # NOTE(review): --timeout_secs=10 presumably bounds each fuzz run; confirm
    # in bzl/run_fuzz_tests.
    - name: Fuzz test
      if: ${{ matrix.fuzz }}
      run: |
        ./bzl/run_fuzz_tests ... \
          ${{ matrix.bazel }} \
          -- --timeout_secs=10
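# Coverage builds with gcc and clang; the lcov report is uploaded to Codecov.
coverage:
  name: linux-${{ matrix.compiler }}-${{ matrix.version }}-coverage
  runs-on: ubuntu-24.04
  timeout-minutes: 30
  strategy:
    fail-fast: false
    matrix:
      include:
        - compiler: gcc
          version: 13
        - compiler: clang
          version: 19
          bazel: --config=clang19-coverage
  steps:
    # Full history (fetch-depth: 0) rather than the default shallow clone.
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: actions/cache@v4
      with:
        path: ~/.cache/bazel
        key: coverage-${{ matrix.compiler }}-${{ matrix.version }}-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }}
    - name: Setup (gcc)
      if: startsWith(matrix.compiler, 'gcc')
      run: |
        sudo apt-get update
        sudo apt-get install --no-install-recommends lcov gcc-${{ matrix.version }} g++-${{ matrix.version }}
        echo "CC=gcc-${{ matrix.version }}" >> $GITHUB_ENV
        echo "CXX=g++-${{ matrix.version }}" >> $GITHUB_ENV
        echo "GCOV=gcov-${{ matrix.version }}" >> $GITHUB_ENV
    # The LLVM signing key is stored in its own keyring and bound to the LLVM
    # repository with signed-by, instead of being added to apt's global trust
    # store through the deprecated apt-key. The repository is fetched over
    # HTTPS. The key itself is still trusted on first download; there is no
    # fingerprint check.
    - name: Setup (clang)
      if: startsWith(matrix.compiler, 'clang')
      run: |
        sudo install -d -m 0755 /etc/apt/keyrings
        wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/keyrings/apt.llvm.org.asc >/dev/null
        echo "deb [signed-by=/etc/apt/keyrings/apt.llvm.org.asc] https://apt.llvm.org/noble/ llvm-toolchain-noble-19 main" | sudo tee /etc/apt/sources.list.d/apt.llvm.org.list >/dev/null
        sudo apt-get update
        sudo apt-get install --no-install-recommends lcov clang-${{ matrix.version }} libclang-rt-${{ matrix.version }}-dev llvm-${{ matrix.version }}
        echo "CC=clang-19" >> $GITHUB_ENV
        echo "CXX=clang++-19" >> $GITHUB_ENV
    - run: sudo apt-get install libx11-dev libxi-dev
    # The API key is passed through the environment and written to
    # .bazelrc.local in the workspace, where later build steps can read it.
    - run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >.bazelrc.local
      env:
        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
    - name: Coverage
      run: bazel coverage ... ${{ matrix.bazel }}
    # clang 19 coverage has a lot of problems w/ boringssl:
    # lcov: ERROR: "external/boringssl/crypto/conf/internal.h":30: function conf.c:lh_CONF_VALUE_insert found on line but no corresponding 'line' coverage data point. Cannot derive function end line.
    - run: lcov --ignore-errors inconsistent --summary bazel-out/_coverage/_coverage_report.dat
    - name: Upload
      env:
        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      # TODO(robinlinden): codecov-cli 0.7.x breaks PRs from forks w/
      # "Error: Codecov token not found. Please provide Codecov token with -t flag."
      # whereas in 0.6.0, it still correctly detects PRs where tokenless
      # uploads are required:
      # "info - 2024-06-21 21:24:10,269 -- The PR is happening in a forked
      # repo. Using tokenless upload."
      run: |
        pipx install codecov-cli==0.6.0
        codecovcli upload-process --fail-on-error --file bazel-out/_coverage/_coverage_report.dat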
# Builds for aarch64 with musl and runs the resulting binaries on the x86_64
# runner through qemu user-mode emulation.
linux-aarch64-muslc:
  runs-on: ubuntu-24.04
  timeout-minutes: 30
  steps:
    - uses: actions/checkout@v4
    - uses: actions/cache@v4
      with:
        path: ~/.cache/bazel
        key: aarch64_linux_muslc-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }}
    # Register qemu-aarch64 as the binfmt handler for aarch64 executables.
    - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends qemu-user-static binfmt-support
    - run: sudo update-binfmts --enable qemu-aarch64
    # First write creates .bazelrc.local (>); the second appends to it (>>).
    - run: echo "build --config=linux-aarch64-musl" >.bazelrc.local
    # The API key is passed through the environment and ends up in
    # .bazelrc.local in the workspace, readable by the steps that follow.
    - run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >>.bazelrc.local
      env:
        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
    - run: bazel test ...
    # Smoke test: render a small local page with the tui browser.
    - name: Run tui
      run: |
        echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html
        bazel run browser:tui file://$(pwd)/example.html
# https://github.com/bytecodealliance/wasmtime
# Builds for wasm32-wasi and runs the tests through the wasmtime runtime.
wasi-wasm:
  runs-on: ubuntu-24.04
  timeout-minutes: 30
  env:
    # Both values must name the same release; the download URL is built from them.
    WASMTIME_VERSION: v28.0.1
    WASMTIME_NAME: wasmtime-v28.0.1-x86_64-linux
  steps:
    - uses: actions/checkout@v4
    # NOTE(review): the release archive is unpacked and its binary is later
    # registered (via sudo) as a binfmt_misc interpreter without being checked
    # against a known digest. Recording the expected SHA-256 next to
    # WASMTIME_VERSION and verifying it with `sha256sum -c` before `tar -xf`
    # would tie the job to one exact artifact.
    - name: Set up wasmtime
      run: |
        wget --no-verbose --output-document=wasmtime.tar.xz https://github.com/bytecodealliance/wasmtime/releases/download/${WASMTIME_VERSION}/${WASMTIME_NAME}.tar.xz
        tar -xf wasmtime.tar.xz
        chmod +x ${WASMTIME_NAME}/wasmtime
        mkdir -p $HOME/.cache/wasmtime
    # Register wasmtime as the wasm binary format handler.
    - run: echo -n ":wasm32-wasi:M::\x00asm:\xff\xff\xff\xff:$(pwd)/${WASMTIME_NAME}/wasmtime:" | sudo tee /proc/sys/fs/binfmt_misc/register
    # First write creates .bazelrc.local (>); the second appends to it (>>).
    - run: echo "build --config=wasi-wasm" >.bazelrc.local
    # The API key is passed through the environment and ends up in
    # .bazelrc.local in the workspace, readable by the steps that follow.
    - run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >>.bazelrc.local
      env:
        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
    - run: bazel test ...
# macOS build and test, followed by smoke runs of both browser front ends.
macos:
  strategy:
    fail-fast: false
    matrix:
      include:
        - os: macos-15
  runs-on: ${{ matrix.os }}
  timeout-minutes: 30
  steps:
    - uses: actions/checkout@v4
    # The API key is passed through the environment and written to
    # .bazelrc.local in the workspace, where later build steps can read it.
    - run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >.bazelrc.local
      env:
        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
    # This job invokes bazelisk; the Linux and Windows jobs invoke bazel.
    - run: bazelisk test //...
    - name: Run tui
      run: |
        echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html
        bazelisk run browser:tui file://$(pwd)/example.html
    # Reuses the example.html written by the previous step.
    - run: bazelisk run browser -- --exit-after-load file://$(pwd)/example.html
# Windows debug build and test with MSVC; run steps use bash.
windows-msvc:
  runs-on: windows-2025
  timeout-minutes: 30
  defaults:
    run:
      shell: bash
  steps:
    - uses: actions/checkout@v4
    - uses: actions/cache@v4
      with:
        path: ~/.cache/bazel
        key: windows_msvc-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }}
    # First write creates .bazelrc.local (>); the second appends to it (>>).
    - run: echo "build --disk_cache ~/.cache/bazel" >.bazelrc.local
    # The API key is passed through the environment and ends up in
    # .bazelrc.local in the workspace.
    - run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >>.bazelrc.local
      env:
        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
    - name: Test
      run: bazel test ... -c dbg
    # The page is served over HTTP here instead of file://. http.server serves
    # the current directory, which also holds .bazelrc.local with the API key;
    # --bind localhost keeps the listener off external interfaces.
    - name: Run tui
      run: |
        echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html
        python3 -m http.server --bind localhost 12345 &
        sleep 5 # Sometimes the server isn't ready by the time the tui starts.
        bazel run browser:tui -c dbg http://localhost:12345/example.html
    # NOTE(review): relies on the server backgrounded in the previous step
    # still listening on port 12345 - confirm it survives across steps.
    - run: bazel run browser -c dbg -- --exit-after-load http://localhost:12345/example.html
# Windows build and test with clang-cl; run steps use bash.
windows-clang-cl:
  runs-on: windows-2025
  timeout-minutes: 30
  defaults:
    run:
      shell: bash
  steps:
    - uses: actions/checkout@v4
    - uses: actions/cache@v4
      with:
        path: ~/.cache/bazel
        key: windows_clang_cl-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }}
    # First write creates .bazelrc.local (>); the following ones append (>>).
    - run: echo "build --config clang-cl" >.bazelrc.local
    - run: echo "build --disk_cache ~/.cache/bazel" >>.bazelrc.local
    # The API key is passed through the environment and ends up in
    # .bazelrc.local in the workspace.
    - run: echo "build --config=buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY}" >>.bazelrc.local
      env:
        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
    - run: bazel test ...
    # The page is served over HTTP here instead of file://. http.server serves
    # the current directory, which also holds .bazelrc.local with the API key;
    # --bind localhost keeps the listener off external interfaces.
    - name: Run tui
      run: |
        echo "<html><body><h1>Example</h1><p>This is an example page.</p></body></html>" >example.html
        python3 -m http.server --bind localhost 12345 &
        sleep 5 # Sometimes the server isn't ready by the time the tui starts.
        bazel run browser:tui http://localhost:12345/example.html
    # NOTE(review): relies on the server backgrounded in the previous step
    # still listening on port 12345 - confirm it survives across steps.
    - run: bazel run browser -- --exit-after-load http://localhost:12345/example.html
# Runs the repository's pre-commit hooks over every file.
pre-commit:
  runs-on: ubuntu-24.04
  timeout-minutes: 5
  steps:
    - uses: actions/checkout@v4
    # The tool is pinned to an exact release. The hooks it runs come from the
    # repository's pre-commit configuration, which is not shown here.
    - run: pipx install pre-commit==4.0.1
    - run: pre-commit run --all-files
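# Formatting gate: reformat every .h/.cpp file in place and fail if that
# changed anything.
clang-format:
  runs-on: ubuntu-24.04
  timeout-minutes: 5
  steps:
    - uses: actions/checkout@v4
    # The LLVM signing key is stored in its own keyring and bound to the LLVM
    # repository with signed-by, instead of being added to apt's global trust
    # store through the deprecated apt-key. The repository is fetched over
    # HTTPS. The key itself is still trusted on first download; there is no
    # fingerprint check.
    - name: Set up the llvm repository
      run: |
        sudo install -d -m 0755 /etc/apt/keyrings
        wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/keyrings/apt.llvm.org.asc >/dev/null
        echo "deb [signed-by=/etc/apt/keyrings/apt.llvm.org.asc] https://apt.llvm.org/noble/ llvm-toolchain-noble-19 main" | sudo tee /etc/apt/sources.list.d/apt.llvm.org.list >/dev/null
    - run: sudo apt-get update && sudo apt-get install --no-install-recommends clang-format-19
    - run: find . -name "*.h" -o -name "*.cpp" | xargs clang-format-19 -style=file -i
    # A non-empty diff means the checked-in code was not formatted.
    - run: git diff --exit-code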
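# Static analysis: builds everything with the clang-tidy configuration.
clang-tidy:
  runs-on: ubuntu-24.04
  timeout-minutes: 45
  steps:
    - uses: actions/checkout@v4
    - uses: actions/cache@v4
      with:
        path: ~/.cache/bazel
        key: clang_tidy-${{ hashFiles('.bazelversion', 'MODULE.bazel', 'third_party/**') }}
    # The LLVM signing key is stored in its own keyring and bound to the LLVM
    # repository with signed-by, instead of being added to apt's global trust
    # store through the deprecated apt-key. The repository is fetched over
    # HTTPS. The key itself is still trusted on first download; there is no
    # fingerprint check.
    - name: Set up the llvm repository
      run: |
        sudo install -d -m 0755 /etc/apt/keyrings
        wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/keyrings/apt.llvm.org.asc >/dev/null
        echo "deb [signed-by=/etc/apt/keyrings/apt.llvm.org.asc] https://apt.llvm.org/noble/ llvm-toolchain-noble-19 main" | sudo tee /etc/apt/sources.list.d/apt.llvm.org.list >/dev/null
    - run: sudo apt-get update && sudo apt-get install --no-install-recommends clang-tidy-19 libc++abi-19-dev libc++-19-dev
    - run: echo "CC=clang-19" >>$GITHUB_ENV && echo "CXX=clang++-19" >>$GITHUB_ENV
    # Make the unversioned `clang-tidy` command resolve to clang-tidy-19 and
    # print what was selected.
    - run: |
        sudo update-alternatives --install /usr/bin/clang-tidy clang-tidy /usr/bin/clang-tidy-19 100
        sudo update-alternatives --set clang-tidy /usr/bin/clang-tidy-19
        update-alternatives --query clang-tidy
        clang-tidy --version
    # NOTE(review): unlike the other jobs, the API key is passed as a bazel
    # command-line argument here rather than through .bazelrc.local, so it is
    # part of the process arguments for the duration of the build.
    - run: bazel build ... --config libc++ --config clang-tidy --config buildbuddy-cache-upload --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_API_KEY} --keep_going
      env:
        BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}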
# Lints the Bazel files with buildifier in diff mode.
buildifier:
  runs-on: ubuntu-24.04
  timeout-minutes: 5
  steps:
    - uses: actions/checkout@v4
    # NOTE(review): the release binary is pinned by version in the URL but is
    # executed without being checked against a known digest; verifying an
    # expected SHA-256 with `sha256sum -c` before running it would tie the job
    # to one exact artifact.
    - name: Install
      run: |
        wget --output-document=buildifier https://github.com/bazelbuild/buildtools/releases/download/v8.0.1/buildifier-linux-amd64
        sudo chmod +x buildifier
    - name: Check
      run: ./buildifier --lint=warn --warnings=all -mode diff $(find . -type f -iname "*.BUILD" -or -iname BUILD -or -iname "*.bzl" -or -iname "*.bazel")
# Formatting gate: run prettier in write mode and fail if it changed anything.
prettier:
  runs-on: ubuntu-24.04
  timeout-minutes: 5
  steps:
    - uses: actions/checkout@v4
    # NOTE(review): the package spec below was mangled by e-mail obfuscation
    # when this page was rendered; the real workflow file presumably pins an
    # exact version as prettier@<PINNED_VERSION> - restore it from the
    # repository.
    - run: npm install --global [email protected]
    # Prettier thinks our fragment shaders are JS-something and complains
    # about syntax errors.
    - run: npx prettier --ignore-path .gitignore --write . '!**/*.frag'
    # A non-empty diff means the checked-in files were not formatted.
    - run: git diff --exit-code
# Formatting gate for shell scripts: rewrite them with shfmt and fail if that
# changed anything.
shfmt:
  runs-on: ubuntu-24.04
  timeout-minutes: 5
  steps:
    - uses: actions/checkout@v4
    # NOTE(review): the release binary is pinned by version in the URL but is
    # executed without being checked against a known digest; verifying an
    # expected SHA-256 with `sha256sum -c` before running it would tie the job
    # to one exact artifact.
    - run: wget --output-document=shfmt https://github.com/mvdan/sh/releases/download/v3.10.0/shfmt_v3.10.0_linux_amd64 && chmod +x shfmt
    # `shfmt -f .` lists the shell files; they are rewritten with 2-space indent.
    - run: ./shfmt -i 2 -w $(./shfmt -f .)
    - run: git diff --exit-code
# Lints the commit messages of the commits that are not on origin/master.
gitlint:
  runs-on: ubuntu-24.04
  timeout-minutes: 5
  steps:
    # Full history (fetch-depth: 0) rather than the default shallow clone, so
    # the origin/master.. range below can be resolved.
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - run: pipx install gitlint-core==0.19.1
    - run: gitlint --commits origin/master..
# One active run per pull-request head branch: a newer run in the same group
# cancels the one in progress. github.head_ref is only set for pull requests,
# so other runs fall back to their unique run id and are never cancelled.
# NOTE(review): the group is the bare branch name, so pull requests from
# different forks that use the same branch name would share a group - confirm
# that is acceptable.
concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true