doc/godebug.md | 7 +++++++ src/internal/godebugs/table.go | 1 + src/net/url/url.go | 23 +++++++++++++++++++++++ src/net/url/url_test.go | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ src/runtime/metrics/doc.go | 5 +++++ diff --git a/doc/godebug.md b/doc/godebug.md index 28a2dc506ef8fff8d650370d0fb541951d259017..184e161c40ab210acdfa404cd623b88699abae5f 100644 --- a/doc/godebug.md +++ b/doc/godebug.md @@ -163,6 +163,13 @@ `httpcookiemaxnum=0` will allow the cookie parsing to accept an indefinite number of cookies. To avoid denial of service attacks, this setting and default was backported to Go 1.25.2 and Go 1.24.8. +Go 1.26 added a new `urlmaxqueryparams` setting that controls the maximum number +of query parameters that net/url will accept when parsing a URL-encoded query string. +If the number of parameters exceeds the number set in `urlmaxqueryparams`, +parsing will fail early. The default value is `urlmaxqueryparams=10000`. +Setting `urlmaxqueryparams=0`bles the limit. To avoid denial of service attacks, +this setting and default was backported to Go 1.25.4 and Go 1.24.10. + Go 1.26 added a new `urlstrictcolons` setting that controls whether `net/url.Parse` allows malformed hostnames containing colons outside of a bracketed IPv6 address. The default `urlstrictcolons=1` rejects URLs such as `http://localhost:1:2` or `http://::1/`. diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go index 8f6d8bbdda656c853f7b5ef36f8e7ddb292e10ad..87b499385a7cdc9054caab71303db43b216ec33a 100644 --- a/src/internal/godebugs/table.go +++ b/src/internal/godebugs/table.go @@ -69,6 +69,7 @@ {Name: "tlssecpmlkem", Package: "crypto/tls", Changed: 26, Old: "0", Opaque: true}, {Name: "tlssha1", Package: "crypto/tls", Changed: 25, Old: "1"}, {Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"}, {Name: "updatemaxprocs", Package: "runtime", Changed: 25, Old: "0"}, + {Name: "urlmaxqueryparams", Package: "net/url", Changed: 24, Old: "0"}, {Name: "urlstrictcolons", Package: "net/url", Changed: 26, Old: "0"}, {Name: "winreadlinkvolume", Package: "os", Changed: 23, Old: "0"}, {Name: "winsymlink", Package: "os", Changed: 23, Old: "0"}, diff --git a/src/net/url/url.go b/src/net/url/url.go index 3acd202c2477f64a709fc1167cb20b9db153d5ba..202957a3a2d8bc4c2509a60dd58a096f0521375b 100644 --- a/src/net/url/url.go +++ b/src/net/url/url.go @@ -929,7 +929,30 @@ err := parseQuery(m, query) return m, err } +var urlmaxqueryparams = godebug.New("urlmaxqueryparams") + +const defaultMaxParams = 10000 + +func urlParamsWithinMax(params int) bool { + withinDefaultMax := params <= defaultMaxParams + if urlmaxqueryparams.Value() == "" { + return withinDefaultMax + } + customMax, err := strconv.Atoi(urlmaxqueryparams.Value()) + if err != nil { + return withinDefaultMax + } + withinCustomMax := customMax == 0 || params < customMax + if withinDefaultMax != withinCustomMax { + urlmaxqueryparams.IncNonDefault() + } + return withinCustomMax +} + func parseQuery(m Values, query string) (err error) { + if !urlParamsWithinMax(strings.Count(query, "&") + 1) { + return errors.New("number of URL query parameters exceeded limit") + } for query != "" { var key string key, query, _ = strings.Cut(query, "&") diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go index bb48bb6bee627eb2cade9c2202dd9e0d63841a3c..d099353eb2618cce57e13c7ce8140471ba8ec187 100644 --- a/src/net/url/url_test.go +++ b/src/net/url/url_test.go @@ -1521,6 +1521,54 @@ }) } } +func TestParseQueryLimits(t *testing.T) { + for _, test := range []struct { + params int + godebug string + wantErr bool + }{{ + params: 10, + wantErr: false, + }, { + params: defaultMaxParams, + wantErr: false, + }, { + params: defaultMaxParams + 1, + wantErr: true, + }, { + params: 10, + godebug: "urlmaxqueryparams=9", + wantErr: true, + }, { + params: defaultMaxParams + 1, + godebug: "urlmaxqueryparams=0", + wantErr: false, + }} { + t.Setenv("GODEBUG", test.godebug) + want := Values{} + var b strings.Builder + for i := range test.params { + if i > 0 { + b.WriteString("&") + } + p := fmt.Sprintf("p%v", i) + b.WriteString(p) + want[p] = []string{""} + } + query := b.String() + got, err := ParseQuery(query) + if gotErr, wantErr := err != nil, test.wantErr; gotErr != wantErr { + t.Errorf("GODEBUG=%v ParseQuery(%v params) = %v, want error: %v", test.godebug, test.params, err, wantErr) + } + if err != nil { + continue + } + if got, want := len(got), test.params; got != want { + t.Errorf("GODEBUG=%v ParseQuery(%v params): got %v params, want %v", test.godebug, test.params, got, want) + } + } +} + type RequestURITest struct { url *URL out string diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go index ca032f51b13533bae06f284ea5916759ce0e5199..6b774c36f35df5de7141c0da82470f24510c0284 100644 --- a/src/runtime/metrics/doc.go +++ b/src/runtime/metrics/doc.go @@ -404,6 +404,11 @@ /godebug/non-default-behavior/updatemaxprocs:events The number of non-default behaviors executed by the runtime package due to a non-default GODEBUG=updatemaxprocs=... setting. + /godebug/non-default-behavior/urlmaxqueryparams:events + The number of non-default behaviors executed by the net/url + package due to a non-default GODEBUG=urlmaxqueryparams=... + setting. + /godebug/non-default-behavior/urlstrictcolons:events The number of non-default behaviors executed by the net/url package due to a non-default GODEBUG=urlstrictcolons=...