[3.13] gh-149231: tomllib: Limit the number of parts in a key (GH-149233) (GH-149815) (#149848)

encukou · StanFromIreland · web-flow · commit 743482a87e37 · 2026-06-09T22:20:07.000+02:00
[3.14] gh-149231: tomllib: Limit the number of parts in a key (GH-149233) (GH-149815) (cherry picked from commit bc7c102) (cherry picked from commit 724a5e5) Co-authored-by: Stan Ulbrych <stan@python.org>
diff --git a/Lib/test/test_tomllib/test_misc.py b/Lib/test/test_tomllib/test_misc.py
@@ -113,3 +113,16 @@ def test_inline_table_recursion_limit(self):
                               nest_count=nest_count):
                 recursive_table_toml = nest_count * "key = {" + nest_count * "}"
                 tomllib.loads(recursive_table_toml)
+
+    def test_key_recursion_limit(self):
+        nest_count = tomllib._parser.MAX_KEY_PARTS - 2
+        nested_key_toml = "a." * nest_count + "a = 1"
+        tomllib.loads(nested_key_toml)
+
+        nest_count = tomllib._parser.MAX_KEY_PARTS + 2
+        nested_key_toml = "a." * nest_count + "a = 1"
+        with self.assertRaisesRegex(
+            RecursionError,
+            r"TOML key has more than the allowed [0-9]+ parts",
+        ):
+            tomllib.loads(nested_key_toml)
diff --git a/Lib/tomllib/_parser.py b/Lib/tomllib/_parser.py
@@ -6,8 +6,9 @@
 
 from collections.abc import Iterable
 import string
+import sys
 from types import MappingProxyType
-from typing import Any, BinaryIO, NamedTuple
+from typing import Any, BinaryIO, NamedTuple, Final
 
 from ._re import (
     RE_DATETIME,
@@ -19,6 +20,13 @@
 )
 from ._types import Key, ParseFloat, Pos
 
+# Pathologically excessive number of parts in a key runs into quadratic
+# behavior (e.g. in Flags.is_).
+# Even if keys aren't currently parsed using recursion, they name a
+# recursive structure, so it makes sense to limit it using getrecursionlimit()
+# and RecursionError.
+MAX_KEY_PARTS: Final = sys.getrecursionlimit()
+
 ASCII_CTRL = frozenset(chr(i) for i in range(32)) | frozenset(chr(127))
 
 # Neither of these sets include quotation mark or backslash. They are
@@ -385,6 +393,10 @@ def parse_key(src: str, pos: Pos) -> tuple[Pos, Key]:
         pos = skip_chars(src, pos, TOML_WS)
         pos, key_part = parse_key_part(src, pos)
         key += (key_part,)
+        if len(key) > MAX_KEY_PARTS:
+            raise RecursionError(
+                f"TOML key has more than the allowed {MAX_KEY_PARTS} parts"
+            )
         pos = skip_chars(src, pos, TOML_WS)
 
 
diff --git a/Misc/NEWS.d/next/Library/2026-05-01-16-45-31.gh-issue-149231.x2nBEE.rst b/Misc/NEWS.d/next/Library/2026-05-01-16-45-31.gh-issue-149231.x2nBEE.rst
@@ -0,0 +1 @@
+In :mod:`tomllib`, the number of parts in TOML keys is now limited.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+In :mod:`tomllib`, the number of parts in TOML keys is now limited.