75a05fc2b3
This series fixes two vulnerabilities: unbounded recursion during expression evaluation with deeply nested expressions quadratic computation with large WHERE clauses The fixes simply bound the depth of recursion and the length of the WHERE clause. The WHERE clause limits are configurable. Nesting is less likely to be exceeded, so not configurable. Limits inspired by Common Expression Language: https://github.com/google/cel-spec/blob/master/doc/langdef.md#syntax Implementations are required to support at least: 24-32 repetitions of repeating rules 12 repetitions of recursive rules CVE-2026-31948 CVE-2026-31947 Fixes https://scylladb.atlassian.net/browse/SCYLLADB-1003 Fixes https://scylladb.atlassian.net/browse/SCYLLADB-1002 Fixes https://github.com/scylladb/scylladb/issues/14472 Closes scylladb/scylladb-ghsa-m4h7-g37h-mgxf#3 * github.com:scylladb/scylladb-ghsa-m4h7-g37h-mgxf: cql3: limit number of relations in WHERE clause cql3: add max_relations_in_where_clause to dialect test/cqlpy: add tests for WHERE clause relation count limit cql3: limit nesting depth of function calls and CASTs in CQL parser test/cqlpy: add tests for deeply nested function calls and CASTs
Scylla in-source tests.
For details on how to run the tests, see docs/dev/testing.md
Shared C++ utils, libraries are in lib/, for Python - pylib/
alternator - Python tests which connect to a single server and use the DynamoDB API unit, boost, raft - unit tests in C++ cqlpy - Python tests which connect to a single server and use CQL topology* - tests that set up clusters and add/remove nodes cql - approval tests that use CQL and pre-recorded output rest_api - tests for Scylla REST API Port 9000 scylla-gdb - tests for scylla-gdb.py helper script nodetool - tests for C++ implementation of nodetool
If you can use an existing folder, consider adding your test to it. New folders should be used for new large categories/subsystems, or when the test environment is significantly different from some existing suite, e.g. you plan to start scylladb with different configuration, and you intend to add many tests and would like them to reuse an existing Scylla cluster (clusters can be reused for tests within the same folder).
To add a new folder, create a new directory, and then
copy & edit its suite.ini.