Summary
The analyze function in backend/app/services/ast_analyzer.py uses the standard library ast.parse() to analyze incoming Python code snippets. However, ast.parse() is vulnerable to C-level stack exhaustion when given extremely deeply nested expressions (e.g., ((((...))))). This crashes the underlying CPython process, causing a complete Denial of Service for the application server.
Impact
An attacker can submit a relatively small payload containing 5000+ nested brackets, crashing the FastAPI server worker instantly, with no preceding memory or CPU pressure that monitoring could warn on.
Proposed Fix
Implement a pre-flight depth check that aborts before ast.parse() is executed if consecutive opening brackets exceed a safe limit (e.g., 150).
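One way to implement the proposed pre-flight check, as an added example that is not code from the project: it walks the token stream (so brackets inside string literals and comments are not counted), stops as soon as the nesting limit is exceeded, and only then hands the snippet to ast.parse(). The names bracket_depth, safe_parse and NestingTooDeep are hypothetical, not identifiers from ast_analyzer.py.

```python
import ast
import io
import tokenize

# Limit suggested in the report; tune for the largest legitimate snippet expected.
MAX_NESTING_DEPTH = 150

OPENERS = {"(", "[", "{"}
CLOSERS = {")", "]", "}"}


class NestingTooDeep(ValueError):
    """Raised before ast.parse() runs when bracket nesting exceeds the limit."""


def bracket_depth(source: str, max_depth: int = MAX_NESTING_DEPTH) -> int:
    """Return the deepest bracket nesting in `source`, or raise NestingTooDeep.

    Only OP tokens are counted, so "((((" inside a string literal or a comment
    is ignored. The scan aborts on the first token that crosses `max_depth`,
    so a hostile payload is rejected without reading the whole thing.
    """
    depth = deepest = 0
    try:
        for tok in tokenize.generate_tokens(io.StringIO(source).readline):
            if tok.type != tokenize.OP:
                continue
            if tok.string in OPENERS:
                depth += 1
                if depth > max_depth:
                    raise NestingTooDeep(
                        f"bracket nesting exceeds {max_depth} at line {tok.start[0]}"
                    )
                deepest = max(deepest, depth)
            elif tok.string in CLOSERS:
                depth = max(depth - 1, 0)  # tolerate unbalanced input
    except (tokenize.TokenError, SyntaxError):
        # Unterminated string/bracket etc.: not a depth problem. Return what was
        # seen and let ast.parse() report the real syntax error.
        pass
    return deepest


def safe_parse(source: str, max_depth: int = MAX_NESTING_DEPTH) -> ast.AST:
    """Depth-check first, then parse. Raises NestingTooDeep on hostile input."""
    bracket_depth(source, max_depth)
    return ast.parse(source)
```

The caller (the analyze endpoint) should map NestingTooDeep to a 4xx response rather than letting it propagate as a server error.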