1 change: 1 addition & 0 deletions changelog/68775.fixed.md
@@ -0,0 +1 @@
Remove the integer-to-string conversion limit for `test.fib` function.
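Review bot: the entry understates the scope of the change: the `sys.set_int_max_str_digits(0)` call added in the `salt/modules/test.py` hunk lifts the limit for the whole interpreter, not just for `test.fib`, and the inline review comment on that hunk makes the same point, so the changelog should say so, e.g. "Disable the integer-to-string conversion limit when `test.fib` runs so that large Fibonacci numbers can be returned (the limit is lifted process-wide)". The phrase "for `test.fib` function" is also missing its article ("for the `test.fib` function").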
6 changes: 6 additions & 0 deletions salt/modules/test.py
@@ -346,6 +346,12 @@ def fib(num):

salt '*' test.fib 3
"""
# Remove the limit on the number of digits in an int,
# as Fibonacci numbers grow very quickly.
# The default limit for integer string conversion is 4300 digits,
# which means that num > 20577 will fail with a ValueError.
sys.set_int_max_str_digits(0)

Contributor
The sys.set_int_max_str_digits(0) function changes the limit globally for the entire running Python process.

Because this is a standard execution module run by the Salt Minion or Master, executing test.fib will permanently drop the integer conversion security limit to 0 (disabled) for the entire lifelong daemon process. This re-opens the exact CVE vector (global string conversion DoS) that Python intentionally patched.


num = int(num)
if num < 0:
raise ValueError("Negative number is not allowed!")
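Review bot: the `sys.set_int_max_str_digits(0)` call is unconditional and is never undone, so the first `test.fib` invocation disables the limit for the remaining lifetime of the minion or master process, which is exactly what the review comment above objects to; the hunk's own comment even records the default (4300 digits) that is being thrown away. If the goal is only to let `fib` return very large numbers, keep the change local: read the current value with `sys.get_int_max_str_digits()`, lift it, and restore it in a `finally:` block that wraps both the computation and the conversion of the result, converting the result to a string inside `fib` while the limit is lifted (a bare `int` return would only move the `ValueError` to wherever the value is serialised outside this function, since the limit is enforced at `int`-to-`str` conversion). That way every other module in the daemon keeps the default protection. Also confirm that the lowest Python version Salt supports provides `sys.set_int_max_str_digits` (it was introduced together with the limit itself and backported to older maintenance releases); on an interpreter without it this line raises `AttributeError` before the `int(num)` check below is reached.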
5 changes: 5 additions & 0 deletions tests/pytests/integration/cli/test_salt_call.py
@@ -34,6 +34,11 @@ def test_fib(salt_call_cli):
assert ret.data[0] == 2


def test_fib_str_limit(salt_call_cli):
ret = salt_call_cli.run("test.fib", "20578")
assert ret.returncode == 0


def test_fib_txt_output(salt_call_cli):
ret = salt_call_cli.run("--output=txt", "test.fib", "3")
assert ret.returncode == 0
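Review bot: `test_fib_str_limit` asserts only `ret.returncode == 0`, so it would also pass if the command succeeded for an unrelated reason and says nothing about the returned value. Assert on the payload as `test_fib` does with `ret.data[0]`, for example that the returned number has more than the 4300 digits the module comment cites as the default limit, and consider a negative control at the boundary (`"20577"`) so a regression in either direction is caught. Bear in mind that the pytest process is subject to the same default limit when it parses or stringifies the value, so compare against the raw output text or lift the limit locally inside the test rather than relying on `str()` of the parsed `int`.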