jchampio
diff --git a/‎src/test/python/client/test_oauth.py
Lines changed: 68 additions & 6 deletions b/‎src/test/python/client/test_oauth.py
Lines changed: 68 additions & 6 deletions
diff --git a/‎src/test/python/requirements.txt
Lines changed: 1 addition & 1 deletion b/‎src/test/python/requirements.txt
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/test/python/test_pq3.py
Lines changed: 28 additions & 28 deletions b/‎src/test/python/test_pq3.py
Lines changed: 28 additions & 28 deletions
@@ -1538,6 +1538,16 @@ def alt_patterns(*patterns):
             r"failed to obtain device authorization: response is too large",
             id="gigantic authz response",
         ),
+        pytest.param(
+            (200, RawResponse('{"":' + "[" * 16)),
+            r"failed to parse device authorization: JSON is too deeply nested",
+            id="overly nested authz response array",
+        ),
+        pytest.param(
+            (200, RawResponse('{"":' * 17)),
+            r"failed to parse device authorization: JSON is too deeply nested",
+            id="overly nested authz response object",
+        ),
         pytest.param(
             (400, {}),
             r'failed to parse token error response: field "error" is missing',
@@ -1709,6 +1719,16 @@ def token_endpoint(headers, params):
             r"failed to obtain access token: response is too large",
             id="gigantic token response",
         ),
+        pytest.param(
+            (200, RawResponse('{"":' + "[" * 16)),
+            r"failed to parse access token response: JSON is too deeply nested",
+            i
57AE
d="overly nested token response array",
+        ),
+        pytest.param(
+            (200, RawResponse('{"":' * 17)),
+            r"failed to parse access token response: JSON is too deeply nested",
+            id="overly nested token response object",
+        ),
         pytest.param(
             (400, {}),
             r'failed to parse token error response: field "error" is missing',
@@ -2004,7 +2024,7 @@ def token_endpoint(headers, params):
             id="bad JSON: invalid syntax",
         ),
         pytest.param(
-            b"\xFF\xFF\xFF\xFF",
+            b"\xff\xff\xff\xff",
             "server's error response is not valid UTF-8",
             id="bad JSON: invalid encoding",
         ),
@@ -2146,7 +2166,7 @@ def test_oauth_discovery_server_error(accept, response, expected_error):
             id="NULL bytes in document",
         ),
         pytest.param(
-            (200, RawBytes(b"blah\xFFblah")),
+            (200, RawBytes(b"blah\xffblah")),
             r"failed to parse OpenID discovery document: response is not valid UTF-8",
             id="document is not UTF-8",
         ),
@@ -2288,6 +2308,22 @@ def test_oauth_discovery_server_error(accept, response, expected_error):
             r"failed to fetch OpenID discovery document: response is too large",
             id="gigantic discovery response",
         ),
+        pytest.param(
+            (
+                200,
+                RawResponse('{"":' + "[" * 16),
+            ),
+            r"failed to parse OpenID discovery document: JSON is too deeply nested",
+            id="overly nested discovery response array",
+        ),
+        pytest.param(
+            (
+                200,
+                RawResponse('{"":' * 17),
+            ),
+            r"failed to parse OpenID discovery document: JSON is too deeply nested",
+            id="overly nested discovery response object",
+        ),
         pytest.param(
             (
                 200,
@@ -2382,6 +2418,15 @@ def failing_discovery_handler(headers, params):
             "server rejected OAuth bearer token: invalid_request",
             id="standard server error: invalid_request",
         ),
+        pytest.param(
+            {"": [[[[[[[]]]]]]], "status": "invalid_request"},
+            pq3.types.ErrorResponse,
+            dict(
+                fields=[b"SFATAL", b"C28000", b"Mexpected error message", b""],
+            ),
+            "server rejected OAuth bearer token: invalid_request",
+            id="standard server error: invalid_request with ignored array",
+        ),
         pytest.param(
             {"status": "invalid_token"},
             pq3.types.ErrorResponse,
@@ -2412,6 +2457,20 @@ def failing_discovery_handler(headers, params):
             "duplicate SASL authentication request",
             id="broken server: SASL reinitialization after error",
         ),
+        pytest.param(
+            RawResponse('{"":' + "[" * 8),
+            pq3.types.AuthnRequest,
+            dict(type=pq3.authn.SASL, body=[b"OAUTHBEARER", b""]),
+            "JSON is too deeply nested",
+            id="broken server: overly nested JSON response array",
+        ),
+        pytest.param(
+            RawResponse('{"":' * 9),
+            pq3.types.AuthnRequest,
+            dict(type=pq3.authn.SASL, body=[b"OAUTHBEARER", b""]),
+            "JSON is too deeply nested",
+            id="broken server: overly nested JSON response object",
+        ),
     ],
 )
 def test_oauth_server_error(
@@ -2439,12 +2498,15 @@ def bearer_hook(typ, pgconn, request):
             start_oauth_handshake(conn)
 
             # Ignore the client data. Return an error "challenge".
-            if "openid-configuration" in sasl_err:
-                sasl_err["openid-configuration"] = wkuri
+            if isinstance(sasl_err, RawResponse):
+                resp = sasl_err
+            else:
+                if "openid-configuration" in sasl_err:
+                    sasl_err["openid-configuration"] = wkuri
 
-            resp = json.dumps(sasl_err)
-            resp = resp.encode("utf-8")
+                resp = json.dumps(sasl_err)
 
+            resp = resp.encode("utf-8")
             pq3.send(
                 conn, pq3.types.AuthnRequest, type=pq3.authn.SASLContinue, body=resp
             )
 
@@ -1,4 +1,4 @@
-black
+black~=25.0
 # cryptography 35.x and later add many platform/toolchain restrictions, beware
 cryptography~=3.4.8
 # TODO: figure out why 2.10.70 broke things
 
@@ -39,7 +39,7 @@
             id="1-byte payload and extra padding",
         ),
         pytest.param(
-            b"\x00\x00\x00\x0B\x00\x03\x00\x00hi\x00",
+            b"\x00\x00\x00\x0b\x00\x03\x00\x00hi\x00",
             Container(len=11, proto=pq3.protocol(3, 0), payload=[b"hi"]),
             b"",
             id="implied parameter list when using proto version 3.0",
@@ -64,7 +64,7 @@ def test_Startup_parse(raw, expected, extra):
         ),
         pytest.param(
             dict(len=10, proto=0x12345678),
-            b"\x00\x00\x00\x0A\x12\x34\x56\x78\x00\x00",
+            b"\x00\x00\x00\x0a\x12\x34\x56\x78\x00\x00",
             id="len and proto set explicitly",
         ),
         pytest.param(
@@ -74,7 +74,7 @@ def test_Startup_parse(raw, expected, extra):
         ),
         pytest.param(
             dict(proto=0x12345678, payload=b"abcd"),
-            b"\x00\x00\x00\x0C\x12\x34\x56\x78abcd",
+            b"\x00\x00\x00\x0c\x12\x34\x56\x78abcd",
             id="implied len with payload",
         ),
         pytest.param(
@@ -84,7 +84,7 @@ def test_Startup_parse(raw, expected, extra):
         ),
         pytest.param(
             dict(payload=[b"hi", b""]),
-            b"\x00\x00\x00\x0C\x00\x03\x00\x00hi\x00\x00",
+            b"\x00\x00\x00\x0c\x00\x03\x00\x00hi\x00\x00",
             id="implied proto version 3 and len when sending more than one parameter",
         ),
         pytest.param(
@@ -131,7 +131,7 @@ def test_Startup_build(packet, expected_bytes):
             id="AuthenticationOk",
         ),
         pytest.param(
-            b"R\x00\x00\x00\x12\x00\x00\x00\x0AEXTERNAL\x00\x00",
+            b"R\x00\x00\x00\x12\x00\x00\x00\x0aEXTERNAL\x00\x00",
             dict(
                 type=pq3.types.AuthnRequest,
                 len=18,
@@ -141,7 +141,7 @@ def test_Startup_build(packet, expected_bytes):
             id="AuthenticationSASL",
         ),
         pytest.param(
-            b"R\x00\x00\x00\x0D\x00\x00\x00\x0B12345",
+            b"R\x00\x00\x00\x0d\x00\x00\x00\x0b12345",
             dict(
                 type=pq3.types.AuthnRequest,
                 len=13,
@@ -151,7 +151,7 @@ def test_Startup_build(packet, expected_bytes):
             id="AuthenticationSASLContinue",
         ),
         pytest.param(
-            b"R\x00\x00\x00\x0D\x00\x00\x00\x0C12345",
+            b"R\x00\x00\x00\x0d\x00\x00\x00\x0c12345",
             dict(
                 type=pq3.types.AuthnRequest,
                 len=13,
@@ -161,7 +161,7 @@ def test_Startup_build(packet, expected_bytes):
             id="AuthenticationSASLFinal",
         ),
         pytest.param(
-            b"p\x00\x00\x00\x0Bhunter2",
+            b"p\x00\x00\x00\x0bhunter2",
             dict(
                 type=pq3.types.PasswordMessage,
                 len=11,
@@ -171,7 +171,7 @@ def test_Startup_build(packet, expected_bytes):
             id="PasswordMessage",
         ),
         pytest.param(
-            b"K\x00\x00\x00\x0C\x00\x00\x00\x00\x12\x34\x56\x78",
+            b"K\x00\x00\x00\x0c\x00\x00\x00\x00\x12\x34\x56\x78",
             dict(
                 type=pq3.types.BackendKeyData,
                 len=12,
@@ -219,7 +219,7 @@ def test_Startup_build(packet, expected_bytes):
             id="Query",
         ),
         pytest.param(
-            b"D\x00\x00\x00\x0B\x00\x01\x00\x00\x00\x01!",
+            b"D\x00\x00\x00\x0b\x00\x01\x00\x00\x00\x01!",
             dict(type=pq3.types.DataRow, len=11, payload=dict(columns=[b"!"])),
             b"",
             id="DataRow",
@@ -237,9 +237,9 @@ def test_Startup_build(packet, expected_bytes):
             id="EmptyQueryResponse",
         ),
         pytest.param(
-            b"I\x00\x00\x00\x04\xFF",
+            b"I\x00\x00\x00\x04\xff",
             dict(type=b"I", len=4, payload=None),
-            b"\xFF",
+            b"\xff",
             id="EmptyQueryResponse with extra bytes",
         ),
         pytest.param(
@@ -278,7 +278,7 @@ def test_Pq3_parse(raw, expected, extra):
         ),
         pytest.param(
             dict(type=b"*", len=12, payload=b"1234"),
-            b"*\x00\x00\x00\x0C1234",
+            b"*\x00\x00\x00\x0c1234",
             id="overridden len (payload underflow)",
         ),
         pytest.param(
@@ -299,36 +299,36 @@ def test_Pq3_parse(raw, expected, extra):
                     body=[b"SCRAM-SHA-256-PLUS", b"SCRAM-SHA-256", b""],
                 ),
             ),
-            b"R\x00\x00\x00\x2A\x00\x00\x00\x0ASCRAM-SHA-256-PLUS\x00SCRAM-SHA-256\x00\x00",
+            b"R\x00\x00\x00\x2a\x00\x00\x00\x0aSCRAM-SHA-256-PLUS\x00SCRAM-SHA-256\x00\x00",
             id="implied len/type for AuthenticationSASL",
         ),
         pytest.param(
             dict(
                 type=pq3.types.AuthnRequest,
                 payload=dict(type=pq3.authn.SASLContinue, body=b"12345"),
             ),
-            b"R\x00\x00\x00\x0D\x00\x00\x00\x0B12345",
+            b"R\x00\x00\x00\x0d\x00\x00\x00\x0b12345",
             id="implied len/type for AuthenticationSASLContinue",
         ),
         pytest.param(
             dict(
                 type=pq3.types.AuthnRequest,
                 payload=dict(type=pq3.authn.SASLFinal, body=b"12345"),
             ),
-            b"R\x00\x00\x00\x0D\x00\x00\x00\x0C12345",
+            b"R\x00\x00\x00\x0d\x00\x00\x00\x0c12345",
             id="implied len/type for AuthenticationSASLFinal",
         ),
         pytest.param(
             dict(
                 type=pq3.types.PasswordMessage,
                 payload=b"hunter2",
             ),
-            b"p\x00\x00\x00\x0Bhunter2",
+            b"p\x00\x00\x00\x0bhunter2",
             id="implied len/type for PasswordMessage",
         ),
         pytest.param(
             dict(type=pq3.types.BackendKeyData, payload=dict(pid=1, key=7)),
-            b"K\x00\x00\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x07",
+            b"K\x00\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x00\x07",
             id="implied len/type for BackendKeyData",
         ),
         pytest.param(
@@ -338,7 +338,7 @@ def test_Pq3_parse(raw, expected, extra):
         ),
         pytest.param(
             dict(type=pq3.types.ErrorResponse, payload=dict(fields=[b"error", b""])),
-            b"E\x00\x00\x00\x0Berror\x00\x00",
+            b"E\x00\x00\x00\x0berror\x00\x00",
             id="implied len/type for ErrorResponse",
         ),
         pytest.param(
@@ -358,7 +358,7 @@ def test_Pq3_parse(raw, expected, extra):
         ),
         pytest.param(
             dict(type=pq3.types.DataRow, payload=dict(columns=[b"abcd"])),
-            b"D\x00\x00\x00\x0E\x00\x01\x00\x00\x00\x04abcd",
+            b"D\x00\x00\x00\x0e\x00\x01\x00\x00\x00\x04abcd",
             id="implied len/type for DataRow",
         ),
         pytest.param(
@@ -406,7 +406,7 @@ def test_Pq3_build(fields, expected):
             id="empty column value",
         ),
         pytest.param(
-            b"\x00\x02\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+            b"\x00\x02\xff\xff\xff\xff\xff\xff\xff\xff",
             dict(columns=[None, None]),
             b"",
             id="null columns",
@@ -433,7 +433,7 @@ def test_DataRow_parse(raw, expected, extra):
         ),
         pytest.param(
             dict(columns=[None, None]),
-            b"\x00\x02\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF",
+            b"\x00\x02\xff\xff\xff\xff\xff\xff\xff\xff",
             id="null columns",
         ),
     ],
@@ -449,7 +449,7 @@ def test_DataRow_build(fields, expected):
     "raw,expected,exception",
     [
         pytest.param(
-            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            b"EXTERNAL\x00\xff\xff\xff\xff",
             dict(name=b"EXTERNAL", len=-1, data=None),
             None,
             id="no initial response",
@@ -467,7 +467,7 @@ def test_DataRow_build(fields, expected):
             id="extra data",
         ),
         pytest.param(
-            b"EXTERNAL\x00\x00\x00\x00\xFFme",
+            b"EXTERNAL\x00\x00\x00\x00\xffme",
             None,
             StreamError,
             id="underflow",
@@ -489,12 +489,12 @@ def test_SASLInitialResponse_parse(raw, expected, exception):
     [
         pytest.param(
             dict(name=b"EXTERNAL"),
-            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            b"EXTERNAL\x00\xff\xff\xff\xff",
             id="no initial response",
         ),
         pytest.param(
             dict(name=b"EXTERNAL", data=None),
-            b"EXTERNAL\x00\xFF\xFF\xFF\xFF",
+            b"EXTERNAL\x00\xff\xff\xff\xff",
             id="no initial response (explicit None)",
         ),
         pytest.param(
@@ -504,7 +504,7 @@ def test_SASLInitialResponse_parse(raw, expected, exception):
         ),
         pytest.param(
             dict(name=b"EXTERNAL", data=b"me@example.com"),
-            b"EXTERNAL\x00\x00\x00\x00\x0Eme@example.com",
+            b"EXTERNAL\x00\x00\x00\x00\x0eme@example.com",
             id="initial response",
         ),
         pytest.param(
@@ -514,7 +514,7 @@ def test_SASLInitialResponse_parse(raw, expected, exception):
         ),
         pytest.param(
             dict(name=b"EXTERNAL", len=14, data=b"me"),
-            b"EXTERNAL\x00\x00\x00\x00\x0Eme",
+            b"EXTERNAL\x00\x00\x00\x00\x0eme",
             id="data underflow",
         ),
     ],
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-black`
	`1`	`+black~=25.0`
`2`	`2`	`# cryptography 35.x and later add many platform/toolchain restrictions, beware`
`3`	`3`	`cryptography~=3.4.8`
`4`	`4`	`# TODO: figure out why 2.10.70 broke things`