Made parsing of id field of Socket.IO packet faster and more robust

miguelgrinberg · miguelgrinberg · commit 09cb411776b9 · 2021-04-13T00:11:00.000+01:00
diff --git a/socketio/packet.py b/socketio/packet.py
@@ -95,10 +95,16 @@ def decode(self, encoded_packet):
             if q != -1:
                 self.namespace = self.namespace[0:q]
         if ep and ep[0].isdigit():
-            self.id = 0
-            while ep and ep[0].isdigit():
-                self.id = self.id * 10 + int(ep[0])
-                ep = ep[1:]
+            i = 1
+            end = len(ep)
+            while i < end:
+                if not ep[i].isdigit() or i >= 100:
+                    break
+                i += 1
+            self.id = int(ep[:i])
+            ep = ep[i:]
+            if len(ep) > 0 and ep[0].isdigit():
+                raise ValueError('id field is too long')
         if ep:
             self.data = self.json.loads(ep)
         return attachment_count
diff --git a/tests/common/test_packet.py b/tests/common/test_packet.py
@@ -157,6 +157,16 @@ def test_decode_id(self):
         assert pkt.id == 123
         assert pkt.encode() == '2123["foo"]'
 
+    def test_decode_id_long(self):
+        pkt = packet.Packet(encoded_packet='2' + '1' * 100 + '["foo"]')
+        assert pkt.id == int('1' * 100)
+        assert pkt.data == ['foo']
+
+    def test_decode_id_too_long(self):
+        with pytest.raises(ValueError):
+            packet.Packet(encoded_packet='2' + '1' * 101)
+            packet.Packet(encoded_packet='2' + '1' * 101 + '["foo"]')
+
     def test_encode_id_no_data(self):
         pkt = packet.Packet(packet_type=packet.EVENT, id=123)
         assert pkt.id == 123
