[4.3.x] cherrypicks (#1460)

Signed-off-by: Adrian Palacios <accorell@amazon.com> Signed-off-by: Craig Disselkoen <cdiss@amazon.com> Co-authored-by: Adrian Palacios <73246657+adpaco-aws@users.noreply.github.com>
cedar-policy · Feb 7, 2025 · 7a80808 · 7a80808
1 parent 69036a2
commit 7a80808
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 10 deletions.
diff --git a/cedar-policy-core/src/evaluator.rs b/cedar-policy-core/src/evaluator.rs
@@ -34,7 +34,6 @@ use itertools::{Either, Itertools};
 use nonempty::nonempty;
 use smol_str::SmolStr;
 
-#[cfg(not(target_arch = "wasm32"))]
 const REQUIRED_STACK_SPACE: usize = 1024 * 100;
 
 // PANIC SAFETY `Name`s in here are valid `Name`s
@@ -1108,11 +1107,9 @@ impl Value {
 
 #[inline(always)]
 fn stack_size_check() -> Result<()> {
-    #[cfg(not(target_arch = "wasm32"))]
-    {
-        if stacker::remaining_stack().unwrap_or(0) < REQUIRED_STACK_SPACE {
-            return Err(EvaluationError::recursion_limit(None));
-        }
+    // We assume there's enough space if we cannot determine it with `remaining_stack`
+    if stacker::remaining_stack().unwrap_or(REQUIRED_STACK_SPACE) < REQUIRED_STACK_SPACE {
+        return Err(EvaluationError::recursion_limit(None));
     }
     Ok(())
 }

diff --git a/cedar-policy-core/src/evaluator/err.rs b/cedar-policy-core/src/evaluator/err.rs
@@ -321,7 +321,6 @@ impl EvaluationError {
     }
 
     /// Construct a [`RecursionLimit`] error
-    #[cfg(not(target_arch = "wasm32"))]
     pub(crate) fn recursion_limit(source_loc: Option<Loc>) -> Self {
         evaluation_errors::RecursionLimitError { source_loc }.into()
     }

diff --git a/cedar-policy-validator/src/typecheck.rs b/cedar-policy-validator/src/typecheck.rs
@@ -47,7 +47,6 @@ use cedar_policy_core::{
     expr_builder::ExprBuilder as _,
 };
 
-#[cfg(not(target_arch = "wasm32"))]
 const REQUIRED_STACK_SPACE: usize = 1024 * 100;
 
 /// Basic result for typechecking
@@ -352,8 +351,8 @@ impl<'a> SingleEnvTypechecker<'a> {
         e: &'b Expr,
         type_errors: &mut Vec<ValidationError>,
     ) -> TypecheckAnswer<'b> {
-        #[cfg(not(target_arch = "wasm32"))]
-        if stacker::remaining_stack().unwrap_or(0) < REQUIRED_STACK_SPACE {
+        // We assume there's enough space if we cannot determine it with `remaining_stack`
+        if stacker::remaining_stack().unwrap_or(REQUIRED_STACK_SPACE) < REQUIRED_STACK_SPACE {
             return TypecheckAnswer::RecursionLimit;
         }
 

diff --git a/cedar-policy/src/api.rs b/cedar-policy/src/api.rs
@@ -873,6 +873,11 @@ impl Authorizer {
     /// The authorizer uses the `stacker` crate to manage stack size and tries to use a sane default.
     /// If the default is not right for you, you can try wrapping the authorizer or individual calls
     /// to `is_authorized` in `stacker::grow`.
+    /// Note that on platforms not supported by `stacker` (e.g., Wasm, Android),
+    /// the authorizer will simply assume that the stack size is sufficient. As a result, large inputs
+    /// may result in stack overflows and crashing the process.
+    /// But on all platforms supported by `stacker` (Linux, macOS, ...), Cedar will return the
+    /// graceful error `RecursionLimit` instead of crashing.
     /// ```
     /// # use cedar_policy::{Authorizer, Context, Entities, EntityId, EntityTypeName,
     /// # EntityUid, Request,PolicySet};