From 483529ee93a3ab510ab579d4d4cc644dba926ade Mon Sep 17 00:00:00 2001
From: princekhunt
Date: Wed, 20 Mar 2024 22:12:36 +0530
Subject: [PATCH] limit token size to 250 KB
---
 jose/jwe.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/jose/jwe.py b/jose/jwe.py
index 2c387ff4..1e0833e7 100644
--- a/jose/jwe.py
+++ b/jose/jwe.py
@@ -76,6 +76,11 @@ def decrypt(jwe_str, key):
 >>> jwe.decrypt(jwe_string, 'asecret128bitkey')
 'Hello, World!'
 """
+
+# limit the token size to 250 KB
+if len(jwe_str) > 250 * 1024:
+raise JWEError("JWE string exceeds 250 KB")
+
 header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
 
 # Verify that the implementation understands and can process all
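Review bot: The new size guard hard-codes `250 * 1024` twice (once in the comparison, once in the error text) and the docstring it follows does not mention the limit or that JWEError is raised for oversized input, so callers have no documented contract to rely on. Hoist the bound into a module-level constant and reference it from both places, e.g. `MAX_JWE_SIZE = 250 * 1024  # bytes; bounds work done before the compact string is parsed` at the top of the module and `if len(jwe_str) > MAX_JWE_SIZE:` here, and add a `:raises JWEError: if the compact string is longer than MAX_JWE_SIZE` line to the docstring. Note also that the message says "250 KB" while the bound is 250 KiB (256000), which is worth aligning so operators tuning the limit are not misled. If other entry points in this module also call `_jwe_compact_deserialize` on caller-supplied input (the module's header-inspection helper, presumably), they would need the same guard to get the same protection. The enclosing `decrypt` function starts before and continues after this hunk.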