-
Notifications
You must be signed in to change notification settings - Fork 566
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add configurable recursion limit #162
Comments
Relevant issue: serde-rs/serde#82 |
I added a recursion limit of 128 in #163. Are there any use cases that require this to be configurable? |
Nobody has complained. |
Hi I would like to possibly complain. I see that an option to disable the recursion limit was added https://docs.rs/serde_json/1.0.59/serde_json/struct.Deserializer.html#method.disable_recursion_limit But for my use case, I still want to make sure that there won't be some hugely nested JSON that I would need to deserialize and so I still want a max recursion limit, just one that is higher than the current default. |
obi1kenobi/cargo-semver-checks#108 would also very much benefit from a configurable limit. In particular, a configurable limit is much more palatable than any of the other alternative approaches I can see, listed here: obi1kenobi/cargo-semver-checks#108 (comment) |
It would be really nice to provide better protection from serialization attacks by allowing the nesting to be defined on a per-type level. Consider e.g. this example:
Now consider some attacker constructs a Also, one can imagine type layouts and encodings where a too deeply nested recursive type leads to a "decompression bomb". That is you have a relative small binary encoding, but if its deserialized it expands to something much larger leading to OOM. In such cases, you'd like to restrict the nesting depth to a significant smaller value than the current default. |
I am now complaining, @dtolnay, because the error message confused the heck out of me. And, it was hard for me to find out what exactly was the cause of the error. I thought this recursion limit was something Rustc injected. Obviously, that was laughable. But, it would be nice to have a better error message and documentation. Suggestions on error message and documentation:
Suggestions on configurable recursion limit:
|
We've talked about this before, but apparently we don't have a ticket. We should add a configurable depth counter to allow deserializers to limit how deep of a structure they can deserialize. This would help to avoid stack overflows from maliciously constructed objects.
The text was updated successfully, but these errors were encountered: