Allow specifying a maximum recursion for the deserializer #1072
Open
Collaborator
Well, that build failure is unfortunate. I suspect a breaking change or something in gitversion. Looks like an environment variable can be set to fix that. Not sure AppVeyor works, but I'll see if I can set something.
Collaborator
Also, there's a static deserializer builder now that will need to be updated.
EdwardCooke
reviewed
Jan 9, 2026
| /// Sets the maximum recursion that is allowed while building the object graph. | ||
| /// </summary> | ||
| /// <remarks> | ||
| /// Setting this limit is stringly recommended when parsing untrusted input since |
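Review bot: in the `<remarks>` line, "stringly recommended" should read "strongly recommended". The `<summary>` also leaves open what counts as one level of recursion and what the caller sees when the limit is exceeded; stating both would help callers who set this limit for untrusted input.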
Collaborator
Typo on stringly. Should probably be strongly.
EdwardCooke
reviewed
Jan 9, 2026
| private bool enforceNullability; | ||
| private bool caseInsensitivePropertyMatching; | ||
| private bool enforceRequiredProperties; | ||
| private int? maximumRecursion; |
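Review bot: `maximumRecursion` is declared as `int?` on the last line of this hunk, but nothing here says what `null` means or which values are valid. If `null` is meant as "no limit", a one-line comment saying so, plus rejecting zero or negative values where the field is assigned, would keep a misconfigured limit from silently removing the protection.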
Collaborator
We also need this on the StaticDeserializerBuilder. It's used by AoT compiled applications.
Collaborator
PR build should be fixed again.
Owner
Author
Thanks for the review, I'll work on the comments in the next days.
This adds a `WithMaximumRecursion` method to `DeserializerBuilder`. It allows limiting the maximum allowed depth when deserializing a document. This is particularly useful when parsing untrusted YAML, as allowing unbounded depth may lead to a stack overflow which might crash the process.

The signature of the method is the same as the one on `SerializerBuilder`, but in this case there is no default limit as adding one would be a breaking change.

I did reuse the existing `RecursionLevel` class to control the recursion but had to make a few adjustments as I felt it was useful to have the start and end markers in the exception. It was also necessary to add an overload to the `SerializerState` class to enable constructors with parameters.

I have added a few tests for both methods since the one on `SerializerBuilder` didn't have any.
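
An added example, not code from this PR or from YamlDotNet: a pre-parse depth check for callers on a release that does not have the proposed `WithMaximumRecursion` on `DeserializerBuilder`. It counts the syntactic nesting of mappings and sequences in the parser's event stream before the document reaches the deserializer; `DepthGuard`, `CheckDepth` and the limit of 64 are hypothetical, and it assumes the event-level parser does not itself recurse per nesting level.

```csharp
using System;
using System.IO;
using YamlDotNet.Core;
using YamlDotNet.Core.Events;
using YamlDotNet.Serialization;

public static class DepthGuard
{
    // Hypothetical helper: returns the deepest nesting of mappings and sequences,
    // or throws as soon as the nesting goes past maxDepth.
    public static int CheckDepth(string yaml, int maxDepth)
    {
        var parser = new Parser(new StringReader(yaml));
        int depth = 0, deepest = 0;
        while (parser.MoveNext())
        {
            var ev = parser.Current;
            if (ev is MappingStart || ev is SequenceStart)
            {
                if (++depth > maxDepth)
                    throw new InvalidDataException(
                        $"YAML nesting exceeds {maxDepth} at line {ev.Start.Line}, column {ev.Start.Column}");
                deepest = Math.Max(deepest, depth);
            }
            else if (ev is MappingEnd || ev is SequenceEnd)
            {
                depth--;
            }
        }
        return deepest;
    }

    public static void Main()
    {
        // Constructed inputs: a shallow document and 10,000 nested flow sequences.
        string shallow = "a:\n  b: [1, 2]\n";
        string hostile = new string('[', 10_000) + new string(']', 10_000);

        // Only documents that pass the check are handed to the deserializer.
        Console.WriteLine("depth: " + CheckDepth(shallow, 64));
        var value = new DeserializerBuilder().Build().Deserialize<object>(shallow);
        Console.WriteLine("deserialized: " + value.GetType().Name);

        try { CheckDepth(hostile, 64); }
        catch (InvalidDataException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The check sees only the nesting written in the document text, so it does not replace a limit enforced inside the deserializer while the object graph is built.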