miantalha45 opened a new pull request, #3382:
URL: https://github.com/apache/fory/pull/3382
## What does this PR do?
Adds depth limiting for deserialization to prevent stack overflow and
denial-of-service attacks from maliciously crafted deeply nested data
structures.
## Why is this needed?
Without depth limits, an attacker could send deeply nested serialized data
that causes stack overflow during deserialization, crashing the application or
causing resource exhaustion.
## Implementation
- Added `maxDepth` config option (default: 50, minimum: 2)
- Depth tracked only during deserialization (security-focused)
- Integrated into code generator with try/finally for proper cleanup
- Comprehensive test coverage (29 tests)
## Usage
```typescript
const fory = new Fory({ maxDepth: 100 });
```
## Consistency
Follows the same pattern as Java and Python implementations for
cross-language alignment.
Fixes #3335
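The maxDepth mechanism this PR describes, as an added illustration that is not Fory's code: a hypothetical DepthLimitedReader for a constructed two-tag format counts depth on entry to each nested read, rejects the value once the count passes maxDepth (default 50, minimum 2), and decrements in finally so a rejected payload leaves the reader back at depth 0. The format, the class and the helpers nestedList and isRejected are assumptions made for the example.

```typescript
// Added example (not Fory's code): a hypothetical recursive decoder for a constructed
// format (0x01 + big-endian int32, or 0x02 + 1-byte count + nested values) that applies
// the PR's depth-limit pattern: count on entry, reject past maxDepth, restore in finally.
const TAG_INT = 0x01;
const TAG_LIST = 0x02;
type Value = number | Value[];
class DepthLimitedReader {
  readonly maxDepth: number;
  private depth = 0; // nesting level, tracked only while deserializing
  private pos = 0;
  constructor(private readonly buf: Uint8Array, opts: { maxDepth?: number } = {}) {
    const requested = opts.maxDepth ?? 50; // default 50, minimum 2, as in the PR
    if (!Number.isInteger(requested) || requested < 2) throw new RangeError(`bad maxDepth ${requested}`);
    this.maxDepth = requested;
  }
  get currentDepth(): number { return this.depth; }
  read(): Value {
    this.depth++;
    try {
      if (this.depth > this.maxDepth) throw new Error(`depth ${this.depth} exceeds maxDepth ${this.maxDepth}`);
      const tag = this.buf[this.pos++];
      if (tag === TAG_INT) { // DataView throws RangeError itself if the payload is truncated
        const n = new DataView(this.buf.buffer, this.buf.byteOffset, this.buf.byteLength).getInt32(this.pos);
        this.pos += 4;
        return n;
      }
      if (tag === TAG_LIST) {
        const count = this.buf[this.pos++];
        const out: Value[] = [];
        for (let i = 0; i < count; i++) out.push(this.read()); // recursion raises depth
        return out;
      }
      throw new Error(`unknown tag ${tag}`);
    } finally {
      this.depth--; // restored even when a nested read throws, so the reader stays reusable
    }
  }
}
// Constructed payload: `levels` single-element lists wrapped around the int 42.
function nestedList(levels: number): Uint8Array {
  const bytes: number[] = [];
  for (let i = 0; i < levels; i++) bytes.push(TAG_LIST, 1);
  bytes.push(TAG_INT, 0, 0, 0, 42);
  return Uint8Array.from(bytes);
}
// True when the payload is rejected under the limit instead of being decoded.
function isRejected(buf: Uint8Array, maxDepth: number): boolean {
  try { new DepthLimitedReader(buf, { maxDepth }).read(); return false; } catch { return true; }
}
```

A payload with `levels` list wrappers reaches depth `levels + 1` at the innermost int, so with maxDepth 5 four wrappers are accepted and five are rejected.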
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.