chaokunyang opened a new issue, #3415: URL: https://github.com/apache/fory/issues/3415
### Feature Request

Add configurable deserialization size guardrails in Fory Dart for untrusted payloads.

### Is your feature request related to a problem? Please describe

There are currently no configurable limits for payload-driven lengths. Untrusted string/map/list lengths can trigger large allocations and memory pressure.

### Describe the solution you'd like

Add configurable size limits to Dart deserialization and enforce them in list/map/string paths.

Resolve task:

- Add guardrail fields in `dart/packages/fory/lib/src/config/fory_config.dart`.
- Enforce collection length limits in `dart/packages/fory/lib/src/serializer/collection/list/list_serializer.dart`.
- Enforce map length limits in `dart/packages/fory/lib/src/serializer/collection/map/map_serializer.dart`.
- Enforce string byte-length limits in `dart/packages/fory/lib/src/serializer/string_serializer.dart` (and `ByteReader` reads as needed).
- Throw a deserialization exception when a configured limit is exceeded.

### Describe alternatives you've considered

Relying only on process-level memory limits and VM/runtime behavior. This is late-failing and not protocol-aware.

### Additional context

Medium: no configurable size guardrails for untrusted payloads (string/map/list lengths can drive large allocations).

Related locations:

- `dart/packages/fory/lib/src/config/fory_config.dart:20`
- `dart/packages/fory/lib/src/serializer/collection/list/list_serializer.dart:35`
- `dart/packages/fory/lib/src/serializer/collection/list/default_list_serializer.dart:52`
- `dart/packages/fory/lib/src/serializer/collection/map/map_serializer.dart:53`
- `dart/packages/fory/lib/src/serializer/collection/map/map_serializer.dart:54`
- `dart/packages/fory/lib/src/serializer/string_serializer.dart:76`
- `dart/packages/fory/lib/src/serializer/string_serializer.dart:99`

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
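The check requested above, as an added example rather than code from the issue or from Fory: a reader validates each declared length against a configured limit, and against the bytes actually remaining, before allocating anything from it. `BoundedReader`, `LimitExceeded`, the two limit fields and the LEB128 length framing are assumptions made for illustration.

```dart
import 'dart:convert';
import 'dart:typed_data';

class LimitExceeded implements Exception {
  final String message;
  LimitExceeded(this.message);
}

// Hypothetical reader and guardrail fields; not Fory's ByteReader or config.
class BoundedReader {
  final Uint8List _buf;
  final int maxStringBytes, maxListLength;
  int _pos = 0;
  BoundedReader(this._buf,
      {this.maxStringBytes = 1 << 20, this.maxListLength = 1 << 16});

  // Read an unsigned LEB128 length (assumed framing) and validate it before
  // anything is allocated from it.
  int _length(String what, int limit) {
    var n = 0, shift = 0, b = 0x80;
    while ((b & 0x80) != 0) {
      if (_pos >= _buf.length || shift > 28) throw const FormatException('varint');
      b = _buf[_pos++];
      n |= (b & 0x7f) << shift;
      shift += 7;
    }
    if (n > limit) throw LimitExceeded('$what length $n > limit $limit');
    // Each element occupies at least one byte, so n cannot exceed what is left.
    if (n > _buf.length - _pos) throw FormatException('$what length $n > input');
    return n;
  }
  String readString() {
    final n = _length('string', maxStringBytes);
    _pos += n;
    return utf8.decode(Uint8List.sublistView(_buf, _pos - n, _pos));
  }
  List<String> readStringList() =>
      List.generate(_length('list', maxListLength), (_) => readString());
}

void main() {
  // Constructed input: prefix declares 0x0FFFFFFF list elements, no data follows.
  final hostile = Uint8List.fromList([0xff, 0xff, 0xff, 0x7f]);
  try {
    BoundedReader(hostile).readStringList();
  } on LimitExceeded catch (e) {
    print('rejected: ${e.message}');
  }
}
```

The second check in `_length` rejects declared lengths that pass the configured limit but still exceed the input, so a generous limit does not by itself permit an allocation larger than the payload.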
