Skip to content

feat(javascript): add configurable size guardrails#3426

Open
shiavm006 wants to merge 5 commits intoapache:mainfrom
shiavm006:js-size-guardrails
Open

feat(javascript): add configurable size guardrails#3426
shiavm006 wants to merge 5 commits intoapache:mainfrom
shiavm006:js-size-guardrails

Conversation

@shiavm006
Copy link

@shiavm006 shiavm006 commented Feb 26, 2026

Summary

  • Add configurable size guardrails for JavaScript deserialization to protect against untrusted payloads driving large allocations.
  • Introduce new Config fields for string byte length, collection length, and map entry count.
  • Enforce these limits in the JS reader and codegen-based deserialization paths.

Related issues #3414

@shiavm006 shiavm006 changed the title [JAVASCRIPT] add configurable size guardrails feat(javascript): add configurable size guardrails Feb 26, 2026
@shiavm006
Copy link
Author

shiavm006 commented Feb 26, 2026

@chaokunyang just check it once

@chaokunyang
Copy link
Collaborator

chaokunyang commented Feb 26, 2026

@shiavm006 Please make all ci pass before request the code review

@chaokunyang
Copy link
Collaborator

chaokunyang commented Feb 26, 2026

and there is not tests, which also need be addressed

@shiavm006
Copy link
Author

shiavm006 commented Feb 26, 2026

@shiavm006 Please make all ci pass before request the code review

ya i am sorry for that willmake sure of that from next time

@shiavm006
Copy link
Author

shiavm006 commented Feb 26, 2026
edited
Loading

i think now u can ci check i have fixed them there was some syntax error that was some issue in logic fixed that

@shiavm006
Copy link
Author

shiavm006 commented Feb 26, 2026

@chaokunyang @theweipeng could u check this out once

theweipeng
theweipeng reviewed Feb 28, 2026
View reviewed changes
javascript/packages/fory/lib/gen/map.ts
const maxEntriesVar = this.scope.uniqueName("maxMapEntries");
return `
let ${count} = ${this.builder.reader.readVarUint32Small7()};
const ${maxEntriesVar} = ${foryName}.config.maxMapEntries;
Copy link
Member

@theweipeng theweipeng Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can generate fixed code.
`
if (${count} > ${this.fory.config.maxMapEntries}) {

}
the code generated will be like:
if (count > 10) {
}
`

Copy link
Member

@theweipeng theweipeng Feb 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Try to calculate the constants well during the code generation stage to reduce the consumption in runtime

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@theweipeng theweipeng theweipeng left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shiavm006 @chaokunyang @theweipeng