serde_json::error:: RecursionLimitExceeded exists

[ShadowJonathan]

At https://github.com/serde-rs/json/blob/7ca63e7d5acac348db55c4345cb199f9d658669f/src/error.rs#L240-L241;

    /// Encountered nesting of JSON maps and arrays more than 128 layers deep.
    RecursionLimitExceeded,

I feel this is possible to encounter in the wild in matrix, unintentional or not, so ruma should be able to handle this sorta thing, i'd guess.

[jplatte]

I don't really know what we could do about this 😕

[jplatte]

I wonder whether Synapse / the Python lib it uses has similar limitations. One could try creating a test room and posting a custom event with a content like { "foo": [[[[[[[[[[[[<500 more pairs of brackets>]]]]]]]]]]]] }.

[jplatte]

serde_json has a feature flag called unbounded_depth that can be used to disable this limitation, but at least for homeservers that would open a super simple DOS attack vector.

[ShadowJonathan]

Maybe we can provide the same feature flag as well? And then add it to any crate that uses serde, it'll be off by default, though for any homeserver or application that needs to enable it, it's there.

[lieuwex]

ref: serde-rs/json#613

Noteworthy is the reference to https://source.chromium.org/gn/gn/+/master:src/base/json/json_reader.cc;l=18?q=kStackMaxDepth, which would at least be applicable for the CS API.