Limit eager ExtensionObject decode recursion by kevinherron · Pull Request #1745 · eclipse-milo/milo

kevinherron · 2026-05-17T14:46:45Z

Prevent a denial-of-service vector where dynamic eager decoding recursively decodes nested ExtensionObject bodies without honoring the configured recursion budget, causing stack or heap exhaustion.
Keep existing behavior of eagerly decoding known/expected dynamic types where safe, but ensure a shared recursion budget prevents unbounded nested decodes.

Add a thread-local recursion guard EAGER_DECODE_DEPTH and helper eagerlyDecodeExtensionObject(...) to FieldUtil so eager decoding of scalar, array, matrix, and Variant-contained ExtensionObjects checks EncodingLimits.getMaxRecursionDepth() and increments/decrements a local depth counter.
Replace direct calls to xo.decode(...) in maybeEagerlyDecodeValue(...) with calls to eagerlyDecodeExtensionObject(...) so nested eager decodes share the same per-thread depth budget.
Add a regression test eagerExtensionObjectDecodeHonorsMaxRecursionDepth and helper nestedStructWithStructureScalarFields(...) in DynamicTypeSerializationTest that constructs nested ExtensionObjects and verifies eager decoding halts at the configured depth and leaves deeper values opaque.

Limit eager ExtensionObject decode recursion

c8c2f02

kevinherron added this to the 1.1.4 milestone May 17, 2026

kevinherron merged commit f8b6034 into eclipse-milo:main May 17, 2026
3 checks passed

kevinherron added bug stack and removed stack labels May 17, 2026

Provide feedback