Merge pull request #1207 from microsoft/jandupej/dos-fixes

Various fixes for DoS vulnerabilities.

Author: jandupej

CHANGELOG.md

@@ -11,12 +11,13 @@ tag versions. The Bond compiler (`gbc`) and
 different versioning scheme, following the Haskell community's
 [package versioning policy](https://wiki.haskell.org/Package_versioning_policy).
 
-## Unreleased ##
+## 11.0.1: 2024-06-26 ##
 
-* IDL core version: TBD
-* C++ version: TBD (major bump needed)
-* C# NuGet version: TBD (major bump needed)
-* `gbc` & compiler library: TBD (major bump needed)
+* IDL core version: 3.0
+* C++ version: 11.0.1
+* C# NuGet version: 11.0.1
+* Java version: 11.0.1
+* `gbc` & compiler library: 0.13.0.0
 
 ### `gbc` and Bond compiler library ###
 * **Breaking change**: Codegen for Bond-over-gRPC has been removed: the
@@ -34,9 +35,22 @@ different versioning scheme, following the Haskell community's
   See [issue \#1131, Bond-over-gRPC will be deprecated February
   2022](https://github.com/microsoft/bond/issues/1131), for the full
   announcement.
+* By default, deserialization will no longer process very deeply nested
+  structures. Instead, an `bond::CoreException` will be thrown in order to
+  protect against stack overflows. The depth limit may be changed by calling
+  the function `bond::SetDeserializeMaxDepth(uint32_t)`.
+* Fixed handling of large containers of invalid types that could cause
+  excessive CPU use when deserializing some payloads.
 
 ### C# ###
 
+* **Breaking change**: Update of Newtonsoft.Json library to version 13.3.0.
+([Issue \#1156](https://github.com/microsoft/bond/issues/1156))
+
+  This update fixes depth check in input JSON string (by default: 64).
+  Depth check is necessary to prevent stack overflow issue with long payloads.
+* **Breaking change**: The minimum supported version of .NET Framework is
+  4.6.2. Support for .NET Framework 4.5 has been dropped.
 * **Breaking change**: All Bond-over-gRPC code has been removed. This is
   everything under the `Bond.Grpc` namespace and the Bond.Grpc.CSharp NuGet
   package. Service definitions can still appear in .bond files, but no C#
@@ -48,6 +62,18 @@ different versioning scheme, following the Haskell community's
   [System.Collections.Immutable](https://learn.microsoft.com/dotnet/api/system.collections.immutable)
   collections. (Pull request
   [\#1161](https://github.com/microsoft/bond/pull/1161))
+* By default, deserialization will no longer process very deeply nested
+  structures. Instead, an `InvalidOperationException` will be thrown in
+  order to protect against stack overflows. The depth limit may be changed
+  by setting the property `Bond.DeserializerControls.Active.MaxDepth`.
+
+### Java ###
+
+* By default, deserialization will no longer process very deeply nested
+  structures. Instead, a `org.bondlib.InvalidBondDataException` exception
+  will be thrown in order to protect against stack overflows. The depth
+  limit may be changed by calling the method
+  `org.bondlib.bond.DeserializerControls.setMaxDepth`.
 
 ## 10.0: 2022-03-07 ##
 

README.md

@@ -19,9 +19,6 @@ For details, see the User's Manuals:
 * [C#](https://microsoft.github.io/bond/manual/bond_cs.html)
 * [Java](https://microsoft.github.io/bond/manual/bond_java.html)
 * [Python](https://microsoft.github.io/bond/manual/bond_py.html)
-* [Bond-over-gRPC](https://microsoft.github.io/bond/manual/bond_over_grpc.html)
-  ([deprecated: will be removed in May
-  2022](https://github.com/microsoft/bond/issues/1131))
 * [`gbc`, the Bond compiler/codegen tool](https://microsoft.github.io/bond/manual/compiler.html)
     * See also
       [the compiler library](https://hackage.haskell.org/package/bond) that
@@ -181,10 +178,10 @@ cmake .. \
 
 Install the following tools:
 
-- Visual Studio 2015 or 2017
-    - VS2017 is required to build C# Bond from source
-- .NET Core SDK ([https://www.microsoft.com/net/core](https://www.microsoft.com/net/core#windows))
-    - Alternative to VS2017 for building C# Bond from source
+- Visual Studio 2017 or newer. The following components are required:
+  - .NET Framework 4.6.2 targeting pack
+  - C++ development tools. A working C++ compiler is needed to build gbc.
+- .NET SDK ([https://dotnet.microsoft.com/en-us/download](https://dotnet.microsoft.com/en-us/download))
 - CMake ([http://www.cmake.org/download/](http://www.cmake.org/download/))
 - Haskell Stack ([https://docs.haskellstack.org/en/stable/install_and_upgrade/#windows](https://docs.haskellstack.org/en/stable/install_and_upgrade/#windows))
 
@@ -199,7 +196,7 @@ Now you are ready to build the C# version of Bond. Open the solution file
 `cs\cs.sln` in Visual Studio and build as usual. The C# unit tests can
 also be run from within the solution.
 
-To build using the .NET Core SDK:
+To build using the .NET SDK:
 
 ```bash
 dotnet restore cs\cs.sln
@@ -225,6 +222,22 @@ pre-built libraries are only needed for unit tests, and Python. If Boost or
 Python libraries are not found on the system, then some tests and examples
 will not be built.
 
+You can also get an appropriate version of boost using the same approach as employed
+by CI.  The appveyor.yml file includes an invocation of:
+```
+tools\ci-scripts\windows\Install-Boost.ps1 `
+                        -Version $env:BOND_BOOST `
+                        -VcToolSetVer $vcToolSetVer `
+                        -Components $boostComponents
+```
+which can also be invoked manually in order to download the relevant version, e.g.
+```
+Install-Boost.ps1 -Version 1.61.0 -VcToolSetVer 14.0
+```
+This will return the location to which the files were downloaded.  It will be a temporary
+location, so you should subsequently copy the directories to a more permanent location and
+then configure your environment variables to point to those locations.
+
 To generate a solution to build the Bond Core C++ and Python with Visual
 Studio 2015 run the following commands from the root `bond` directory:
 

compiler/bond.cabal

@@ -1,13 +1,11 @@
 cabal-version: 1.12
 
--- This file has been generated from package.yaml by hpack version 0.34.4.
+-- This file has been generated from package.yaml by hpack version 0.35.0.
 --
 -- see: https://github.com/sol/hpack
---
--- hash: b3e1e8755f812c54ff2252111e7b261404f305c68fbcdde72babcd762faf6acb
 
 name:           bond
-version:        0.12.1.0
+version:        0.13.0.0
 synopsis:       Bond schema compiler and code generator
 description:    Bond is a cross-platform framework for handling schematized data. It supports cross-language de/serialization and powerful generic mechanisms for efficiently manipulating data. . This package contains a library for parsing the Bond schema definition language and performing template-based code generation. The library includes built-in templates for generating standard Bond C++ and C# code, as well as utilities for writing custom codegen templates. . The package also contains a command-line compiler/codegen tool, named gbc, which is primarily used to generate code for C++ and C# programs using Bond.
 category:       Language, Compiler, Code Generation
@@ -71,13 +69,13 @@ library
     , shakespeare
     , text
     , unordered-containers
+  default-language: Haskell2010
   if os(windows) && arch(i386)
     ld-options: -Wl,--dynamicbase -Wl,--nxcompat -Wl,--large-address-aware
   if os(windows) && arch(x86_64)
     ld-options: -Wl,--dynamicbase -Wl,--nxcompat -Wl,--high-entropy-va
   if flag(warningsAsErrors)
     ghc-options: -Wall -Werror
-  default-language: Haskell2010
 
 executable gbc
   main-is: Main.hs
@@ -104,6 +102,7 @@ executable gbc
     , shakespeare
     , text
     , unordered-containers
+  default-language: Haskell2010
   if os(windows) && arch(i386)
     ld-options: -Wl,--dynamicbase -Wl,--nxcompat -Wl,--large-address-aware
   if os(windows) && arch(x86_64)
@@ -112,7 +111,6 @@ executable gbc
     ghc-options: -threaded -rtsopts -with-rtsopts=-N -Wall -Werror
   else
     ghc-options: -threaded -rtsopts -with-rtsopts=-N
-  default-language: Haskell2010
 
 test-suite gbc-tests
   type: exitcode-stdio-1.0
@@ -153,6 +151,7 @@ test-suite gbc-tests
     , tasty-quickcheck
     , text
     , unordered-containers
+  default-language: Haskell2010
   if os(windows) && arch(i386)
     ld-options: -Wl,--dynamicbase -Wl,--nxcompat -Wl,--large-address-aware
   if os(windows) && arch(x86_64)
@@ -161,4 +160,3 @@ test-suite gbc-tests
     ghc-options: -threaded -rtsopts -with-rtsopts=-N -Wall -Werror
   else
     ghc-options: -threaded -rtsopts -with-rtsopts=-N
-  default-language: Haskell2010

compiler/package.yaml

@@ -1,5 +1,5 @@
 name:                bond
-version:             0.12.1.0
+version:             0.13.0.0
 github:              "microsoft/bond"
 license:             MIT
 author:              Adam Sapek <[email protected]>

compiler/src/Language/Bond/Codegen/Cpp/Types_h.hs

@@ -39,7 +39,7 @@ types_h export_attribute userHeaders enumHeader allocator alloc_ctors_enabled ty
 #{newlineBeginSep 0 includeHeader userHeaders}
 #include <bond/core/bond_version.h>
 
-#if BOND_VERSION < 0x0902
+#if BOND_VERSION < 0x0b00
 #error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
 #endif
 

compiler/stack.yaml.lock

@@ -7,13 +7,13 @@ packages:
 - completed:
     hackage: quickcheck-arbitrary-template-0.2.1.0@sha256:01f9deb34f8af3e6b879ee984b0be8803eb9c31e389490b5ddb8ca5fde32957c,2026
     pantry-tree:
-      size: 625
       sha256: a79d0b9f39f1096774a34f502c209dc70c85bc43f164e2925cb6b7a3f7ad82c8
+      size: 625
   original:
     hackage: quickcheck-arbitrary-template-0.2.1.0
 snapshots:
 - completed:
+    sha256: 16f24be248b42c9e16d59db84378836b1e7c239448a041cae46d32daffa45a8b
     size: 523884
     url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/14/4.yaml
-    sha256: 16f24be248b42c9e16d59db84378836b1e7c239448a041cae46d32daffa45a8b
   original: lts-14.4

compiler/tests/generated/alias_key_types.h

@@ -3,11 +3,11 @@
 
 #include <bond/core/bond_version.h>
 
-#if BOND_VERSION < 0x0902
+#if BOND_VERSION < 0x0b00
 #error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
 #endif
 
-#if BOND_MIN_CODEGEN_VERSION > 0x0c10
+#if BOND_MIN_CODEGEN_VERSION > 0x0d00
 #error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
 #endif
 

compiler/tests/generated/alias_with_allocator_types.h

@@ -3,11 +3,11 @@
 
 #include <bond/core/bond_version.h>
 
-#if BOND_VERSION < 0x0902
+#if BOND_VERSION < 0x0b00
 #error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
 #endif
 
-#if BOND_MIN_CODEGEN_VERSION > 0x0c10
+#if BOND_MIN_CODEGEN_VERSION > 0x0d00
 #error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
 #endif
 

compiler/tests/generated/aliases_types.cs

@@ -18,7 +18,7 @@ namespace tests
     using System.Collections.Generic;
 
     [global::Bond.Schema]
-    [System.CodeDom.Compiler.GeneratedCode("gbc", "0.12.1.0")]
+    [System.CodeDom.Compiler.GeneratedCode("gbc", "0.13.0.0")]
     public partial class Foo<T>
     {
         [global::Bond.Id(0), global::Bond.Type(typeof(List<List<global::Bond.Tag.classT>>))]
@@ -34,14 +34,14 @@ protected Foo(string fullName, string name)
         }
     }
 
-    [System.CodeDom.Compiler.GeneratedCode("gbc", "0.12.1.0")]
+    [System.CodeDom.Compiler.GeneratedCode("gbc", "0.13.0.0")]
     public enum EnumToWrap
     {
         anEnumValue,
     }
 
     [global::Bond.Schema]
-    [System.CodeDom.Compiler.GeneratedCode("gbc", "0.12.1.0")]
+    [System.CodeDom.Compiler.GeneratedCode("gbc", "0.13.0.0")]
     public partial class WrappingAnEnum
     {
         [global::Bond.Id(0)]

compiler/tests/generated/aliases_types.h

@@ -3,11 +3,11 @@
 
 #include <bond/core/bond_version.h>
 
-#if BOND_VERSION < 0x0902
+#if BOND_VERSION < 0x0b00
 #error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
 #endif
 
-#if BOND_MIN_CODEGEN_VERSION > 0x0c10
+#if BOND_MIN_CODEGEN_VERSION > 0x0d00
 #error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
 #endif