Various fixes for DoS vulnerabilities. #1207

Merged
merged 2 commits into from
Jun 26, 2024
36 changes: 31 additions & 5 deletions CHANGELOG.md
Expand Up @@ -11,12 +11,13 @@ tag versions. The Bond compiler (`gbc`) and
different versioning scheme, following the Haskell community's
[package versioning policy](https://wiki.haskell.org/Package_versioning_policy).

## Unreleased ##
## 11.0.1: 2024-06-26 ##

* IDL core version: TBD
* C++ version: TBD (major bump needed)
* C# NuGet version: TBD (major bump needed)
* `gbc` & compiler library: TBD (major bump needed)
* IDL core version: 3.0
* C++ version: 11.0.1
* C# NuGet version: 11.0.1
* Java version: 11.0.1
* `gbc` & compiler library: 0.13.0.0

### `gbc` and Bond compiler library ###
* **Breaking change**: Codegen for Bond-over-gRPC has been removed: the
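Review bot: keep the version numbers recorded here in sync with the compatibility guards changed elsewhere in this PR: the generated headers now require `BOND_VERSION` 0x0b00 and `BOND_MIN_CODEGEN_VERSION` 0x0d00, which agree with the C++ 11.0.1 and gbc 0.13.0.0 lines above, so if either number moves again before release the other side must move with it. The deleted lines flagged a major bump as needed; a short sentence under the C++ and C# entries saying why the release lands as 11.0.1 rather than 11.0 would spare readers that question.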
Expand All @@ -34,9 +35,22 @@ different versioning scheme, following the Haskell community's
See [issue \#1131, Bond-over-gRPC will be deprecated February
2022](https://github.com/microsoft/bond/issues/1131), for the full
announcement.
* By default, deserialization will no longer process very deeply nested
structures. Instead, an `bond::CoreException` will be thrown in order to
protect against stack overflows. The depth limit may be changed by calling
the function `bond::SetDeserializeMaxDepth(uint32_t)`.
* Fixed handling of large containers of invalid types that could cause
excessive CPU use when deserializing some payloads.

### C# ###

* **Breaking change**: Update of Newtonsoft.Json library to version 13.3.0.
([Issue \#1156](https://github.com/microsoft/bond/issues/1156))

This update fixes depth check in input JSON string (by default: 64).
Depth check is necessary to prevent stack overflow issue with long payloads.
* **Breaking change**: The minimum supported version of .NET Framework is
4.6.2. Support for .NET Framework 4.5 has been dropped.
* **Breaking change**: All Bond-over-gRPC code has been removed. This is
everything under the `Bond.Grpc` namespace and the Bond.Grpc.CSharp NuGet
package. Service definitions can still appear in .bond files, but no C#
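Review bot: the C++ entry should state the default depth limit (the C# entry gives 64 for the JSON check) so users know which payloads will now be rejected, and "an `bond::CoreException`" should read "a `bond::CoreException`". The Newtonsoft.Json paragraph is hard to parse; "This update fixes depth check in input JSON string (by default: 64). Depth check is necessary to prevent stack overflow issue with long payloads." would read more clearly as "This update enables Newtonsoft.Json's input depth check (default limit 64), which is needed to prevent stack overflows on deeply nested payloads." Please also double-check the version string 13.3.0 against the package reference this PR updates (that hunk is not among those shown here), and consider linking the issue or advisory for the excessive-CPU fix the same way the gRPC removal links issue #1131, so operators can map the fix to what they were exposed to.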
Expand All @@ -48,6 +62,18 @@ different versioning scheme, following the Haskell community's
[System.Collections.Immutable](https://learn.microsoft.com/dotnet/api/system.collections.immutable)
collections. (Pull request
[\#1161](https://github.com/microsoft/bond/pull/1161))
* By default, deserialization will no longer process very deeply nested
structures. Instead, an `InvalidOperationException` will be thrown in
order to protect against stack overflows. The depth limit may be changed
by setting the property `Bond.DeserializerControls.Active.MaxDepth`.

### Java ###

* By default, deserialization will no longer process very deeply nested
structures. Instead, a `org.bondlib.InvalidBondDataException` exception
will be thrown in order to protect against stack overflows. The depth
limit may be changed by calling the method
`org.bondlib.bond.DeserializerControls.setMaxDepth`.

## 10.0: 2022-03-07 ##
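Review bot: the Java entry gives the exception as `org.bondlib.InvalidBondDataException` but the control class as `org.bondlib.bond.DeserializerControls`; one of those package paths is probably wrong, so please confirm the fully qualified name. The C# and Java entries also omit the default depth value, and the C# limit is signalled with a plain `InvalidOperationException`, which callers cannot distinguish from other state errors; documenting the default and the exact exception contract here would let operators tune the limit and alert on rejected payloads.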

29 changes: 21 additions & 8 deletions README.md
Expand Up @@ -19,9 +19,6 @@ For details, see the User's Manuals:
* [C#](https://microsoft.github.io/bond/manual/bond_cs.html)
* [Java](https://microsoft.github.io/bond/manual/bond_java.html)
* [Python](https://microsoft.github.io/bond/manual/bond_py.html)
* [Bond-over-gRPC](https://microsoft.github.io/bond/manual/bond_over_grpc.html)
([deprecated: will be removed in May
2022](https://github.com/microsoft/bond/issues/1131))
* [`gbc`, the Bond compiler/codegen tool](https://microsoft.github.io/bond/manual/compiler.html)
* See also
[the compiler library](https://hackage.haskell.org/package/bond) that
Expand Down Expand Up @@ -181,10 +178,10 @@ cmake .. \

Install the following tools:

- Visual Studio 2015 or 2017
- VS2017 is required to build C# Bond from source
- .NET Core SDK ([https://www.microsoft.com/net/core](https://www.microsoft.com/net/core#windows))
- Alternative to VS2017 for building C# Bond from source
- Visual Studio 2017 or newer. The following components are required:
- .NET Framework 4.6.2 targeting pack
- C++ development tools. A working C++ compiler is needed to build gbc.
- .NET SDK ([https://dotnet.microsoft.com/en-us/download](https://dotnet.microsoft.com/en-us/download))
- CMake ([http://www.cmake.org/download/](http://www.cmake.org/download/))
- Haskell Stack ([https://docs.haskellstack.org/en/stable/install_and_upgrade/#windows](https://docs.haskellstack.org/en/stable/install_and_upgrade/#windows))

Expand All @@ -199,7 +196,7 @@ Now you are ready to build the C# version of Bond. Open the solution file
`cs\cs.sln` in Visual Studio and build as usual. The C# unit tests can
also be run from within the solution.

To build using the .NET Core SDK:
To build using the .NET SDK:

```bash
dotnet restore cs\cs.sln
Expand All @@ -225,6 +222,22 @@ pre-built libraries are only needed for unit tests, and Python. If Boost or
Python libraries are not found on the system, then some tests and examples
will not be built.

You can also get an appropriate version of boost using the same approach as employed
by CI. The appveyor.yml file includes an invocation of:
```
tools\ci-scripts\windows\Install-Boost.ps1 `
-Version $env:BOND_BOOST `
-VcToolSetVer $vcToolSetVer `
-Components $boostComponents
```
which can also be invoked manually in order to download the relevant version, e.g.
```
Install-Boost.ps1 -Version 1.61.0 -VcToolSetVer 14.0
```
This will return the location to which the files were downloaded. It will be a temporary
location, so you should subsequently copy the directories to a more permanent location and
then configure your environment variables to point to those locations.

To generate a solution to build the Bond Core C++ and Python with Visual
Studio 2015 run the following commands from the root `bond` directory:
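Review bot: the trailing context of this hunk still says "Visual Studio 2015" for generating the C++/Python solution while the requirements list above now says "Visual Studio 2017 or newer", and the manual example `Install-Boost.ps1 -Version 1.61.0 -VcToolSetVer 14.0` pins the VS2015 toolset (14.0); please update both so the instructions agree. The two new fences are untagged while the rest of the file tags its fences (the bash-tagged block above); tag them as powershell. "This will return the location to which the files were downloaded." is ambiguous for a script, so say whether the path is printed or emitted as pipeline output, and since the script fetches a Boost archive from the network it would be worth stating whether it verifies a hash of the download before use.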

12 changes: 5 additions & 7 deletions compiler/bond.cabal
@@ -1,13 +1,11 @@
cabal-version: 1.12

-- This file has been generated from package.yaml by hpack version 0.34.4.
-- This file has been generated from package.yaml by hpack version 0.35.0.
--
-- see: https://github.com/sol/hpack
--
-- hash: b3e1e8755f812c54ff2252111e7b261404f305c68fbcdde72babcd762faf6acb

name: bond
version: 0.12.1.0
version: 0.13.0.0
synopsis: Bond schema compiler and code generator
description: Bond is a cross-platform framework for handling schematized data. It supports cross-language de/serialization and powerful generic mechanisms for efficiently manipulating data. . This package contains a library for parsing the Bond schema definition language and performing template-based code generation. The library includes built-in templates for generating standard Bond C++ and C# code, as well as utilities for writing custom codegen templates. . The package also contains a command-line compiler/codegen tool, named gbc, which is primarily used to generate code for C++ and C# programs using Bond.
category: Language, Compiler, Code Generation
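Review bot: the `-- hash:` line is unchanged while the generated content changes (hpack 0.35.0, version 0.13.0.0 and the relocated `default-language` fields in the hunks below), which suggests the file was edited by hand rather than regenerated; hpack records a hash of its own output and refuses to overwrite a file whose hash no longer matches unless forced, so please regenerate from package.yaml (or run `hpack --force`) so the hash reflects the new content and the next regeneration does not fail.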
Expand Down Expand Up @@ -71,13 +69,13 @@ library
, shakespeare
, text
, unordered-containers
default-language: Haskell2010
if os(windows) && arch(i386)
ld-options: -Wl,--dynamicbase -Wl,--nxcompat -Wl,--large-address-aware
if os(windows) && arch(x86_64)
ld-options: -Wl,--dynamicbase -Wl,--nxcompat -Wl,--high-entropy-va
if flag(warningsAsErrors)
ghc-options: -Wall -Werror
default-language: Haskell2010

executable gbc
main-is: Main.hs
Expand All @@ -104,6 +102,7 @@ executable gbc
, shakespeare
, text
, unordered-containers
default-language: Haskell2010
if os(windows) && arch(i386)
ld-options: -Wl,--dynamicbase -Wl,--nxcompat -Wl,--large-address-aware
if os(windows) && arch(x86_64)
Expand All @@ -112,7 +111,6 @@ executable gbc
ghc-options: -threaded -rtsopts -with-rtsopts=-N -Wall -Werror
else
ghc-options: -threaded -rtsopts -with-rtsopts=-N
default-language: Haskell2010

test-suite gbc-tests
type: exitcode-stdio-1.0
Expand Down Expand Up @@ -153,6 +151,7 @@ test-suite gbc-tests
, tasty-quickcheck
, text
, unordered-containers
default-language: Haskell2010
if os(windows) && arch(i386)
ld-options: -Wl,--dynamicbase -Wl,--nxcompat -Wl,--large-address-aware
if os(windows) && arch(x86_64)
Expand All @@ -161,4 +160,3 @@ test-suite gbc-tests
ghc-options: -threaded -rtsopts -with-rtsopts=-N -Wall -Werror
else
ghc-options: -threaded -rtsopts -with-rtsopts=-N
default-language: Haskell2010
2 changes: 1 addition & 1 deletion compiler/package.yaml
@@ -1,5 +1,5 @@
name: bond
version: 0.12.1.0
version: 0.13.0.0
github: "microsoft/bond"
license: MIT
author: Adam Sapek <[email protected]>
2 changes: 1 addition & 1 deletion compiler/src/Language/Bond/Codegen/Cpp/Types_h.hs
Expand Up @@ -39,7 +39,7 @@ types_h export_attribute userHeaders enumHeader allocator alloc_ctors_enabled ty
#{newlineBeginSep 0 includeHeader userHeaders}
#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif
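Review bot: raising the guard to `BOND_VERSION < 0x0b00` means every header emitted by gbc 0.13 refuses to compile against a Bond 10.x library, which is the intended major-version break but is not spelled out in the CHANGELOG hunk above (it records C++ 11.0.1 without saying that code generated by gbc 0.13 now requires it); a line under the gbc section would save users a confusing `#error`. The generated test headers in this PR also bump `BOND_MIN_CODEGEN_VERSION` to 0x0d00, so the matching constant in `bond/core/bond_version.h` must change in the same PR; that hunk is not visible here, please confirm it is included.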

4 changes: 2 additions & 2 deletions compiler/stack.yaml.lock
Expand Up @@ -7,13 +7,13 @@ packages:
- completed:
hackage: quickcheck-arbitrary-template-0.2.1.0@sha256:01f9deb34f8af3e6b879ee984b0be8803eb9c31e389490b5ddb8ca5fde32957c,2026
pantry-tree:
size: 625
sha256: a79d0b9f39f1096774a34f502c209dc70c85bc43f164e2925cb6b7a3f7ad82c8
size: 625
original:
hackage: quickcheck-arbitrary-template-0.2.1.0
snapshots:
- completed:
sha256: 16f24be248b42c9e16d59db84378836b1e7c239448a041cae46d32daffa45a8b
size: 523884
url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/14/4.yaml
sha256: 16f24be248b42c9e16d59db84378836b1e7c239448a041cae46d32daffa45a8b
original: lts-14.4
4 changes: 2 additions & 2 deletions compiler/tests/generated/alias_key_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif
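Review bot: both guards move together here (`BOND_VERSION` 0x0902 to 0x0b00, `BOND_MIN_CODEGEN_VERSION` 0x0c10 to 0x0d00) and the identical two-line change repeats across the other generated headers under compiler/tests/generated; since these are codegen output, the point to verify is that they were produced by rerunning gbc with the updated Types_h.hs template rather than edited by hand. Rerunning the codegen tests and confirming they produce no further diff is enough to establish that.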

4 changes: 2 additions & 2 deletions compiler/tests/generated/alias_with_allocator_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

6 changes: 3 additions & 3 deletions compiler/tests/generated/aliases_types.cs
Expand Up @@ -18,7 +18,7 @@ namespace tests
using System.Collections.Generic;

[global::Bond.Schema]
[System.CodeDom.Compiler.GeneratedCode("gbc", "0.12.1.0")]
[System.CodeDom.Compiler.GeneratedCode("gbc", "0.13.0.0")]
public partial class Foo<T>
{
[global::Bond.Id(0), global::Bond.Type(typeof(List<List<global::Bond.Tag.classT>>))]
Expand All @@ -34,14 +34,14 @@ protected Foo(string fullName, string name)
}
}

[System.CodeDom.Compiler.GeneratedCode("gbc", "0.12.1.0")]
[System.CodeDom.Compiler.GeneratedCode("gbc", "0.13.0.0")]
public enum EnumToWrap
{
anEnumValue,
}

[global::Bond.Schema]
[System.CodeDom.Compiler.GeneratedCode("gbc", "0.12.1.0")]
[System.CodeDom.Compiler.GeneratedCode("gbc", "0.13.0.0")]
public partial class WrappingAnEnum
{
[global::Bond.Id(0)]
4 changes: 2 additions & 2 deletions compiler/tests/generated/aliases_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

4 changes: 2 additions & 2 deletions compiler/tests/generated/alloc_ctors/alias_key_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

4 changes: 2 additions & 2 deletions compiler/tests/generated/alloc_ctors/aliases_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

4 changes: 2 additions & 2 deletions compiler/tests/generated/alloc_ctors/attributes_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

4 changes: 2 additions & 2 deletions compiler/tests/generated/alloc_ctors/basic_types_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

4 changes: 2 additions & 2 deletions compiler/tests/generated/alloc_ctors/bond_meta_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

4 changes: 2 additions & 2 deletions compiler/tests/generated/alloc_ctors/complex_types_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

4 changes: 2 additions & 2 deletions compiler/tests/generated/alloc_ctors/defaults_types.h
Expand Up @@ -3,11 +3,11 @@

#include <bond/core/bond_version.h>

#if BOND_VERSION < 0x0902
#if BOND_VERSION < 0x0b00
#error This file was generated by a newer version of the Bond compiler and is incompatible with your version of the Bond library.
#endif

#if BOND_MIN_CODEGEN_VERSION > 0x0c10
#if BOND_MIN_CODEGEN_VERSION > 0x0d00
#error This file was generated by an older version of the Bond compiler and is incompatible with your version of the Bond library.
#endif
