
Security Fix: JSON Deserialization Protection & Code Improvements #66


Open: wants to merge 24 commits into base: master

Conversation

yuseok-kim-edushare
@yuseok-kim-edushare yuseok-kim-edushare commented Mar 18, 2025

This PR can also close #65, #64 and #61 (via db9279b).

Overview

This PR implements critical security fixes and code improvements to enhance both security and performance of the SQL-APIConsumer component.

Key Changes

  • Target framework update: .NET 4.0 is too old a version and includes several security risks, so we need to update the target framework
    • .NET 4.8 is not deprecated and, with compatibility, supports Windows Server 2012, which runs SQL Server from 2008 R2 to 2017
    • Also, the oldest Windows Server that is not deprecated is 2016, which natively includes .NET 4.8
  • Security Fix: Added a JSON deserialization depth limit (MaxDepth=128) to mitigate CVE-2024-21907
  • Performance: Implemented static HttpClient instance to reduce socket exhaustion and resource usage
  • Modern Async: Added async implementation for HTTP methods to improve scalability
  • Code Quality: Refactored exception handling across multiple files
  • Build Process: Updated project configuration for better deployment control
  • Version Update: Incremented version from 2.3.6.1 to 2.3.7.0

Security Impact

The JSON deserialization depth limit prevents potential Denial of Service attacks through maliciously crafted, deeply nested JSON payloads that could cause:

  • High CPU/memory consumption
  • Thread exhaustion
  • Stack overflow exceptions

Cleanup

  • Removed binary artifacts from repository
  • Standardized build configuration
  • Updated .gitignore to prevent binary file commits
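As an added example (not code from the SQL-APIConsumer repository or from this PR), the two patterns the description names, a Newtonsoft.Json depth cap and a single static HttpClient, written against .NET Framework 4.8 with the Newtonsoft.Json package. The class and method names, the 30-second timeout and the constructed nested-array payload are assumptions for illustration:

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Added example, not the project's own code. Assumes the Newtonsoft.Json package.
// JsonSerializerSettings.MaxDepth has existed for a long time, but a default cap (64)
// only arrived in 13.0.1, which is why an explicit value matters on older versions.
public static class BoundedApiConsumer
{
    // One HttpClient for the process lifetime: a new instance per call leaks
    // sockets (TIME_WAIT) under load, which the PR text calls "socket exhaustion".
    private static readonly HttpClient Http;

    // Depth cap from the PR. Exceeding it raises JsonReaderException instead of
    // recursing until the thread stack is exhausted (the CVE-2024-21907 behaviour
    // on unpatched Newtonsoft.Json). A StackOverflowException cannot be caught by
    // managed code, so the bound has to be enforced at the reader.
    private const int MaxJsonDepth = 128;

    private static readonly JsonSerializerSettings SafeSettings = new JsonSerializerSettings
    {
        MaxDepth = MaxJsonDepth
    };

    static BoundedApiConsumer()
    {
        // SSL3 and TLS 1.0 are not acceptable; pin the process to TLS 1.2.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        Http = new HttpClient { Timeout = TimeSpan.FromSeconds(30) }; // timeout is an assumption
    }

    // Parse with the depth bound. Returns null and reports the reason instead of
    // letting a JsonReaderException escape into the caller (here, SQL Server).
    public static JToken ParseBounded(string json, out string error)
    {
        error = null;
        try
        {
            return JsonConvert.DeserializeObject<JToken>(json, SafeSettings);
        }
        catch (JsonReaderException ex)
        {
            error = ex.Message;
            return null;
        }
    }

    // Constructed hostile input: `depth` nested arrays, e.g. [[[[...]]]].
    public static string NestedArrays(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth).Append(']', depth);
        return sb.ToString();
    }

    public static void Main()
    {
        string benign = "{\"id\":1,\"tags\":[\"a\",\"b\"]}";
        string hostile = NestedArrays(100000); // ~200 KB, cheap for an attacker to send

        string err;
        Console.WriteLine(ParseBounded(benign, out err) != null
            ? "benign: ok"
            : "benign: " + err);
        Console.WriteLine(ParseBounded(hostile, out err) != null
            ? "hostile: parsed?!"
            : "hostile: rejected: " + err);
    }
}
```

With the cap in place the hostile payload is rejected after 128 levels with a catchable JsonReaderException, while the benign document parses normally. The static HttpClient is the other half of the PR's change: because ServicePointManager.SecurityProtocol is process-wide, setting it once in the static constructor, before the first request, is the right place for it.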

Modernize the web request code
Tls and Ssl3 are not safe now
With the .NET native API, add a validation check for proper input values
.NET 4 is too old a version
and we can consider whether SQL 2016 supports Windows Server 2012 or above
Win 2012 can run .NET 4.8
After build, we only need the DDL SQL and DLL file from this project
Now we only register one DLL file with a single query
@geral2 geral2 self-requested a review March 18, 2025 20:41
@geral2 geral2 self-assigned this Mar 18, 2025
@geral2
Owner

geral2 commented Mar 18, 2025

Hello @yuseok-kim-edushare,

Thanks a ton for this PR! 🙌 Really appreciate the time and effort you put into this — everything looks solid. Great job on the build improvements! I'll go ahead and review/test it shortly. Thanks again for contributing!

@yuseok-kim-edushare
Author

I fixed the sqlproj.
I manually added the SQL file and some other artifacts, then Visual Studio tried to compile the SQL query file,
so I set the build type to None.

Because of the IL-Repack usage,
the CLR assembly reference list changed,
so a drop and create is needed.
@yuseok-kim-edushare
Author

I added a script to re-install the CLR assembly.
Because of the IL-Repack usage, the built DLL file's reference list changed, so SQL Server requires a drop and create.

So I created a SQL script to re-install it.
