Skip to content

Security Fix: JSON Deserialization Protection & Code Improvements#66

Open
yuseok-kim-edushare wants to merge 30 commits intogeral2:masterfrom
yuseok-kim-edushare:dev/yuseok
Open

Security Fix: JSON Deserialization Protection & Code Improvements#66
yuseok-kim-edushare wants to merge 30 commits intogeral2:masterfrom
yuseok-kim-edushare:dev/yuseok

Conversation

@yuseok-kim-edushare
Copy link

@yuseok-kim-edushare yuseok-kim-edushare commented Mar 18, 2025
edited
Loading

this pr also can close #65 and close #64 + close #61 by db9279b

Overview

This PR implements critical security fixes and code improvements to enhance both security and performance of the SQL-APIConsumer component.

Key Changes

  • target framework update: .net 4.0 is too old version that include several security risks, so we need to fix target frameworks
    • Not deprecated, and With Compatibility, .NET 4.8 can support win 2012 that run sql server from 2008r2 to 2017
    • also, not deprecated and least windows server is 2016 that native include .net 4.8
  • Security Fix: Added JSON deserialization depth limit (MaxDepth=128) to mitigate CVE-2024-21907 vulnerability
  • Performance: Implemented static HttpClient instance to reduce socket exhaustion and resource usage
  • Modern Async: Added async implementation for HTTP methods to improve scalability
  • Code Quality: Refactored exception handling across multiple files
  • Build Process: Updated project configuration for better deployment control
  • Version Update: Incremented version from 2.3.6.1 to 2.3.7.0

Security Impact

The JSON deserialization depth limit prevents potential Denial of Service attacks through maliciously crafted deep-nested JSON payloads that could cause:

  • High CPU/memory consumption
  • Thread exhaustion
  • Stack overflow exceptions

Cleanup

  • Removed binary artifacts from repository
  • Standardized build configuration
  • Updated .gitignore to prevent binary file commits

@yuseok-kim-edushare
Fix Security Issue, Depth limit required to keep secure
7a0c5d0
@yuseok-kim-edushare
Update Version Number 2.3.6.1 -> 2.3.6.2
6d11d78
@yuseok-kim-edushare
🙈 add /bin and /obj to gitignore
180549a
@yuseok-kim-edushare
🔒 add public_key file to simplifying signing
db9279b
@yuseok-kim-edushare
♻️ Refactor: HttpWebRequest -> HttpClient and so on
9a5d0ab 
To modernize about web request codes
@yuseok-kim-edushare
🛂 Update SSL config
9122804 
Tls and Ssl3 is not safe at now
@yuseok-kim-edushare
♻️ Refactor: CreateSignatur() with using clause to memory managing
79fc209
@yuseok-kim-edushare
🛂 Fix GetBytes with encoding methods with null checking
3181faf
@yuseok-kim-edushare
⚡ Improve performance with cached JseonSerializerSetting
48f26e3 
by static JsonSerializerSetting
@yuseok-kim-edushare
♻️ Refactor: improve validateParams() checking logic
e97e85d 
with .NET native api, add validation check proper input value
@yuseok-kim-edushare
✏️ Add missing content of 48f26e3
05728e1
@yuseok-kim-edushare
♻️ Update Http Response code and exception handling
d6ba9e7
@yuseok-kim-edushare
🔧 Update build target to .net 48
597ce21 
.net 4 is too old version
and we can consider if SQL2016 supported windows server 2012 or above
win 2012 can run net 48
@yuseok-kim-edushare
🔧 Fix build configuration
9b02b51 
just after build, we only need DDL sql and dll file from this project
@yuseok-kim-edushare
🚨 Fix compile error
dad2119
@yuseok-kim-edushare
Improve Build option with IL-Repack
6d8ab98
@yuseok-kim-edushare
Update .gitignore
f9a0870
@yuseok-kim-edushare
Update .gitignore
1fc29c6
@yuseok-kim-edushare
Use IL-Repack to create single integrated DLL on build
1278153 
Now we only register 1 dll file with single query
@yuseok-kim-edushare
♻️ Update project and solution to include etc. files folder to see wi…
8a1e54d 
…th visual studio solution explorer
@yuseok-kim-edushare
correct version number suggestion
b07ba3b
@yuseok-kim-edushare
Update README.md
62cb4ab
@geral2 geral2 self-requested a review March 18, 2025 20:41
@geral2 geral2 self-assigned this Mar 18, 2025
@geral2
Copy link
Owner

geral2 commented Mar 18, 2025

Hello @yuseok-kim-edushare,

Thanks a ton for this PR! 🙌 Really appreciate the time and effort you put into this — everything looks solid. Great job on the build improvements! I'll go ahead and review/test it shortly. Thanks again for contributing!

@yuseok-kim-edushare
Copy link
Author

yuseok-kim-edushare commented Mar 21, 2025

I Fix sqlproj
I manually added sql file and some other artifacts, then visual studio try to compile sql query file
then i set build type None

@yuseok-kim-edushare
✨ Add Re_install script
e6fd71b 
Cause of IL-repack using
CLR assembly reference list changed
then need to drop and create is needed
@yuseok-kim-edushare
Copy link
Author

yuseok-kim-edushare commented Mar 26, 2025

I Add A script to re-install CLR
cause of IL-Repack using, build result dll file's referencing list changed, then SQL server Request drop and create

then i create SQL Script for re-install this

@yuseok-kim-edushare
🐛 Fix: Re_install_assembly.sql
8b76797 
Add some dependency dll removing for cleanner option
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geral2 geral2 Awaiting requested review from geral2

At least 1 approving review is required to merge this pull request.

Assignees

@geral2 geral2

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@yuseok-kim-edushare @geral2