Security Fix: JSON Deserialization Protection & Code Improvements
This PR can also close #65, #64 and #61 (by db9279bb4974a84f87e454e666bc5b3166e60831).
Overview
This PR implements critical security fixes and code improvements to enhance both security and performance of the SQL-APIConsumer component.
Key Changes
- Target framework update: .NET 4.0 is too old a version and includes several security risks, so we need to update the target frameworks
- .NET 4.8 is not deprecated, and for compatibility it still supports Windows Server 2012, which runs SQL Server from 2008 R2 to 2017
- Also, it is not deprecated on the lowest supported Windows Server, 2016, which natively includes .NET 4.8
- Security Fix: Added JSON deserialization depth limit (MaxDepth=128) to mitigate CVE-2024-21907 vulnerability
- Performance: Implemented static HttpClient instance to reduce socket exhaustion and resource usage
- Modern Async: Added async implementation for HTTP methods to improve scalability
- Code Quality: Refactored exception handling across multiple files
- Build Process: Updated project configuration for better deployment control
- Version Update: Incremented version from 2.3.6.1 to 2.3.7.0
Security Impact
The JSON deserialization depth limit prevents potential Denial of Service attacks through maliciously crafted, deeply nested JSON payloads that could cause:
- High CPU/memory consumption
- Thread exhaustion
- Stack overflow exceptions
Cleanup
- Removed binary artifacts from repository
- Standardized build configuration
- Updated .gitignore to prevent binary file commits
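The depth limit and the shared HttpClient described above, as an added illustration that is not code from the SQL-APIConsumer project; it assumes Newtonsoft.Json is the deserializer in use, and the class and member names are hypothetical:

```csharp
// Added example, not the project's own code. Assumes Newtonsoft.Json is
// referenced; SafeJson, Settings, Client and Demo are illustrative names.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json;

public static class SafeJson
{
    // Nested arrays/objects deeper than this are rejected with a
    // JsonReaderException instead of consuming stack and CPU (CVE-2024-21907).
    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        MaxDepth = 128
    };

    // One HttpClient for the lifetime of the process: a new client per call
    // leaves sockets in TIME_WAIT and eventually exhausts the ephemeral ports.
    private static readonly HttpClient Client = new HttpClient();

    public static T Deserialize<T>(string json)
    {
        return JsonConvert.DeserializeObject<T>(json, Settings);
    }

    // Async fetch + bounded parse on the shared client (no thread blocked on I/O).
    public static async Task<T> GetJsonAsync<T>(string url)
    {
        string body = await Client.GetStringAsync(url).ConfigureAwait(false);
        return Deserialize<T>(body);
    }

    // Constructed demo: a payload nested far deeper than the limit is rejected,
    // while an ordinary payload still parses.
    public static void Demo()
    {
        string deep = new string('[', 10000) + new string(']', 10000);
        try
        {
            Deserialize<object>(deep);
            Console.WriteLine("unexpected: deep payload accepted");
        }
        catch (JsonReaderException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
        int[] ok = Deserialize<int[]>("[1,2,3]");
        Console.WriteLine("parsed " + ok.Length + " items");
    }
}
```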
Hello @yuseok-kim-edushare,
Thanks a ton for this PR! 🙌 Really appreciate the time and effort you put into this — everything looks solid. Great job on the build improvements! I'll go ahead and review/test it shortly. Thanks again for contributing!
I fixed the sqlproj. I manually added the SQL file and some other artifacts, then Visual Studio tried to compile the SQL query file, so I set the build type to None.
I added a script to re-install the CLR because, with IL-Repack in use, the built DLL file's reference list changed, so SQL Server requires a drop and create;
then I created a SQL script to re-install this.