antocuni / capnpy


capnpy.load(f, payload_type) message size #42

Open Gw1p opened 5 years ago

Gw1p commented 5 years ago

`capnpy.load(f, payload_type)`: load a message from a file-like object. Should have a maximum message size parameter or internal check to avoid hanging in case a response message is unreasonably large.

antocuni commented 5 years ago

Yes, it might be a good idea. In general, there are many ways in which a malicious message could affect an implementation. Here are some examples, from the official capnproto docs: https://capnproto.org/encoding.html#security-considerations

Admittedly, capnpy was not implemented with malicious messages in mind. I would not be opposed to adding support for it, assuming it doesn't impact performance. It is unlikely I'll do it by myself though, so PRs are welcome :)
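As an added illustration of the bounded loader Gw1p asks for and of the size-related concerns antocuni links to (this is example code, not capnpy's own implementation), the following reads only the segment table of a standard-framed Cap'n Proto message, sums the declared segment sizes, and refuses the message before consuming any payload when the total exceeds a limit. The function names, the 64 MiB default and the 512-segment cap are assumptions; the test helper `build_message` constructs inputs inline.

```python
import io
import struct

WORD_SIZE = 8  # a Cap'n Proto word is 8 bytes; segment sizes are given in words


class MessageTooLarge(ValueError):
    """Raised before any segment payload is read when the declared size exceeds the limit."""


def _read_exact(f, n):
    """Read exactly n bytes from a file-like object; a short read means a truncated stream."""
    data = f.read(n)
    if len(data) != n:
        raise EOFError("truncated message: wanted %d bytes, got %d" % (n, len(data)))
    return data


def read_segment_table(f, max_segments=512):
    """Parse the framing header: uint32 (segment count - 1), then one uint32 size per
    segment, padded to an 8-byte boundary. Returns segment sizes in bytes.
    The segment count is bounded so a hostile header cannot drive a huge unpack."""
    (count_minus_one,) = struct.unpack('<I', _read_exact(f, 4))
    count = count_minus_one + 1
    if count > max_segments:
        raise MessageTooLarge("segment count %d exceeds limit %d" % (count, max_segments))
    sizes_words = struct.unpack('<%dI' % count, _read_exact(f, 4 * count))
    if count % 2 == 0:  # header is 4*(count+1) bytes; even counts need 4 bytes of padding
        _read_exact(f, 4)
    return [w * WORD_SIZE for w in sizes_words]


def load_bounded(f, max_bytes=64 * 1024 * 1024):
    """Return the raw segments of one message, or raise MessageTooLarge.
    The decision uses the declared sizes, so it is made after the small header
    and before a single byte of payload is read or buffered."""
    sizes = read_segment_table(f)
    total = sum(sizes)
    if total > max_bytes:
        raise MessageTooLarge("declared size %d bytes exceeds limit %d" % (total, max_bytes))
    return [_read_exact(f, n) for n in sizes]


def load_bounded_bytes(data, max_bytes=64 * 1024 * 1024):
    """Convenience wrapper for in-memory input."""
    return load_bounded(io.BytesIO(data), max_bytes)


def build_message(segments):
    """Frame word-aligned segments exactly as standard serialization does (constructed test input)."""
    count = len(segments)
    header = struct.pack('<I', count - 1)
    header += b''.join(struct.pack('<I', len(s) // WORD_SIZE) for s in segments)
    if count % 2 == 0:
        header += b'\x00\x00\x00\x00'
    return header + b''.join(segments)
```

This only bounds the declared size; the traversal limit described in the linked security section guards against pointer loops inside an otherwise small message and is a separate check.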