rsinger86 / drf-flex-fields

Dynamically set fields and expand nested resources in Django REST Framework serializers.
MIT License
740 stars, 61 forks

maximum depth of expansion (dot notation) / avoid infinite recursion #112

Closed SorianoMarmol closed 1 year ago

SorianoMarmol commented 1 year ago

Reusing nested serializers, it is possible to perform infinite recursion of expansions. For example, object1.child1.object1.child1.object1.child1...

This can cause severe performance problems and potential attacks.

It is possible to control it in other ways, but it would be nice if the library provided some method to avoid this potential security problem. For example, a maximum level of expansion setting and/or control of the recursion.

Thank you for the package and your effort.
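The two controls the report asks for, a depth cap on the `expand` parameter and a guard against a serializer re-entering itself, can be enforced before any expansion happens. The following is an added, standalone Python example written for this thread; it is not code from drf-flex-fields or from the PR mentioned below. It assumes the library's comma-separated dot-notation request format (`?expand=child1.object1`), a project-level `MAX_EXPAND_DEPTH` setting that does not exist in the library, and a constructed `EXPANDABLE` graph standing in for the `expandable_fields` declarations of three hypothetical serializers (`Object1Serializer`, `Child1Serializer`, `UserSerializer`).

```python
"""Reject unbounded or cyclic ?expand= requests such as child1.object1.child1.object1...
(constructed example; plain Python, independent of Django REST Framework)."""
from __future__ import annotations

# Assumed project-level setting; the library offers no such option in this issue.
MAX_EXPAND_DEPTH = 3

# Constructed serializer graph: serializer name -> {expandable field: target serializer}.
# Object1Serializer.child1 expands to Child1Serializer, whose object1 field points back,
# which is exactly the object1.child1.object1... cycle described above.
EXPANDABLE: dict[str, dict[str, str]] = {
    "Object1Serializer": {"child1": "Child1Serializer", "owner": "UserSerializer"},
    "Child1Serializer": {"object1": "Object1Serializer"},
    "UserSerializer": {},
}


class ExpandRejected(ValueError):
    """Raised for an expansion request that exceeds the depth limit or forms a cycle."""


def parse_expand(expand_param: str) -> list[list[str]]:
    """Split 'a.b,c' into [['a', 'b'], ['c']], ignoring empty segments and whitespace."""
    paths = []
    for raw in expand_param.split(","):
        parts = [p for p in raw.strip().split(".") if p]
        if parts:
            paths.append(parts)
    return paths


def check_depth(parts: list[str], max_depth: int) -> None:
    """Control 1: a flat cap on how many levels one dot-path may nest."""
    if len(parts) > max_depth:
        raise ExpandRejected(
            f"{'.'.join(parts)!r} nests {len(parts)} levels; limit is {max_depth}"
        )


def check_cycle(parts: list[str], root: str, graph: dict[str, dict[str, str]]) -> None:
    """Control 2: walk the path through the serializer graph and refuse to re-enter
    any serializer already on the ancestor chain (the infinite-recursion case)."""
    chain = [root]
    current = root
    for field in parts:
        target = graph.get(current, {}).get(field)
        if target is None:
            raise ExpandRejected(f"{field!r} is not expandable on {current}")
        if target in chain:
            raise ExpandRejected(
                f"{'.'.join(parts)!r} re-enters {target} (chain: {' -> '.join(chain)})"
            )
        chain.append(target)
        current = target


def validate_expand(
    expand_param: str,
    root: str,
    *,
    max_depth: int = MAX_EXPAND_DEPTH,
    graph: dict[str, dict[str, str]] = EXPANDABLE,
) -> list[str]:
    """Return the accepted dot-paths, or raise ExpandRejected on the first bad one.
    Call this in the view or serializer __init__ before expansion is applied."""
    accepted = []
    for parts in parse_expand(expand_param):
        check_depth(parts, max_depth)
        check_cycle(parts, root, graph)
        accepted.append(".".join(parts))
    return accepted


def rejection_reason(expand_param: str, root: str) -> str | None:
    """Convenience wrapper: the rejection message, or None if the request is accepted."""
    try:
        validate_expand(expand_param, root)
    except ExpandRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_expand("owner,child1", "Object1Serializer"))
    for bad in ("child1.object1.child1.object1", "child1.object1", "owner.profile"):
        print("rejected:", rejection_reason(bad, "Object1Serializer"))
```

The depth cap alone bounds the work per request and is enough to stop the unbounded case; the cycle check is stricter and also refuses a single round trip such as `child1.object1`, which some projects consider legitimate, so drop `check_cycle` or allow one revisit if that shape is needed. Both checks run on the request string only, so a rejected request costs no database queries.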

rsinger86 commented 1 year ago

great point, I'll pin this.

andruten commented 1 year ago

@rsinger86 We've implemented a solution for this. I can publish a PR.