nspcc-dev/neo-go
1
0
Fork 0
mirror of https://github.com/nspcc-dev/neo-go.git synced 2026-03-01 04:28:51 +00:00
Code Issues 182 Projects Packages Wiki Activity

Find a replacement for JSON library #1219

New issue
Open
opened 2025-12-28 17:15:40 +00:00 by sami · 2 comments
sami commented 2025-12-28 17:15:40 +00:00
Owner
Copy link

Originally created by @AnnaShaleva on GitHub (Nov 23, 2023).

Is your feature request related to a problem? Please describe.

Currently it's possible to perform DOS to RPC server using RPC requests with high depth. NeoC# doesn't have such problem since https://github.com/neo-project/neo/pull/2912 and https://github.com/neo-project/neo-modules/pull/827. However, for us it's not that easy because neither standard JSON nor ordered JSON supports nested JSON depth restriction. But this limit is restricted by default by 10000, see https://github.com/golang/go/issues/31789 and golang/go@84afaa9e94.

Describe the solution you'd like

We need to find some other JSON library that allows to restrict maximum allowed JSON depth. Ref. https://github.com/nspcc-dev/neo-go/pull/3221#discussion_r1403335833.

Originally created by @AnnaShaleva on GitHub (Nov 23, 2023). ## Is your feature request related to a problem? Please describe. Currently it's possible to perform DOS to RPC server using RPC requests with high depth. NeoC# doesn't have such problem since https://github.com/neo-project/neo/pull/2912 and https://github.com/neo-project/neo-modules/pull/827. However, for us it's not that easy because neither standard JSON nor ordered JSON supports nested JSON depth restriction. But this limit is restricted by default by 10000, see https://github.com/golang/go/issues/31789 and https://github.com/golang/go/commit/84afaa9e9491d76ea43d7125b336030a0a2a902d. ## Describe the solution you'd like We need to find some other JSON library that allows to restrict maximum allowed JSON depth. Ref. https://github.com/nspcc-dev/neo-go/pull/3221#discussion_r1403335833.
sami commented 2025-12-28 17:15:40 +00:00
Author
Owner
Copy link

@roman-khimov commented on GitHub (Nov 23, 2023):

The other way to handle it is just to try what amount of badness can we fit into 5M and how bad is it for the node. Maybe it's not that bad. But 5M is not a small number either, a lot of braces of various kinds can be put into this volume.

@roman-khimov commented on GitHub (Nov 23, 2023): The other way to handle it is just to try what amount of badness can we fit into 5M and how bad is it for the node. Maybe it's not _that_ bad. But 5M is not a small number either, a lot of braces of various kinds can be put into this volume.
sami commented 2025-12-28 17:15:40 +00:00
Author
Owner
Copy link

@roman-khimov commented on GitHub (Aug 13, 2025):

https://go.dev/doc/go1.25#json_v2 should solve most problems.

@roman-khimov commented on GitHub (Aug 13, 2025): https://go.dev/doc/go1.25#json_v2 should solve most problems.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
modernize
dynamic-opcode-pricing
prohibit-concurrent-runs
bls12-eth-aliases
support-nep-25
load-large-sc
extended-ntr-logs
rpc-cntr
bn254-curve-support
stateroot-block-version-1
extend-logs
sess-exp-time
revert-bolt-upd
extended-logs
v0.109.0-patched
fix-echidna-states
magic-numbers
fix-ret-overlapping
add-vm-bench
drop-some-reflection
wss-height
useless-branch
gnark-upd-v0.10.0
increase-test-timeout
notary
subs-notary-test
skip-check
improve-subs-compat-test
api_subscribe
workshop-example
notary-attacks
changelog-0.102.0
conflicts-test
test-subs
sh-runner
nns-upd-breaking
nns-upd-3
nns-upd-2
compiler-inline-debugger
jsonpath-dfs
btree-memstore
master-2.x
sale
bls
v0.117.0
v0.116.0
v0.115.0
v0.114.0
v0.113.0
v0.112.0
v0.111.0
v0.110.0
v0.109.1
v0.109.0
v0.108.1
v0.108.0
v0.107.2
v0.107.1
v0.107.0
v0.106.3
v0.106.2
v0.106.1
v0.106.0
v0.105.1
v0.105.0
v0.104.0
v0.103.1
v0.103.0
v0.102.0
v0.101.4
v0.101.3
v0.101.2
v0.101.1
v0.101.0
v0.100.1
v0.100.0
v0.99.7
v0.99.6
v0.99.5
v0.99.4
v0.99.3
v0.99.2
v0.99.1
v0.99.0
v0.98.5
v0.98.4
v0.98.3
v0.98.2
v0.98.1
v0.98.0
v0.97.3
v0.97.2
v0.78.5-pre
v0.78.4
v0.97.1
v0.97.0
v0.96.1
v0.96.0
v0.95.4
v0.95.3
v0.95.2
v0.95.1
v0.95.0
v0.94.1
v0.94.0
v0.78.3
v0.93.0
v0.92.0
v0.78.2
v0.78.1
v0.78.0
v0.91.0
v0.77.0
v0.76.2
v0.76.1
v0.90.0
v0.76.0
v0.75.0
v0.74.0
v0.73.0
v0.72.2
v0.72.1
v0.72.0
v0.71.0
v0.70.1
v0.70.0
v0.62.0
v0.61.0
v0.60.0
v0.51.0
v0.50.0
0.44.10
0.44.9
0.44.8
0.44.7
0.44.6
0.44.5
0.44.4
0.44.3
0.44.2
0.44.1
0.43.0
0.44.0
0.42.0
0.41.2
0.41.1
0.41.0
0.40.2
0.40.1
0.40.0
0.39.2
0.39.1
0.39.0
0.38.1
0.38.0
0.37.0
0.36.0
0.35.1
0.35.0
0.34.1
0.34.0
0.33.1
0.33.0
0.32.0
0.31.0
0.30.0
0.29.0
0.28.0
0.27.0
0.26.0
0.25.0
0.24.0
0.23.0
0.22.0
0.21.0
0.20.0
0.19.0
0.18.0
0.17.0
0.16.0
0.15.0
0.14.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
0.8.0
0.7.0
0.6.0
0.5.0
0.4.0
0.3.0
0.2.0
0.1.0
Labels
Clear labels   
I1

   
I2

   
I3

   
I4

   
S1

   
S2

   
S3

   
S4

   
U0

   
U1

   
U2

   
U3

   
U3

   
U4

   
blocked

   
bug

   
bug

   
cli

   
compiler

   
config

   
config

   
consensus

   
dependencies

   
discussion

   
documentation

   
enhancement

   
epic

   
feature

   
go

   
good first issue

   
help wanted

   
neotest

   
network

   
oracle

   
performance

   
question

   
rpc

   
security

   
smartcontract

   
task

   
task

   
task

   
test

   
vm

   
wallet

   
windows

   
windows
No labels
I1
I2
I3
I4
S1
S2
S3
S4
U0
U1
U2
U3
U3
U4
blocked
bug
bug
cli
compiler
config
config
consensus
dependencies
discussion
documentation
enhancement
epic
feature
go
good first issue
help wanted
neotest
network
oracle
performance
question
rpc
security
smartcontract
task
task
task
test
vm
wallet
windows
windows
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
nspcc-dev/neo-go#1219
No description provided.