Guard JSON tree renderer against deep and oversized payloads#2
Conversation

Deploying agent-render with

| Latest commit: | d3c9729 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://c4462930.agent-render.pages.dev |
| Branch Preview URL: | https://codex-fix-client-side-dos-in.agent-render.pages.dev |
Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview
This PR adds security improvements to protect against DoS attacks from large JSON payloads by implementing tree depth and node count limits.

Security Assessment
The implementation correctly:

Code Quality

Files Reviewed (3 files)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d3c9729a16
const entries = Array.isArray(current.value) ? current.value : Object.values(current.value);
for (const entry of entries) {
  stack.push({ value: entry, depth: current.depth + 1 });
Enforce node cap while expanding children
The size guard still does unbounded work for very wide payloads because exceedsTreeLimits pushes every child from entries before checking visitedNodes again, so an object/array with hundreds of thousands of top-level items will allocate a huge stack and can still freeze the UI even when maxNodes is small. This undermines the protection added in this commit for oversized JSON, since the expensive expansion happens before the function can return true.
Motivation

Description
- src/lib/json/tree-limits.ts, which exports MAX_TREE_DEPTH, MAX_TREE_NODES, and exceedsTreeLimits, using an iterative traversal to detect excessive depth or node counts without recursion.
- src/components/renderers/json-renderer.tsx, updated to parse the artifact, check exceedsTreeLimits, and when the payload is too large show a clear message and fall back to the Raw/code view instead of rendering the full tree.
- tests/json-tree-limits.test.ts, which verifies that small payloads are allowed and that overly deep or overly large payloads are blocked.

Testing
- npm test: all tests passed, including the new tests/json-tree-limits.test.ts.
- npm run lint: the linter completed successfully.
- npm run typecheck: TypeScript checks completed successfully.
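As an added example (not the project's own tree-limits.ts or json-renderer.tsx), the following TypeScript shows the guard the Description outlines, written so that it also addresses the Codex review point above: each child is counted against the node budget at the moment it is pushed, so a very wide array or object trips the cap after at most maxNodes pushes instead of being expanded in full first, and objects are walked with for...in rather than materialising Object.values(). The exported names MAX_TREE_DEPTH, MAX_TREE_NODES and exceedsTreeLimits come from the PR description; the numeric defaults, the Limits option object and the chooseView fallback helper are assumptions made for this example.

```typescript
// Added example, not the project's code. Implements the iterative
// depth/node-count guard named in the PR (MAX_TREE_DEPTH, MAX_TREE_NODES,
// exceedsTreeLimits) plus a renderer-side fallback. The numeric defaults,
// the Limits option object and chooseView are assumptions.

export const MAX_TREE_DEPTH = 64;     // assumed default, not from the PR
export const MAX_TREE_NODES = 50_000; // assumed default, not from the PR

export interface Limits {
  maxDepth?: number;
  maxNodes?: number;
}

interface Frame {
  value: unknown;
  depth: number;
}

function isContainer(v: unknown): v is object {
  return typeof v === "object" && v !== null;
}

// Explicit-stack traversal: no recursion, so deep input cannot overflow the
// call stack. Every pending frame counts toward the node budget when it is
// pushed, so the stack itself can never grow past maxNodes entries.
export function exceedsTreeLimits(root: unknown, limits: Limits = {}): boolean {
  const maxDepth = limits.maxDepth ?? MAX_TREE_DEPTH;
  const maxNodes = limits.maxNodes ?? MAX_TREE_NODES;
  const stack: Frame[] = [{ value: root, depth: 0 }];
  let visitedNodes = 0;

  // Returns true when the child cannot be admitted within the limits.
  const push = (value: unknown, depth: number): boolean => {
    if (depth > maxDepth) return true;
    // visited + still-pending + this child = nodes committed so far
    if (visitedNodes + stack.length + 1 > maxNodes) return true;
    stack.push({ value, depth });
    return false;
  };

  while (stack.length > 0) {
    const current = stack.pop()!;
    visitedNodes += 1;
    if (visitedNodes > maxNodes) return true;
    if (!isContainer(current.value)) continue;

    const childDepth = current.depth + 1;
    if (Array.isArray(current.value)) {
      for (const element of current.value) {
        if (push(element, childDepth)) return true;
      }
    } else {
      // for...in avoids allocating Object.values() for a huge object
      const obj = current.value as Record<string, unknown>;
      for (const key in obj) {
        if (!Object.prototype.hasOwnProperty.call(obj, key)) continue;
        if (push(obj[key], childDepth)) return true;
      }
    }
  }
  return false;
}

export type ViewChoice = { view: "tree" } | { view: "raw"; message: string };

// Renderer-side decision mirroring the PR description: parse, check the
// limits, and fall back to the raw/code view with a message when exceeded.
export function chooseView(artifactText: string, limits: Limits = {}): ViewChoice {
  let parsed: unknown;
  try {
    parsed = JSON.parse(artifactText);
  } catch (_err) {
    return { view: "raw", message: "Artifact is not valid JSON; showing raw text." };
  }
  if (exceedsTreeLimits(parsed, limits)) {
    const depth = limits.maxDepth ?? MAX_TREE_DEPTH;
    const nodes = limits.maxNodes ?? MAX_TREE_NODES;
    return {
      view: "raw",
      message: `JSON exceeds tree view limits (max depth ${depth}, max nodes ${nodes}); showing raw text.`,
    };
  }
  return { view: "tree" };
}
```

The budget check is exact: visitedNodes plus the pending stack is the number of nodes the traversal has committed to rendering, so `exceedsTreeLimits` returns true precisely when the tree has more than maxNodes nodes, and the work done before returning is bounded by maxNodes rather than by the payload's width. Note that JSON.parse still has to read the whole string; the guard bounds tree rendering, not parsing, so a separate byte-size limit on the artifact is the complementary control.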