Adding limits to XStream Deserialization


Himanshu Tanwar

Mar 11, 2025, 4:33:23 AM
to XStream User
Hello

I have made some updates to XStream to handle certain limits during deserialization. The limits include having checks on the depth of XML, the number of fields in a class and the size of the value of a field.
I wanted to raise a PR with the changes but I am not able to do so due to some permission issue. Can anyone help me out with this?


Jörg Schaible

Mar 12, 2025, 2:10:19 PM
to XStream User

Hi,

XStream is no different to any other Git repo at GitHub. Please follow the official instructions: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork


And consider the size and context of your PR:

https://artsy.github.io/blog/2021/03/09/strategies-for-small-focused-pull-requests/


One PR with a lot of different features and - even worse - reformatting of existing code will have problems getting in.


Hope this helps, we're waiting for your PR(s).


Cheers,

Jörg

Himanshu Tanwar

Apr 8, 2025, 8:56:23 AM
to XStream User
Hi
Thanks for the response, I was able to create a pull request. Can you review it and provide feedback?
https://github.com/x-stream/xstream/pull/371

It is aimed at improving the security of the library and helps the user control the limits to avoid DoS attacks and stack overflow errors.