Add max_depth parameter to prevent DoS from deeply nested data

Author: mahdirahimi1999

rest_framework/fields.py

@@ -1692,22 +1692,14 @@ def _propagate_depth_to_child(self):
             if hasattr(self.child, '_propagate_depth_to_child'):
                 self.child._propagate_depth_to_child()
 
-    def _check_data_depth(self, data, current=0):
-        if self._root_max_depth is not None:
-            if isinstance(data, (list, tuple)):
-                for item in data:
-                    if isinstance(item, (list, tuple, dict)):
-                        next_depth = current + 1
-                        if next_depth > self._root_max_depth:
-                            self.fail('max_depth', max_depth=self._root_max_depth)
-                        self._check_data_depth(item, next_depth)
-            elif isinstance(data, dict):
-                for value in data.values():
-                    if isinstance(value, (list, tuple, dict)):
-                        next_depth = current + 1
-                        if next_depth > self._root_max_depth:
-                            self.fail('max_depth', max_depth=self._root_max_depth)
-                        self._check_data_depth(value, next_depth)
+    def _check_data_depth(self, data, current_level):
+        items = data.values() if isinstance(data, dict) else data
+        for item in items:
+            if isinstance(item, (list, tuple, dict)):
+                next_level = current_level + 1
+                if next_level > self._root_max_depth:
+                    self.fail('max_depth', max_depth=self._root_max_depth)
+                self._check_data_depth(item, next_level)
 
     def get_value(self, dictionary):
         if self.field_name not in dictionary:
@@ -1734,9 +1726,12 @@ def to_internal_value(self, data):
             self.fail('not_a_list', input_type=type(data).__name__)
         if not self.allow_empty and len(data) == 0:
             self.fail('empty')
-        if self._root_max_depth is not None and self._current_depth > self._root_max_depth:
-            self.fail('max_depth', max_depth=self._root_max_depth)
-        self._check_data_depth(data, self._current_depth)
+        if self._root_max_depth is not None:
+            start_level = self._current_depth if self._current_depth > 0 else 1
+            if start_level > self._root_max_depth:
+                self.fail('max_depth', max_depth=self._root_max_depth)
+            if self.max_depth is not None:
+                self._check_data_depth(data, start_level)
         return self.run_child_validation(data)
 
     def to_representation(self, data):
@@ -1789,7 +1784,7 @@ def __init__(self, **kwargs):
 
     def bind(self, field_name, parent):
         super().bind(field_name, parent)
-        if hasattr(parent, '_root_max_depth') and parent._root_max_depth is not None:
+        if self.max_depth is None and hasattr(parent, '_root_max_depth') and parent._root_max_depth is not None:
             self._root_max_depth = parent._root_max_depth
             self._current_depth = parent._current_depth + 1
         self._propagate_depth_to_child()
@@ -1801,22 +1796,14 @@ def _propagate_depth_to_child(self):
             if hasattr(self.child, '_propagate_depth_to_child'):
                 self.child._propagate_depth_to_child()
 
-    def _check_data_depth(self, data, current=0):
-        if self._root_max_depth is not None:
-            if isinstance(data, dict):
-                for value in data.values():
-                    if isinstance(value, (list, tuple, dict)):
-                        next_depth = current + 1
-                        if next_depth > self._root_max_depth:
-                            self.fail('max_depth', max_depth=self._root_max_depth)
-                        self._check_data_depth(value, next_depth)
-            elif isinstance(data, (list, tuple)):
-                for item in data:
-                    if isinstance(item, (list, tuple, dict)):
-                        next_depth = current + 1
-                        if next_depth > self._root_max_depth:
-                            self.fail('max_depth', max_depth=self._root_max_depth)
-                        self._check_data_depth(item, next_depth)
+    def _check_data_depth(self, data, current_level):
+        items = data.values() if isinstance(data, dict) else data
+        for item in items:
+            if isinstance(item, (list, tuple, dict)):
+                next_level = current_level + 1
+                if next_level > self._root_max_depth:
+                    self.fail('max_depth', max_depth=self._root_max_depth)
+                self._check_data_depth(item, next_level)
 
     def get_value(self, dictionary):
         # We override the default field access in order to support
@@ -1835,9 +1822,12 @@ def to_internal_value(self, data):
             self.fail('not_a_dict', input_type=type(data).__name__)
         if not self.allow_empty and len(data) == 0:
             self.fail('empty')
-        if self._root_max_depth is not None and self._current_depth > self._root_max_depth:
-            self.fail('max_depth', max_depth=self._root_max_depth)
-        self._check_data_depth(data, self._current_depth)
+        if self._root_max_depth is not None:
+            start_level = self._current_depth if self._current_depth > 0 else 1
+            if start_level > self._root_max_depth:
+                self.fail('max_depth', max_depth=self._root_max_depth)
+            if self.max_depth is not None:
+                self._check_data_depth(data, start_level)
         return self.run_child_validation(data)
 
     def to_representation(self, value):

rest_framework/serializers.py

@@ -76,9 +76,9 @@
     'read_only', 'write_only', 'required', 'default', 'initial', 'source',
     'label', 'help_text', 'style', 'error_messages', 'allow_empty',
     'instance', 'data', 'partial', 'context', 'allow_null',
-    'max_length', 'min_length'
+    'max_length', 'min_length', 'max_depth'
 )
-LIST_SERIALIZER_KWARGS_REMOVE = ('allow_empty', 'min_length', 'max_length')
+LIST_SERIALIZER_KWARGS_REMOVE = ('allow_empty', 'min_length', 'max_length', 'max_depth')
 
 ALL_FIELDS = '__all__'
 
@@ -111,20 +111,25 @@ class BaseSerializer(Field):
     .data - Available.
     """
 
+    default_error_messages = {
+        'max_depth': _('Nesting depth exceeds maximum allowed depth of {max_depth}.')
+    }
+
     def __init__(self, instance=None, data=empty, **kwargs):
         self.instance = instance
         if data is not empty:
             self.initial_data = data
         self.partial = kwargs.pop('partial', False)
         self._context = kwargs.pop('context', {})
         kwargs.pop('many', None)
+        self.max_depth = kwargs.pop('max_depth', None)
         super().__init__(**kwargs)
         self._current_depth = 0
-        self._root_max_depth = None
+        self._root_max_depth = self.max_depth
 
     def bind(self, field_name, parent):
         super().bind(field_name, parent)
-        if hasattr(parent, '_root_max_depth') and parent._root_max_depth is not None:
+        if self.max_depth is None and hasattr(parent, '_root_max_depth') and parent._root_max_depth is not None:
             self._root_max_depth = parent._root_max_depth
             self._current_depth = parent._current_depth + 1
 
@@ -137,6 +142,32 @@ def _propagate_depth_to_child(self):
                     if hasattr(field, '_propagate_depth_to_child'):
                         field._propagate_depth_to_child()
 
+    def _check_data_depth(self, data, current_level):
+        if isinstance(data, dict):
+            for value in data.values():
+                if isinstance(value, (list, tuple, dict)):
+                    next_level = current_level + 1
+                    if next_level > self._root_max_depth:
+                        message = self.error_messages['max_depth'].format(
+                            max_depth=self._root_max_depth
+                        )
+                        raise ValidationError({
+                            api_settings.NON_FIELD_ERRORS_KEY: [message]
+                        }, code='max_depth')
+                    self._check_data_depth(value, next_level)
+        elif isinstance(data, (list, tuple)):
+            for item in data:
+                if isinstance(item, (list, tuple, dict)):
+                    next_level = current_level + 1
+                    if next_level > self._root_max_depth:
+                        message = self.error_messages['max_depth'].format(
+                            max_depth=self._root_max_depth
+                        )
+                        raise ValidationError({
+                            api_settings.NON_FIELD_ERRORS_KEY: [message]
+                        }, code='max_depth')
+                    self._check_data_depth(item, next_level)
+
     def __new__(cls, *args, **kwargs):
         # We override this method in order to automatically create
         # `ListSerializer` classes instead when `many=True` is set.
@@ -390,7 +421,8 @@ def fields(self):
         fields = BindingDict(self)
         for key, value in self.get_fields().items():
             fields[key] = value
-        self._propagate_depth_to_child()
+        if self._root_max_depth is not None:
+            self._propagate_depth_to_child()
         return fields
 
     @property
@@ -507,6 +539,9 @@ def to_internal_value(self, data):
             raise ValidationError({
                 api_settings.NON_FIELD_ERRORS_KEY: [message]
             }, code='invalid')
+        if self._root_max_depth is not None and self.max_depth is not None:
+            start_level = self._current_depth
+            self._check_data_depth(data, start_level)
 
         ret = {}
         errors = {}
@@ -672,6 +707,32 @@ def run_child_validation(self, data):
         """
         return self.child.run_validation(data)
 
+    def _check_data_depth(self, data, current_level):
+        if isinstance(data, (list, tuple)):
+            for item in data:
+                if isinstance(item, (list, tuple, dict)):
+                    next_level = current_level + 1
+                    if next_level > self._root_max_depth:
+                        message = self.error_messages['max_depth'].format(
+                            max_depth=self._root_max_depth
+                        )
+                        raise ValidationError({
+                            api_settings.NON_FIELD_ERRORS_KEY: [message]
+                        }, code='max_depth')
+                    self._check_data_depth(item, next_level)
+        elif isinstance(data, dict):
+            for value in data.values():
+                if isinstance(value, (list, tuple, dict)):
+                    next_level = current_level + 1
+                    if next_level > self._root_max_depth:
+                        message = self.error_messages['max_depth'].format(
+                            max_depth=self._root_max_depth
+                        )
+                        raise ValidationError({
+                            api_settings.NON_FIELD_ERRORS_KEY: [message]
+                        }, code='max_depth')
+                    self._check_data_depth(value, next_level)
+
     def to_internal_value(self, data):
         """
         List of dicts of native values <- List of dicts of primitive datatypes.
@@ -687,6 +748,10 @@ def to_internal_value(self, data):
                 api_settings.NON_FIELD_ERRORS_KEY: [message]
             }, code='not_a_list')
 
+        if self._root_max_depth is not None and self.max_depth is not None:
+            start_level = self._current_depth
+            self._check_data_depth(data, start_level)
+
         if not self.allow_empty and len(data) == 0:
             message = self.error_messages['empty']
             raise ValidationError({