You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat: security hardening from audit (XXE, Newtonsoft type handling, redaction) (#2181)
Security audit found no Critical/High issues; these are defense-in-depth
and behavior-change hardenings, safe by default.
- xml: force DtdProcessing.Prohibit and clear XmlResolver on every reader
settings access to block XXE and entity-expansion attacks, with an
obsolete AllowDtdProcessing opt-out for fully trusted sources
- newtonsoft: force TypeNameHandling.None when no explicit settings are
supplied so an unsafe global JsonConvert.DefaultSettings cannot drive
polymorphic deserialization of response bodies; explicit caller settings
are still honored
- generator: escape U+0085/U+2028/U+2029 in emitted string literals (these
break a regular literal, CS1010) and fix the literal length calculation
- regex: add a 1s match timeout to the net7+ GeneratedRegex for parity
- exceptions: add RefitSettings.ExceptionRedactor to scrub credentials and
bodies before an ApiException propagates, and MaxExceptionContentLength to
bound the error-body read; document the disclosure surface and make
Content/RequestContent settable for redaction
- docs: add a V13 breaking-changes section to the README
- claude.md: document promoting PublicAPI unshipped to shipped before a PR
Tests and coverage:
- cover XXE rejection and the DTD opt-out, TypeNameHandling neutralize/honor,
generator escaping, content cap, redaction, async error-body reads, and the
problem+json validation path; remove dead negative-number handling from the
generator's integer writer
- perf: cache Roslyn metadata references across generator tests. The harness
rebuilt the full framework reference closure (~169 assemblies) per test, so
parallel execution multiplied to ~31 GiB across the four TFMs and OOM-killed
the CI runner. Materializing each reference once into a process-wide cache
drops the net9.0 peak RSS from 8.3 GiB to 1.4 GiB and the four-TFM peak from
30.8 GiB to 4.6 GiB
Copy file name to clipboardExpand all lines: CLAUDE.md
+11Lines changed: 11 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -159,3 +159,14 @@ dotnet run --project "tests/Refit.GeneratorTests/Refit.GeneratorTests.csproj" -f
159
159
- Keep changes scoped. Do not rewrite unrelated files while touching generator/runtime paths.
160
160
- Prefer focused tests that compile or execute the real generated output when changing source generator behavior.
161
161
162
+
---
163
+
164
+
## Public API tracking
165
+
166
+
The runtime projects use the public-API analyzer, so every public/protected member is recorded under `src/Refit/PublicAPI/<tfm>/`.
167
+
168
+
- New public surface goes in `PublicAPI.Unshipped.txt` for each affected TFM while you iterate.
169
+
-**Before opening a PR, move those new entries from `PublicAPI.Unshipped.txt` into the matching `PublicAPI.Shipped.txt` (and reset each unshipped file to just `#nullable enable`).** This repo ships almost immediately after merge, so unshipped API is promoted as part of the change rather than left pending.
170
+
- For behavior changes or public API additions, also add a breaking-changes note to the README.
171
+
- Shipped entries are assumed to be carried forward; you do not need to call them out separately in the PR.
0 commit comments