From f5902bf7d8397db27ce7c1e06a7c9f243373da9e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 27 May 2026 22:06:08 +0000 Subject: [PATCH 1/2] Initial plan From 1941ab69a9d87a27bbbc55b2a884b10bd1a1774a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 27 May 2026 22:29:10 +0000 Subject: [PATCH 2/2] Add regression tests for JsonSerializer.Deserialize MaxDepth enforcement Adds tests verifying that JsonSerializer.Deserialize correctly throws JsonException when MaxDepth is exceeded for deeply nested arrays and objects, as reported in the issue. - DomTests.cs: DeserializeToNode_RespectsMaxDepth_Arrays/_Objects (parallel to existing SerializeToNode_RespectsMaxDepth) - JsonNodeTests.cs: Deserialize_JsonNode_RespectsMaxDepth_DeeplyNestedArrays Co-authored-by: steveisok <471438+steveisok@users.noreply.github.com> --- .../JsonNode/JsonNodeTests.cs | 21 +++++++++++ .../Serialization/DomTests.cs | 37 +++++++++++++++++++ 2 files changed, 58 insertions(+) diff --git a/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/JsonNode/JsonNodeTests.cs b/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/JsonNode/JsonNodeTests.cs index 6573f7e9760198..c17579baa2893a 100644 --- a/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/JsonNode/JsonNodeTests.cs +++ b/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/JsonNode/JsonNodeTests.cs @@ -3,6 +3,7 @@ using System.Collections; using System.Collections.Generic; +using System.Linq; using Xunit; namespace System.Text.Json.Nodes.Tests @@ -339,5 +340,25 @@ public static void JsonValue_AsValue() JsonValue value = node.AsValue(); Assert.Equal(42, value.GetValue()); } + + [Theory] + [InlineData(5)] + [InlineData(32)] + public static void Deserialize_JsonNode_RespectsMaxDepth_DeeplyNestedArrays(int maxDepth) + { + var options = new JsonSerializerOptions { MaxDepth = maxDepth }; + + // Exactly at max depth: should succeed. + string withinDepth = string.Concat(Enumerable.Repeat("[", maxDepth)) + + string.Concat(Enumerable.Repeat("]", maxDepth)); + JsonNode? node = JsonSerializer.Deserialize(withinDepth, options); + Assert.NotNull(node); + Assert.IsType(node); + + // One level beyond max depth: must throw JsonException. + string beyondDepth = string.Concat(Enumerable.Repeat("[", maxDepth + 1)) + + string.Concat(Enumerable.Repeat("]", maxDepth + 1)); + Assert.Throws(() => JsonSerializer.Deserialize(beyondDepth, options)); + } } } diff --git a/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/Serialization/DomTests.cs b/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/Serialization/DomTests.cs index bf11f1cbf8b875..23b8df45710a5b 100644 --- a/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/Serialization/DomTests.cs +++ b/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/Serialization/DomTests.cs @@ -210,6 +210,43 @@ public static void SerializeToNode_RespectsMaxDepth(int maxDepth) Assert.Throws(() => JsonSerializer.SerializeToNode(value, options)); } + [Theory] + [InlineData(5)] + [InlineData(32)] + [InlineData(70)] // default max depth is 64 + public static void DeserializeToNode_RespectsMaxDepth_Arrays(int maxDepth) + { + var options = new JsonSerializerOptions { MaxDepth = maxDepth }; + + // Exactly at max depth should succeed. + string withinDepth = string.Concat(Enumerable.Repeat("[", maxDepth)) + string.Concat(Enumerable.Repeat("]", maxDepth)); + JsonNode? node = JsonSerializer.Deserialize(withinDepth, options); + Assert.NotNull(node); + + // One level beyond max depth should throw. + string beyondDepth = string.Concat(Enumerable.Repeat("[", maxDepth + 1)) + string.Concat(Enumerable.Repeat("]", maxDepth + 1)); + Assert.Throws(() => JsonSerializer.Deserialize(beyondDepth, options)); + Assert.Throws(() => JsonSerializer.Deserialize(beyondDepth, options)); + } + + [Theory] + [InlineData(5)] + [InlineData(32)] + [InlineData(70)] // default max depth is 64 + public static void DeserializeToNode_RespectsMaxDepth_Objects(int maxDepth) + { + var options = new JsonSerializerOptions { MaxDepth = maxDepth }; + + // Build nested object JSON: {"x":{"x":...{"x":1}...}} + string withinDepth = string.Concat(Enumerable.Repeat("{\"x\":", maxDepth)) + "1" + string.Concat(Enumerable.Repeat("}", maxDepth)); + JsonNode? node = JsonSerializer.Deserialize(withinDepth, options); + Assert.NotNull(node); + + string beyondDepth = string.Concat(Enumerable.Repeat("{\"x\":", maxDepth + 1)) + "1" + string.Concat(Enumerable.Repeat("}", maxDepth + 1)); + Assert.Throws(() => JsonSerializer.Deserialize(beyondDepth, options)); + Assert.Throws(() => JsonSerializer.Deserialize(beyondDepth, options)); + } + public class RecursiveClass { public RecursiveClass? Next { get; set; }