fix: full depth tracking across Codable container hierarchy

This change includes 2 main changes.

Previously, the `maximumDepth` option was defined but not actually used in
`CodableCBORDecoder`, creating a DoS vulnerability where deeply nested
structures could cause stack overflow.

**Problem:**

1. `CodableCBORDecoder` had a `maximumDepth` property but it wasn't included
   in the options computed property, so it defaulted to `.max`
2. `SingleValueDecodingContainer` called `CBOR.decode()` without passing options
3. `KeyedDecodingContainer` and `UnkeyedDecodingContainer` created `CBORDecoder`
   instances without passing options
4. This meant depth checking was never enforced for Codable decoding

**Fix:**

- Add `maximumDepth` property to `CodableCBORDecoder` (public API)
- Include `maximumDepth` in options computed property
- Update `setOptions()` to set `maximumDepth`
- Pass options to all `CBOR.decode()` calls in `SingleValueDecodingContainer`
- Pass options to `CBORDecoder()` calls in `KeyedDecodingContainer`
- Pass options to `CBORDecoder()` calls in `UnkeyedDecodingContainer`

Changes:
- Added `currentDepth` field to `_CBORDecoder` and all container classes
  (`KeyedContainer`, `UnkeyedContainer`, `SingleValueContainer`)
- Thread `currentDepth` through all container creation and nested decoding
- Check depth before creating keyed/unkeyed containers in `_CBORDecoder`
- Increment depth when creating nested decoders in `decode()` methods
- Pass incremented depth through `superDecoder()` methods

Previously, each `CBOR.decode()` call would reset `currentDepth` to 0, allowing
deeply nested structures to bypass the depth limit. For example, a 10-level
nested array with `maximumDepth=5` would incorrectly succeed. Now depth is
properly tracked across the entire container hierarchy.

Author: hamchapman

Sources/Decoder/CodableCBORDecoder.swift

@@ -3,6 +3,7 @@ import Foundation
 final public class CodableCBORDecoder {
     public var useStringKeys: Bool = false
     public var dateStrategy: DateStrategy = .taggedAsEpochTimestamp
+    public var maximumDepth: Int = .max
 
     struct _Options {
         let useStringKeys: Bool
@@ -29,7 +30,7 @@ final public class CodableCBORDecoder {
     }
 
     var options: _Options {
-        return _Options(useStringKeys: self.useStringKeys, dateStrategy: self.dateStrategy)
+        return _Options(useStringKeys: self.useStringKeys, dateStrategy: self.dateStrategy, maximumDepth: self.maximumDepth)
     }
 
     public init() {}
@@ -66,6 +67,7 @@ final public class CodableCBORDecoder {
     func setOptions(_ newOptions: _Options) {
         self.useStringKeys = newOptions.useStringKeys
         self.dateStrategy = newOptions.dateStrategy
+        self.maximumDepth = newOptions.maximumDepth
     }
 }
 
@@ -78,34 +80,52 @@ final class _CBORDecoder {
     fileprivate var data: ArraySlice<UInt8>
 
     let options: CodableCBORDecoder._Options
+    var currentDepth: Int
 
-    init(data: ArraySlice<UInt8>, options: CodableCBORDecoder._Options) {
+    init(data: ArraySlice<UInt8>, options: CodableCBORDecoder._Options, currentDepth: Int = 0) {
         self.data = data
         self.options = options
+        self.currentDepth = currentDepth
     }
 }
 
 extension _CBORDecoder: Decoder {
     func container<Key: CodingKey>(keyedBy type: Key.Type) throws -> KeyedDecodingContainer<Key> {
+        guard self.currentDepth < self.options.maximumDepth else {
+            let context = DecodingError.Context(
+                codingPath: self.codingPath,
+                debugDescription: "Maximum decoding depth of \(self.options.maximumDepth) exceeded"
+            )
+            throw DecodingError.dataCorrupted(context)
+        }
+
         try ensureMap(self.data.first, keyType: Key.self)
 
-        let container = KeyedContainer<Key>(data: self.data, codingPath: self.codingPath, userInfo: self.userInfo, options: self.options)
+        let container = KeyedContainer<Key>(data: self.data, codingPath: self.codingPath, userInfo: self.userInfo, options: self.options, currentDepth: self.currentDepth)
         self.container = container
 
         return KeyedDecodingContainer(container)
     }
 
     func unkeyedContainer() throws -> UnkeyedDecodingContainer {
+        guard self.currentDepth < self.options.maximumDepth else {
+            let context = DecodingError.Context(
+                codingPath: self.codingPath,
+                debugDescription: "Maximum decoding depth of \(self.options.maximumDepth) exceeded"
+            )
+            throw DecodingError.dataCorrupted(context)
+        }
+
         try ensureArray(self.data.first)
 
-        let container = UnkeyedContainer(data: self.data, codingPath: self.codingPath, userInfo: self.userInfo, options: self.options)
+        let container = UnkeyedContainer(data: self.data, codingPath: self.codingPath, userInfo: self.userInfo, options: self.options, currentDepth: self.currentDepth)
         self.container = container
 
         return container
     }
 
     func singleValueContainer() throws -> SingleValueDecodingContainer {
-        let container = SingleValueContainer(data: self.data, codingPath: self.codingPath, userInfo: self.userInfo, options: self.options)
+        let container = SingleValueContainer(data: self.data, codingPath: self.codingPath, userInfo: self.userInfo, options: self.options, currentDepth: self.currentDepth)
         self.container = container
 
         return container

Sources/Decoder/KeyedDecodingContainer.swift

@@ -14,13 +14,15 @@ extension _CBORDecoder {
         var codingPath: [CodingKey]
         var userInfo: [CodingUserInfoKey: Any]
         let options: CodableCBORDecoder._Options
+        let currentDepth: Int
 
-        init(data: ArraySlice<UInt8>, codingPath: [CodingKey], userInfo: [CodingUserInfoKey : Any], options: CodableCBORDecoder._Options) {
+        init(data: ArraySlice<UInt8>, codingPath: [CodingKey], userInfo: [CodingUserInfoKey : Any], options: CodableCBORDecoder._Options, currentDepth: Int = 0) {
             self.codingPath = codingPath
             self.userInfo = userInfo
             self.data = data
             self.index = self.data.startIndex
             self.options = options
+            self.currentDepth = currentDepth
         }
 
         func checkCanDecodeValue(forKey key: Key) throws {
@@ -41,7 +43,7 @@ extension _CBORDecoder {
 
             var nestedContainers: [AnyCodingKey: CBORDecodingContainer] = [:]
 
-            let unkeyedContainer = UnkeyedContainer(data: self.data.suffix(from: self.index), codingPath: self.codingPath, userInfo: self.userInfo, options: self.options)
+            let unkeyedContainer = UnkeyedContainer(data: self.data.suffix(from: self.index), codingPath: self.codingPath, userInfo: self.userInfo, options: self.options, currentDepth: self.currentDepth)
             unkeyedContainer.count = count * 2
 
             var iterator = unkeyedContainer.nestedContainers.makeIterator()
@@ -94,7 +96,7 @@ extension _CBORDecoder {
                 // each key-value pair in the map.
                 let nextIndex = self.data.startIndex.advanced(by: 1)
                 let remainingData = self.data.suffix(from: nextIndex)
-                count = try? CBORDecoder(input: remainingData.map { $0 }).readPairsUntilBreak().keys.count
+                count = try? CBORDecoder(input: remainingData.map { $0 }, options: self.options.toCBOROptions()).readPairsUntilBreak().keys.count
             default:
                 let context = DecodingError.Context(
                     codingPath: self.codingPath,
@@ -145,9 +147,10 @@ extension _CBORDecoder.KeyedContainer: KeyedDecodingContainerProtocol {
         try checkCanDecodeValue(forKey: key)
 
         let container = try self.nestedContainers()[anyCodingKeyForKey(key)]!
-        let decoder = CodableCBORDecoder()
-        decoder.setOptions(self.options)
-        return try decoder.decode(T.self, from: container.data)
+        let innerDecoder = _CBORDecoder(data: container.data, options: self.options, currentDepth: self.currentDepth + 1)
+        innerDecoder.codingPath = self.codingPath + [key]
+        innerDecoder.userInfo = self.userInfo
+        return try T(from: innerDecoder)
     }
 
     func nestedUnkeyedContainer(forKey key: Key) throws -> UnkeyedDecodingContainer {
@@ -170,17 +173,18 @@ extension _CBORDecoder.KeyedContainer: KeyedDecodingContainerProtocol {
             data: anyCodingKeyedContainer.data,
             codingPath: anyCodingKeyedContainer.codingPath,
             userInfo: anyCodingKeyedContainer.userInfo,
-            options: anyCodingKeyedContainer.options
+            options: anyCodingKeyedContainer.options,
+            currentDepth: anyCodingKeyedContainer.currentDepth
         )
         return KeyedDecodingContainer(container)
     }
 
     func superDecoder() throws -> Decoder {
-        return _CBORDecoder(data: self.data, options: self.options)
+        return _CBORDecoder(data: self.data, options: self.options, currentDepth: self.currentDepth + 1)
     }
 
     func superDecoder(forKey key: Key) throws -> Decoder {
-        let decoder = _CBORDecoder(data: self.data, options: self.options)
+        let decoder = _CBORDecoder(data: self.data, options: self.options, currentDepth: self.currentDepth + 1)
         decoder.codingPath = [key]
 
         return decoder

Sources/Decoder/SingleValueDecodingContainer.swift

@@ -7,13 +7,15 @@ extension _CBORDecoder {
         var data: ArraySlice<UInt8>
         var index: Data.Index
         let options: CodableCBORDecoder._Options
+        let currentDepth: Int
 
-        init(data: ArraySlice<UInt8>, codingPath: [CodingKey], userInfo: [CodingUserInfoKey : Any], options: CodableCBORDecoder._Options) {
+        init(data: ArraySlice<UInt8>, codingPath: [CodingKey], userInfo: [CodingUserInfoKey : Any], options: CodableCBORDecoder._Options, currentDepth: Int = 0) {
             self.codingPath = codingPath
             self.userInfo = userInfo
             self.data = data
             self.index = self.data.startIndex
             self.options = options
+            self.currentDepth = currentDepth
         }
 
         func checkCanDecode<T>(_ type: T.Type, format: UInt8) throws {
@@ -32,7 +34,7 @@ extension _CBORDecoder {
 
 extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     func decodeNil() -> Bool {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             return false
         }
         switch cbor {
@@ -42,7 +44,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: Bool.Type) throws -> Bool {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -55,7 +57,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: String.Type) throws -> String {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -68,7 +70,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: Double.Type) throws -> Double {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -83,7 +85,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: Float.Type) throws -> Float {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -97,7 +99,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: Int.Type) throws -> Int {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -111,7 +113,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: Int8.Type) throws -> Int8 {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -125,7 +127,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: Int16.Type) throws -> Int16 {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -139,7 +141,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: Int32.Type) throws -> Int32 {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -153,7 +155,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: Int64.Type) throws -> Int64 {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -167,7 +169,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: UInt.Type) throws -> UInt {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -180,7 +182,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: UInt8.Type) throws -> UInt8 {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -193,7 +195,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: UInt16.Type) throws -> UInt16 {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -206,7 +208,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: UInt32.Type) throws -> UInt32 {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -219,7 +221,7 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode(_ type: UInt64.Type) throws -> UInt64 {
-        guard let cbor = try? CBOR.decode(self.data.map { $0 }) else {
+        guard let cbor = try? CBOR.decode(self.data.map { $0 }, options: self.options.toCBOROptions()) else {
             let context = DecodingError.Context(codingPath: self.codingPath, debugDescription: "Invalid format: \(self.data)")
             throw DecodingError.dataCorrupted(context)
         }
@@ -232,7 +234,9 @@ extension _CBORDecoder.SingleValueContainer: SingleValueDecodingContainer {
     }
 
     func decode<T: Decodable>(_ type: T.Type) throws -> T {
-        let decoder = _CBORDecoder(data: self.data, options: self.options)
+        let decoder = _CBORDecoder(data: self.data, options: self.options, currentDepth: self.currentDepth + 1)
+        decoder.codingPath = self.codingPath
+        decoder.userInfo = self.userInfo
         let value = try T(from: decoder)
         if let nextIndex = decoder.container?.index {
             self.index = nextIndex