Skip to content

AspNetCore: Add DataContractSerializer options for configurable reader quotas#578

Draft
Copilot wants to merge 6 commits into
mainfrom
copilot/add-datacontractserializer-options-again
Draft

AspNetCore: Add DataContractSerializer options for configurable reader quotas#578
Copilot wants to merge 6 commits into
mainfrom
copilot/add-datacontractserializer-options-again

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 19, 2026
edited
Loading

Exposes per-format serializer options so hosts can restrict XML reader quotas to mitigate denial-of-service (DoS) risks. By default all quotas remain at Max (current behavior unchanged).

New public API

Options classes (Serialization/DataContractSerializerOptions.cs):

  • DataContractSerializerOptions — base class with ReaderQuotas (XmlDictionaryReaderQuotas, mutable, defaults to max values)
  • BinaryDataContractSerializerOptions : DataContractSerializerOptions
  • XmlDataContractSerializerOptions : DataContractSerializerOptions

Builder methods (OpenRiaServicesOptionsBuilder):

  • AddXmlSerialization(Action<XmlDataContractSerializerOptions>? configure, bool defaultProvider = false) — new overload; existing AddXmlSerialization(bool) delegates to it
  • ConfigureBinarySerialization(Action<BinaryDataContractSerializerOptions> configure) — replaces the default binary provider in-place, preserving shared DataContractCache
builder.Services.AddOpenRiaServices()
    .ConfigureBinarySerialization(o =>
    {
        o.ReaderQuotas = new XmlDictionaryReaderQuotas { MaxStringContentLength = 1 * 1024 * 1024 };
    })
    .AddXmlSerialization(o =>
    {
        o.ReaderQuotas = new XmlDictionaryReaderQuotas { MaxStringContentLength = 1 * 1024 * 1024 };
    });

Internal wiring

  • BinaryMessageReader.Rent() accepts XmlDictionaryReaderQuotas and applies them on every call (thread-static cache remains safe — SetInput reinitializes with the provided quotas each time)
  • DataContractRequestSerializer stores _readerQuotas from its provider's options and passes them through to BinaryMessageReader.Rent()
  • BinaryXmlSerializationProvider / TextXmlSerializationProvider each hold their own options instance and pass it to every created serializer
  • DataContractSerializationProvider.CopyDataContractCacheFrom() replaces direct internal-field access for cache sharing

Copilot AI linked an issue May 19, 2026 that may be closed by this pull request
AspNetCore: Add DataContractSerializer options #577
Open
Copilot AI and others added 5 commits May 19, 2026 21:27
@Daniel-Svensson
Add DataContractSerializer options for configuring XML/binary reader …
46c212b 
…quotas

Agent-Logs-Url: https://github.com/OpenRIAServices/OpenRiaServices/sessions/5a0cc47c-e686-4199-838a-29c01beb0bcf

Co-authored-by: Daniel-Svensson <3167509+Daniel-Svensson@users.noreply.github.com>
@Daniel-Svensson
Remove accidentally committed environment-specific symlinks
f4c2372 
Agent-Logs-Url: https://github.com/OpenRIAServices/OpenRiaServices/sessions/5a0cc47c-e686-4199-838a-29c01beb0bcf

Co-authored-by: Daniel-Svensson <3167509+Daniel-Svensson@users.noreply.github.com>
@Daniel-Svensson
Address code review: use encapsulated cache transfer method, remove u…
6aacce5 
…nused helpers

Agent-Logs-Url: https://github.com/OpenRIAServices/OpenRiaServices/sessions/5a0cc47c-e686-4199-838a-29c01beb0bcf

Co-authored-by: Daniel-Svensson <3167509+Daniel-Svensson@users.noreply.github.com>
@Daniel-Svensson
Remove committed symlinks and add them to .gitignore
3f1dfdf 
Agent-Logs-Url: https://github.com/OpenRIAServices/OpenRiaServices/sessions/5a0cc47c-e686-4199-838a-29c01beb0bcf

Co-authored-by: Daniel-Svensson <3167509+Daniel-Svensson@users.noreply.github.com>
@Daniel-Svensson
Fix minor review comments: improve doc wording and DoS acronym in README
ac7fd06 
Agent-Logs-Url: https://github.com/OpenRIAServices/OpenRiaServices/sessions/5a0cc47c-e686-4199-838a-29c01beb0bcf

Co-authored-by: Daniel-Svensson <3167509+Daniel-Svensson@users.noreply.github.com>
Copilot AI changed the title [WIP] Add DataContractSerializer options to ASP.NET Core AspNetCore: Add DataContractSerializer options for configurable reader quotas May 19, 2026
Copilot AI requested a review from Daniel-Svensson May 19, 2026 21:32
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 19, 2026

Quality Gate Passed Quality Gate passed

Issues
6 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Daniel-Svensson Daniel-Svensson Awaiting requested review from Daniel-Svensson

Assignees

@Daniel-Svensson Daniel-Svensson

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

AspNetCore: Add DataContractSerializer options

2 participants

@Daniel-Svensson