Feature Request
Add configurable deserialization size guardrails in Fory Java for untrusted payloads.
Is your feature request related to a problem? Please describe
There are currently no configurable limits for payload-driven lengths. Untrusted binary/map/list lengths can trigger large allocations and memory pressure.
Describe the solution you'd like
Add two configurable size limits to Java deserialization and enforce them in relevant preallocation-sensitive read paths.
Resolve task:
- Add only two runtime guardrail options: max_binary_size and max_collection_size.
- Enforce max_collection_size for collection and map reads (map uses entry count).
- Enforce max_binary_size for binary byte-length reads.
- Do not add string size checks; string reads are excluded from this requirement.
- Return/throw a deserialization error when a configured limit is exceeded.
Describe alternatives you've considered
Relying only on process-level memory limits and runtime/allocator behavior. This is late-failing and not protocol-aware.
Additional context
Medium: no configurable size guardrails for untrusted payloads (binary/map/list lengths can drive large allocations).
Related locations:
java/fory-core/src/main/java/org/apache/fory/config/Config.java:67
java/fory-core/src/main/java/org/apache/fory/serializer/collection/CollectionLikeSerializer.java:439
java/fory-core/src/main/java/org/apache/fory/serializer/collection/CollectionSerializers.java:84
java/fory-core/src/main/java/org/apache/fory/serializer/collection/MapSerializers.java:63
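
The check this request asks for, as an added example that is not Fory's code: a declared length is validated against its limit before it reaches an allocation. The class `GuardedReader`, its exception and the 4-byte big-endian length prefix are assumptions made for illustration; only the two limit names come from the issue.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

// Added illustration: all class and method names are hypothetical, not Fory's API.
public class GuardedReader {
    static class LimitExceededException extends RuntimeException {
        LimitExceededException(String msg) { super(msg); }
    }
    private final int maxBinarySize;      // mirrors the proposed max_binary_size
    private final int maxCollectionSize;  // mirrors the proposed max_collection_size
    GuardedReader(int maxBinarySize, int maxCollectionSize) {
        this.maxBinarySize = maxBinarySize;
        this.maxCollectionSize = maxCollectionSize;
    }

    // Reject a payload-declared length before anything is sized from it.
    private static int checked(String what, int declared, int limit) {
        if (declared < 0 || declared > limit) {
            throw new LimitExceededException(what + " length " + declared + " outside 0.." + limit);
        }
        return declared;
    }

    byte[] readBinary(ByteBuffer in) {
        int len = checked("binary", in.getInt(), maxBinarySize);
        byte[] out = new byte[len];   // allocation bounded by maxBinarySize
        in.get(out);                  // throws BufferUnderflowException on a short payload
        return out;
    }

    List<byte[]> readBinaryList(ByteBuffer in) {
        int count = checked("collection", in.getInt(), maxCollectionSize);
        List<byte[]> out = new ArrayList<>(count);  // preallocation bounded by maxCollectionSize
        for (int i = 0; i < count; i++) { out.add(readBinary(in)); }
        return out;
    }

    public static void main(String[] args) {
        GuardedReader reader = new GuardedReader(1 << 20, 10_000);
        // Constructed payload: 4 bytes in total, declaring Integer.MAX_VALUE elements.
        ByteBuffer hostile = ByteBuffer.allocate(4).putInt(0, Integer.MAX_VALUE);
        try {
            reader.readBinaryList(hostile);
        } catch (LimitExceededException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the `checked` call, the 4-byte payload in `main` would drive `new ArrayList<>(Integer.MAX_VALUE)` before a single element is read. With both limits set, the worst case for one list is still count times the binary limit, so the two values should be chosen together.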