JasonPatch /3 #35425
Merged
JasonPatch /3 #35425
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@mikekistler pls search for and review |
mikekistler
approved these changes
May 12, 2025
| dotnet add package Microsoft.AspNetCore.JsonPatch.SystemTextJson --prerelease | ||
| ``` | ||
|
|
||
| This package provides a `JsonPatchDocument<T>` class to represent a JSON Patch document for objects of type `T` and custom logic for serializing and deserializing JSON Patch documents using `System.Text.Json`. The key method of the `JsonPatchDocument<T>` class is `ApplyTo`, which applies the patch operations to a target object of type `T`. |
There was a problem hiding this comment.
Once the reference docs for Preview 4 are published, I think we should change the "code-style" references to .NET types to link to the ref docs.
| > [!IMPORTANT] | ||
| > ***This is not an exhaustive list of threats.*** app developers must conduct their own threat model reviews to determine an app-specific comprehensive list and come up with appropriate mitigations as needed. For example, apps which expose collections to patch operations should consider the potential for algorithmic complexity attacks if those operations insert or remove elements at the beginning of the collection. | ||
|
|
||
| By running comprehensive threat models for their own apps and addressing identified threats while following the recommended mitigations below, consumers of these packages can <!-- review removing safely --> integrate JSON Patch functionality into their apps while minimizing security risks. |
| * **Scenario**: A malicious client submits a `copy` operation that duplicates large object graphs multiple times, leading to excessive memory consumption. | ||
| * **Impact**: Potential Out-Of-Memory (OOM) conditions, causing service disruptions. | ||
| * **Mitigation**: | ||
| * Validate incoming JSON Patch documents for size and structure <!-- review my removing: before applying the document --> before calling `ApplyTo`. |
Co-authored-by: Mike Kistler <[email protected]>
This was referenced May 12, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #35373
New JsonPatch Implementation with System.Text.Json
Internal previews