Skip to content

Limit recursion depth and bump dependencies#2405

Open
hdm wants to merge 4 commits into
mongodb:masterfrom
runZeroInc:master
Open

Limit recursion depth and bump dependencies#2405
hdm wants to merge 4 commits into
mongodb:masterfrom
runZeroInc:master

Conversation

@hdm
Copy link
Copy Markdown

@hdm hdm commented May 31, 2026

Summary

This PR addresses two issues:

  • A BSON response with deeply nested records can trigger a runtime panic (stack overflow)
  • Dependencies needed an update for security warnings

Background & Motivation

A review of the mongo-db-driver found that deeply nested BSON could consume excess resources and trigger a stack overflow. Upon creating the PR, GH complained about the dependencies being out of date.

hdm added 2 commits May 31, 2026 01:14
@hdm
Implement recursion limit in reader
161d186 
Signed-off-by: HD Moore <x@hdm.io>
@hdm
Bump dependencies for security alerts
c18e9e1 
Signed-off-by: HD Moore <x@hdm.io>
Copilot AI review requested due to automatic review settings May 31, 2026 06:20
@hdm hdm requested a review from a team as a code owner May 31, 2026 06:20
@hdm hdm requested a review from prestonvasquez May 31, 2026 06:20
@github-actions github-actions Bot added dependencies Pull requests that update a dependency file review-priority-normal Medium Priority PR for Review: within 1 business day labels May 31, 2026
Copilot AI reviewed May 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a maximum BSON document nesting depth (100) to the value reader to prevent unbounded recursion when decoding deeply nested BSON, with accompanying tests. Also bumps the Go toolchain and several dependency versions.

Changes:

  • Track per-frame nesting depth in valueReader and return errMaxDocumentNestingDepth from ReadDocument, ReadArray, and ReadCodeWithScope when depth exceeds 100.
  • Add tests verifying that overly nested documents and arrays are rejected.
  • Bump go directive to 1.25.0 and upgrade klauspost/compress, golang.org/x/crypto, golang.org/x/sync, and golang.org/x/text.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.

File Description
bson/value_reader.go Adds depth field to vrState, depth-check helper, and threads depth through container/element/value reads.
bson/unmarshal_test.go Adds two tests for rejecting over-deep document and array nesting.
go.mod Bumps minimum Go version to 1.25.0 and upgrades several dependencies.
go.sum Adds checksums for upgraded dependencies.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread go.mod Outdated
Comment thread bson/unmarshal_test.go Outdated
Comment thread bson/unmarshal_test.go Outdated
Comment thread bson/value_reader.go
hdm added 2 commits May 31, 2026 01:37
@hdm
Reverse unintended go version bump
b01ba42 
Signed-off-by: HD Moore <x@hdm.io>
@hdm
Address PR feedback
6031b80 
Signed-off-by: HD Moore <x@hdm.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@prestonvasquez prestonvasquez Awaiting requested review from prestonvasquez prestonvasquez is a code owner automatically assigned from mongodb/dbx-go

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file review-priority-normal Medium Priority PR for Review: within 1 business day

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hdm