ironic.api.middleware.json_depth module

Middleware to reject oversized or excessively nested JSON bodies.

Python’s json.loads() uses recursive descent parsing. A maliciously crafted deeply-nested payload can exhaust the call stack and crash the API worker process with a RecursionError. This middleware checks the Content-Length header and scans the raw request body bytes iteratively before any JSON parser runs, rejecting payloads that exceed a configurable body size or nesting depth.

class ironic.api.middleware.json_depth.JsonDepthMiddleware(app, max_depth=25, max_body_size=None, max_provision_size=None, max_inspection_size=None)

Bases: object

Reject JSON request bodies that are too large or too deeply nested.

__call__(environ, start_response)

Call self as a function.

ironic.api.middleware.json_depth.check_depth(raw, max_depth)

Check that JSON nesting depth does not exceed max_depth.

Scans raw bytes iteratively with no recursion. Tracks string boundaries and escape sequences so that brackets inside JSON string values are not counted.

Parameters:
  • raw – Raw JSON bytes.

  • max_depth – Maximum allowed nesting depth.

Returns:

True if depth is within the limit, False otherwise.
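
The following is an added sketch of the kind of scan check_depth describes, not Ironic's own source. The name depth_within_limit and the sample bodies are constructed for illustration; it shows why string and escape tracking matter when counting brackets.

```python
# Byte values of the JSON characters the scan cares about.
_OPEN = frozenset(b"[{")
_CLOSE = frozenset(b"]}")
_QUOTE = ord('"')
_BACKSLASH = ord("\\")


def depth_within_limit(raw: bytes, max_depth: int) -> bool:
    """Return True if bracket nesting in raw never exceeds max_depth.

    Hypothetical helper: single pass, no recursion, no JSON parsing.
    """
    depth = 0
    in_string = False
    escaped = False
    for byte in raw:
        if in_string:
            if escaped:
                escaped = False        # byte after a backslash is literal
            elif byte == _BACKSLASH:
                escaped = True
            elif byte == _QUOTE:
                in_string = False      # unescaped quote closes the string
        elif byte == _QUOTE:
            in_string = True
        elif byte in _OPEN:
            depth += 1
            if depth > max_depth:
                return False           # stop early, before any parser runs
        elif byte in _CLOSE:
            # Clamp at zero so stray closers in malformed input cannot
            # "buy" extra depth for brackets that follow.
            depth = max(depth - 1, 0)
    return True


# Constructed sample bodies.
NESTED = b"[" * 100_000 + b"]" * 100_000       # deep enough to exhaust a recursive parser
ESCAPED_QUOTE = b'{"a": "x\\"[[[[", "b": [1]}'  # \" must not end the string early

if __name__ == "__main__":
    print(depth_within_limit(NESTED, 25))
    print(depth_within_limit(ESCAPED_QUOTE, 2))
```

A scanner that ignored escapes would treat the `\"` in the second body as the end of the string and count the four brackets that follow, rejecting a body whose real depth is 2.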