Update dependency Newtonsoft.Json to v13 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Newtonsoft.Json (source)	10.0.2 -> 13.0.1

GitHub Vulnerability Alerts

CVE-2024-21907

Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS).

The serialization and deserialization path have different properties regarding the issue.

Deserializing methods (like JsonConvert.DeserializeObject) will process the input that results in burning the CPU, allocating memory, and consuming a thread of execution. Quite high nesting level (>10kk, or 9.5MB of {a:{a:{... input) is needed to achieve the latency over 10 seconds, depending on the hardware.

Serializing methods (like JsonConvert.Serialize or JObject.ToString) will throw StackOverFlow exception with the nesting level of around 20k.

To mitigate the issue one either need to update Newtonsoft.Json to 13.0.1 or set MaxDepth parameter in the JsonSerializerSettings. This can be done globally with the following statement. After that the parsing of the nested input will fail fast with Newtonsoft.Json.JsonReaderException:

JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };

Repro code:

//Create a string representation of an highly nested object (JSON serialized)
int nRep = 25000;
string json = string.Concat(Enumerable.Repeat("{a:", nRep)) + "1" +
 string.Concat(Enumerable.Repeat("}", nRep));

//Parse this object (leads to high CPU/RAM consumption)
var parsedJson = JsonConvert.DeserializeObject(json);

// Methods below all throw stack overflow with nRep around 20k and higher
// string a = parsedJson.ToString();
// string b = JsonConvert.SerializeObject(parsedJson);

Additional affected product and version information

The original statement about the problem only affecting IIS applications is misleading. Any application is affected, however the IIS has a behavior that stops restarting the instance after some time resulting in a harder-to-fix DoS.**

---

Release Notes

JamesNK/Newtonsoft.Json (Newtonsoft.Json)

v13.0.1

Compare Source

• New feature - Add JsonSelectSettings with configuration for a regex timeout
• Change - Remove portable assemblies from NuGet package
• Change - JsonReader and JsonSerializer MaxDepth defaults to 64
• Change - Change InvalidCastException to JsonSerializationException on mismatched JToken
• Fix - Fixed throwing missing member error on ignored fields
• Fix - Fixed various nullable annotations
• Fix - Fixed annotations not being copied when tokens are cloned
• Fix - Fixed naming strategy not being used when deserializing dictionary enum keys
• Fix - Fixed serializing nullable struct dictionaries
• Fix - Fixed JsonWriter.WriteToken to allow null with string token
• Fix - Fixed missing error when deserializing JToken with a contract type mismatch
• Fix - Fixed JTokenWriter when writing comment to an object

v12.0.3

Compare Source

• New feature - Added support for nullable reference types
• New feature - Added KebabCaseNamingStrategy
• Change - Package now uses embedded package icon
• Fix - Fixed bug when merging JToken with itself
• Fix - Fixed performance of calling ICustomTypeDescriptor.GetProperties
• Fix - Fixed serializing Enumerable.Empty and empty arrays on .NET Core 3.0
• Fix - Fixed deserializing some collection types with constructor
• Fix - Fixed deserializing IImmutableSet to ImmutableHashSet instead of ImmutableSortedSet
• Fix - Fixed deserializing IImmutableDictionary to ImmutableDictionary instead of ImmutableSortedDictionary
• Fix - Fixed deserializing into constructors with more than 256 parameters
• Fix - Fixed hang when deserializing JTokenReader with preceding comment
• Fix - Fixed JSONPath scanning with nested indexer
• Fix - Fixed deserializing incomplete JSON object to JObject
• Fix - Fixed using StringEnumConverter with naming strategy and specified values

v12.0.2

Compare Source

• New feature - Added MissingMemberHandling to JsonObjectAttribute and JsonObjectContract
• New feature - Added constructor to JTokenReader to specify initial path
• New feature - Added JsonProperty.IsRequiredSpecified
• New feature - Added JsonContract.InternalConverter
• Change - Moved embedded debug symbols in NuGet package to a symbol package on NuGet.org
• Fix - Fixed deserializing nullable struct collections
• Fix - Fixed memory link when serializing enums to named values
• Fix - Fixed error when setting JsonLoadSettings.DuplicatePropertyNameHandling to Replace

v12.0.1

Compare Source

• New feature - Added NuGet package signing
• New feature - Added Authenticode assembly signing
• New feature - Added SourceLink support
• New feature - Added constructors to StringEnumConverter for setting AllowIntegerValue
• New feature - Added JsonNameTable and JsonTextReader.PropertyNameTable
• New feature - Added line information to JsonSerializationException
• New feature - Added JObject.Property overload with a StringComparison
• New feature - Added JsonMergeSettings.PropertyNameComparison
• New feature - Added support for multiple Date constructors with JavaScriptDateTimeConverter
• New feature - Added support for strict equals and strict not equals in JSON Path queries
• New feature - Added EncodeSpecialCharacters setting to XmlNodeConverter
• New feature - Added trace message for serializing to non-writable properties
• New feature - Added support for NamingStrategy to StringEnumConverter
• New feature - Added JsonLoadSettings.DuplicatePropertyNameHandling setting
• Change - JTokenReader now uses JsonReader.DateTimeZoneHandling setting for date values
• Change - Excluded TargetSite when serializing Exceptions without SerializableAttribute
• Change - Changed StringEnumConverter.ctor(bool camelCaseText) to obsolete
• Change - Changed StringEnumConverter.CamelCaseText to obsolete
• Fix - Fixed incorrect overflow when reading decimal values from JSON
• Fix - Fixed error message when trying to deserialize an abstract serializable type
• Fix - Fixed parsing decimals from a string with an exponent
• Fix - Fixed losing DateTime.Kind when deserializing ISO date strings
• Fix - Fixed calling constructors with ref and in parameters
• Fix - Fixed rare race condition in name table when serializing
• Fix - Fixed unhelpful exception message when unable to convert JSON value to DateTime
• Fix - Fixed error when deserializing empty array in DataTable
• Fix - Fixed deserializing empty string to empty byte array
• Fix - Fixed blank extension data values with required properties and deserializing with constructor
• Fix - Fixed ignored values being set in extension data when deserializing
• Fix - Fixed comparing equal integer and floating point values in JSON Path
• Fix - Fixed BsonReader when reading multiple content
• Fix - Fixed setting extension data with existing key
• Fix - Fixed including array attribute in XML with namespaces when converting JSON to XML
• Fix - Fixed error when serializing ref struct properties by excluding them from serialization

v11.0.2

Compare Source

• Change - Revert DataContractAttribute to not force JSON object serialization (use JsonObjectAttribute instead)
• Fix - Fixed JPropertyDesciptor.GetValue and SetValue to not throw for non-JObject argument
• Fix - Fixed JObject ICustomTypeDescriptor.GetProperty to return the current instance
• Fix - Fixed serializing FileInfo/DirectoryInfo with a JsonConverter in .NET Standard
• Fix - Fixed serializing F# enums
• Fix - Fixed serializing types with multiple members of the same name

v11.0.1

Compare Source

• New feature - Added netstandard2.0 build
• New feature - Added generic JsonConverter
• New feature - Added UnixDateConverter for converting Unix timestaps
• New feature - Added support for regex operator in JSON Paths
• New feature - Added JsonObjectAttribute.ItemNullValueHandling
• New feature - Added JsonObjectContract.ItemNullValueHandling
• New feature - Improved performance when resolving serialization contracts by using ConcurrentDictionary
• New feature - Improved performance of JToken.Path with a faster reverse
• New feature - Improved performance of parsing Int32 JSON integer values
• New feature - Improved performance of parsing and writing enum names
• New feature - Added IgnoreIsSpecifiedMembers to DefaultContractResolver
• New feature - Added IgnoreShouldSerializeMembers to DefaultContractResolver
• New feature - Added support for reading multiple comma delimited values with JsonReader.SupportMultipleContent
• New feature - Improved error message when an object is reused with PreserveReferencesHandling
• New feature - Added IConvertible support to netstandard1.3
• New feature - Added INotifyPropertyChanging support to netstandard1.3
• New feature - Optimized internal buffering when writing very large strings
• New feature - JObject.ContainsKey is now public
• New feature - Improved the error message when serialized ByRef properties
• New feature - Improved the error message when serializing FileInfo/DictionaryInfo without ISerializable
• New feature - Improved the error message when failing conversion in JsonReader.ReadAsInt32 and JsonReader.ReadAsDecimal
• New feature - Improved the error message when deserializing badly formatted regex strings
• Change - Types that implement ISerializable but don't have [SerializableAttribute] are not serialized using ISerializable
• Change - Changed JsonProperty.MemberConverter to obsolete
• Change - Changed camel casing logic for all caps words to not leave last character capitalized
• Change - Changed enum serialization in dictionary keys to use EnumMemberAttribute
• Fix - Fixed converting default datetime in JSON to XML on netstandard1.3
• Fix - Fixed deserializing ObservableCollection in .NET Core 2.0
• Fix - Fixed incorrectly allowing static IsSpecified properties
• Fix - Fixed not preserving trailing zeros when deserializing decimals
• Fix - Fixed JValue.CompareTo with number and string values
• Fix - Fixed not erroring when reading undefined for nullable long
• Fix - Fixed serializing immutable collections when .NET 4.0 or previous Newtonsoft.Json assembly is GACed
• Fix - Fixed writing null values by XmlNodeConverter and RegexConverter
• Fix - Fixed deserializing with a TraceWriter when the reader is not at the start
• Fix - Fixed TraceJsonWriter.WriteValue(object) writing value twice
• Fix - Fixed deserializing with constructor and readonly collection property
• Fix - Fixed error when writing unknown null value as JSON
• Fix - Fixed merging null string values
• Fix - Fixed missing CancellationToken usages in JsonTextWriter.WriteAsync
• Fix - Fixed error with JsonSerializer.Populate and comments in JSON array
• Fix - Fixed error handling when deserializing certain dictionary and lists
• Fix - Fixed serializing collection that is nullable
• Fix - Fixed JsonTextReader sync read in async method
• Fix - Fixed JsonConverter not called when target type is list and token is a string
• Fix - Fixed serializing a property that is defined in multiple interfaces
• Fix - Fixed error when deserializing null value into ConcurrentDictionary
• Fix - Fixed escaping special characters in generated JSON Paths
• Fix - Fixed reading escaped special characters in JSON Paths
• Fix - Fixed using extension data with dictionary that explicitly implements Add method
• Fix - Fixed parsing enum name to exact casing value before falling back to case-insensitive value
• Fix - Fixed DataContractAttribute not forcing object serialization of classes
• Fix - Fixed bug when deserializing into existing non-IList collection
• Fix - Fixed bug when deserializing into existing non-IDictionary collection
• Fix - Fixed JsonReader.ReadAsInt32 with BigInteger values

v10.0.3

Compare Source

• New feature - Added support for deserializing XmlElement, XmlNode, XObject, XNode and XContainer with XmlNodeConverter
• Change - MinClientVersion 2.12 added to NuGet package to restrict to compatible clients
• Fix - Fixed JsonSerializer.Binder to not throw an error when binder instance is compatible
• Fix - Fixed stack overflow when deserializing incomplete JSON to XML
• Fix - Fixed JSON Path recursive descent queries
• Fix - Fixed serializing ConcurrentDictionary in .NET Core 2.0
• Fix - Fixed serializing ConcurrentStack/Queue/Bag
• Fix - Fixed MemoryTraceWriter thread safety
• Fix - Fixed JSON Path root filter sometimes not correctly returning root token
• Fix - Fixed properties with JsonIgnore not being ignored with ItemRequired
• Fix - Fixed JToken.Load not reading past comment when CommentHandling is Ignore
• Fix - Fixed JsonReader.ReadAsDecimal with a JValue containing a BigInteger value
• Fix - Fixed converting JSON values to XML attributes to ignore current culture
• Fix - Fixed converting JSON byte array data to XML
• Fix - Fixed reading some types from KeyValuePairConverter incorrectly
• Fix - Fixed comparing high precision decimal JValues
• Fix - Fixed JsonWriter.WriteToken(JsonReader) not erroring on incomplete token
• Fix - Fixed not preventing negative integers with StringEnumConverters.AllowIntegerValues

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud