Allow specifying a maximum recursion for the deserializer #1072

Merged
EdwardCooke merged 8 commits into master from deserializer-max-recursion
Apr 9, 2026
Conversation

@aaubry (Owner) commented Jan 5, 2026

This adds a WithMaximumRecursion method to DeserializerBuilder. It allows limiting the maximum allowed depth when deserializing a document. This is particularly useful when parsing untrusted YAML, as allowing unbounded depth may lead to a stack overflow which might crash the process.

The signature of the method is the same as the one on SerializerBuilder, but in this case there is no default limit as adding one would be a breaking change.

I did reuse the existing RecursionLevel class to control the recursion but had to make a few adjustments as I felt it was useful to have the start and end markers in the exception. It was also necessary to add an overload to the SerializerState class to enable constructors with parameters.

I have added a few tests for both methods since the one on SerializerBuilder didn't have any.
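The following is an added usage example, not code from this PR or from the YamlDotNet project. It shows how a consumer would apply the WithMaximumRecursion option described above to bound nesting depth when deserializing YAML from an untrusted source. Assumptions: the package namespaces are YamlDotNet.Core and YamlDotNet.Serialization, the method is WithMaximumRecursion(int) on DeserializerBuilder as the description states, and the depth violation surfaces as a YamlDotNet.Core.YamlException (or a subclass of it) carrying the start and end marks the description mentions; the depth value 64 and the nested-sequence input are constructed for the example.

```csharp
// Added example (not part of the PR or the YamlDotNet project): bounding
// nesting depth with WithMaximumRecursion when deserializing untrusted YAML.
// Assumptions: method name WithMaximumRecursion(int) as added by this PR;
// the depth violation surfaces as a YamlDotNet.Core.YamlException (or subclass).
using System;
using System.Text;
using YamlDotNet.Core;
using YamlDotNet.Serialization;

public static class BoundedYamlLoader
{
    // Maximum nesting depth accepted from untrusted sources. The value is a
    // policy choice for this example: generous for legitimate documents, but
    // far below the depth at which recursive deserialization exhausts the stack.
    private const int MaxDepth = 64;

    private static readonly IDeserializer Deserializer = new DeserializerBuilder()
        .WithMaximumRecursion(MaxDepth)   // the option this PR adds
        .Build();

    // Returns the deserialized object graph, or null (with a diagnostic in
    // `error`) when the document is rejected. The caller gets a clean failure
    // it can log and handle instead of a process crash.
    public static object? TryLoad(string yaml, out string? error)
    {
        error = null;
        try
        {
            return Deserializer.Deserialize<object>(yaml);
        }
        catch (YamlException ex)
        {
            // Assumption: the depth error is (a subclass of) YamlException, whose
            // Start/End marks locate the offending position for logging.
            error = $"rejected YAML at {ex.Start}: {ex.Message}";
            return null;
        }
    }

    // Constructed input: a flow sequence nested `depth` levels deep, e.g. [[[]]].
    // Each level costs the attacker one byte to produce and the deserializer
    // one recursive call to process.
    public static string NestedSequence(int depth)
    {
        var sb = new StringBuilder(depth * 2);
        sb.Append('[', depth);
        sb.Append(']', depth);
        return sb.ToString();
    }

    public static void Main()
    {
        // Shallow, well-formed document (constructed config fragment): accepted.
        var ok = TryLoad("server:\n  port: 8080\n  hosts: [a, b]\n", out var err1);
        Console.WriteLine(ok != null ? "shallow document accepted" : err1);

        // Document far deeper than the limit: rejected with an exception rather
        // than by exhausting the stack. Without WithMaximumRecursion a large
        // enough depth terminates the process, since StackOverflowException
        // cannot be caught in .NET.
        var bad = TryLoad(NestedSequence(10_000), out var err2);
        Console.WriteLine(bad == null ? err2 : "unexpectedly accepted");
    }
}
```

The limit is deliberately set per deserializer instance rather than globally, so a service can keep a strict bound on externally supplied documents while leaving internal configuration parsing untouched; since the PR adds no default, every call site that handles untrusted input has to opt in explicitly.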

@EdwardCooke (Collaborator)

Well that build failure is unfortunate. I suspect a breaking change or something in gitversion. Looks like an environment variable can be set to fix that. Not sure appveyor works, but I'll see if I can set something.

@EdwardCooke (Collaborator)

Also, there's a static deserializer builder now that will need to be updated.

@EdwardCooke (Collaborator)

PR build should be fixed again.

@aaubry (Owner, Author) commented Jan 14, 2026

Thanks for the review, I'll work on the comments in the next days.

@skdishansachin (Contributor)

@aaubry,

I also ran into this security issue recently and was about to file a security report when I saw your PR. Great timing!

Since this is a DoS vulnerability that can crash apps via stack overflow, it’d be great to prioritize getting this merged and released. After that, maybe a Security Advisory would help the community know and update safely.

Really appreciate a quick fix!

@skdishansachin (Contributor)

I’ve opened a follow-up PR (#1082) that builds on this and adds the missing StaticDeserializerBuilder.cs changes mentioned in review.

skdishansachin and others added 2 commits March 22, 2026 12:50
@EdwardCooke (Collaborator)

@aaubry the NuGet API key has expired. Can you refresh it?

@fdcastel (Contributor)

#1082 is merged. Can we close this one?
