
[Flight] Add more DoS mitigations to Flight Reply, and harden Flight #428

Closed
everettbu wants to merge 1 commit into main from flight-dos-mitigations

Conversation

@everettbu


Mirror of facebook/react#35632
Original author: unstubbable


This fixes security vulnerabilities in Server Functions.

Co-authored-by: Josh Story <josh.c.story@gmail.com>
Co-authored-by: Janka Uryga <lolzatu2@gmail.com>
Co-authored-by: Hendrik Liebau <mail@hendrik-liebau.de>
@everettbu everettbu added the CLA Signed and React Core Team (Opened by a member of the React Core Team) labels Jan 26, 2026
@greptile-apps

greptile-apps Bot commented Jan 26, 2026


Greptile Overview

Greptile Summary

This PR implements comprehensive security hardening for React Server Functions to prevent DoS attacks and prototype pollution vulnerabilities. The changes add multiple layers of protection:

Key Security Mitigations:

  • Array nesting limits: Tracks nested array depth/size (default 1M elements) to prevent memory exhaustion from deeply nested structures. Uses NestedArrayContext to track cumulative size across arrays, strings, typed arrays, and BigInts.
  • BigInt size limits: Restricts BigInt values to 300 digits to prevent CPU exhaustion from parsing extremely large numbers.
  • Bound arguments limits: Caps server function bound arguments at 1,000 to prevent resource exhaustion.
  • Prototype pollution prevention: Filters __proto__ keys throughout serialization/deserialization to prevent object prototype manipulation attacks.
  • Forward reference prevention: Rejects forward references in PENDING chunks to prevent circular dependency exploits.
  • Deduplication enforcement: Prevents multiple initialization of Maps, Sets, and Iterators using $$consumed flag to avoid resource amplification.
  • Server reference deduplication: Caches server reference promises to prevent duplicate deserialization overhead.
  • FormData iteration safety: Clones keys before iteration to avoid delete-while-iterating bugs.
  • Stream validation: Validates bytes stream data types to prevent type confusion attacks.

Implementation Quality:

  • Limits are configurable via arraySizeLimit option in all decodeReply functions across all bundler configurations (webpack, turbopack, parcel, esm, unbundled).
  • Error messages are clear and actionable (codes 571-581 added).
  • Changes maintain backward compatibility with optional parameters.
  • Security checks are positioned at the right layer to catch attacks early.

The implementation follows security best practices with defense-in-depth and fail-safe defaults.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - implements critical security hardening for Server Functions
  • The changes implement multiple well-designed DoS mitigations and security hardening measures. All protections follow defense-in-depth principles with configurable limits. The code properly validates inputs, prevents prototype pollution, implements resource consumption limits, and adds deduplication to prevent abuse. The changes are consistent across all bundler configurations and include appropriate error messages.
  • No files require special attention - all changes implement consistent security patterns

Important Files Changed

  • packages/react-server/src/ReactFlightReplyServer.js: Added multiple DoS mitigations: array nesting limits, BigInt size limits, bound args limits, `__proto__` protection, and deduplication of Maps/Sets/Iterators to prevent resource exhaustion attacks
  • packages/react-client/src/ReactFlightClient.js: Added `__proto__` key filtering and improved reference validation to prevent prototype pollution attacks
  • packages/react-server/src/ReactFlightActionServer.js: Added bound args limit validation, duplicate action prevention, and improved server reference loading to prevent DoS attacks
  • packages/react-client/src/ReactFlightReplyClient.js: Added server reference deduplication and `__proto__` warnings to prevent duplicate serialization and prototype pollution
  • packages/react-server/src/ReactFlightServer.js: Added `__proto__` detection and warning when serializing objects to prevent accidental prototype pollution
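The mitigations the bot summary lists above (a cumulative array/string/BigInt size budget, a BigInt digit cap, a bound-argument cap, `__proto__` key rejection, and consume-once rows so a Map row cannot be re-initialised or reference itself) are easier to reason about in a small model than in the Flight source. The following is an added example written for this page, not React's code and not taken from the PR: the `$`-prefixed marker syntax, the names `decodeReply`, `SizeBudget` and `takeChunk`, and the `{serverReferenceId, bound}` shape are this example's own assumptions. Only the option name `arraySizeLimit` and the three default figures come from the summary.

```javascript
// Added illustration, not React's code. Defaults are the figures quoted in the
// PR summary; the option names other than arraySizeLimit are assumptions.
const DEFAULT_LIMITS = Object.freeze({
  arraySizeLimit: 1_000_000,  // cumulative elements, chars and digits per reply
  bigIntDigitLimit: 300,      // longest BigInt the decoder will parse
  boundArgsLimit: 1000,       // most bound arguments on one server reference
});

// One budget shared by every array, string and BigInt in a reply, so many
// small nested arrays cannot add up to unbounded memory.
class SizeBudget {
  constructor(limit) { this.limit = limit; this.used = 0; }
  charge(n) {
    this.used += n;
    if (this.used > this.limit) {
      throw new RangeError(`reply exceeds arraySizeLimit (${this.limit})`);
    }
  }
}

// Mark a row consumed before its contents are decoded: a second reference to
// the same row, including a row that transitively references itself, fails
// here instead of amplifying work or recursing forever.
function takeChunk(id, ctx) {
  const chunk = ctx.chunks.get(id);
  if (chunk === undefined) throw new ReferenceError(`unknown row ${id}`);
  if (chunk.consumed) throw new Error(`row ${id} already consumed`);
  chunk.consumed = true;
  return JSON.parse(chunk.raw);
}

// Strings beginning with '$' are typed markers (this example's own encoding):
//   '$$...'  literal string whose first character is '$'
//   '$n...'  BigInt written as decimal digits
//   '$Q<id>' Map built from row <id>, which must hold [key, value] pairs
//   '$F<id>' server reference; row <id> holds {id, bound}
function decodeString(s, ctx) {
  if (s[0] !== '$') { ctx.budget.charge(s.length); return s; }
  if (s.startsWith('$$')) {
    const literal = s.slice(1);
    ctx.budget.charge(literal.length);
    return literal;
  }
  if (s.startsWith('$n')) {
    const digits = s.slice(2);
    if (!/^-?\d+$/.test(digits)) throw new SyntaxError('malformed BigInt');
    // Length is checked before BigInt() runs, so parsing cost stays bounded.
    if (digits.length > ctx.limits.bigIntDigitLimit) {
      throw new RangeError(`BigInt longer than ${ctx.limits.bigIntDigitLimit} digits`);
    }
    ctx.budget.charge(digits.length);
    return BigInt(digits);
  }
  if (s.startsWith('$Q')) {
    const entries = decodeValue(takeChunk(s.slice(2), ctx), ctx);
    if (!Array.isArray(entries) || !entries.every((e) => Array.isArray(e) && e.length === 2)) {
      throw new SyntaxError('Map row must be an array of [key, value] pairs');
    }
    return new Map(entries);
  }
  if (s.startsWith('$F')) {
    const ref = decodeValue(takeChunk(s.slice(2), ctx), ctx);
    if (ref === null || typeof ref !== 'object' ||
        typeof ref.id !== 'string' || !Array.isArray(ref.bound)) {
      throw new SyntaxError('server reference row must be {id, bound}');
    }
    if (ref.bound.length > ctx.limits.boundArgsLimit) {
      throw new RangeError(`more than ${ctx.limits.boundArgsLimit} bound arguments`);
    }
    return { serverReferenceId: ref.id, bound: ref.bound };
  }
  throw new SyntaxError(`unknown marker ${JSON.stringify(s.slice(0, 2))}`);
}

function decodeValue(value, ctx) {
  if (typeof value === 'string') return decodeString(value, ctx);
  if (Array.isArray(value)) {
    ctx.budget.charge(value.length);
    return value.map((v) => decodeValue(v, ctx));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      // JSON.parse keeps "__proto__" as an own property, but assigning
      // out['__proto__'] would replace the prototype of the copy, so refuse it.
      if (key === '__proto__') throw new SyntaxError('__proto__ key rejected');
      out[key] = decodeValue(value[key], ctx);
    }
    return out;
  }
  return value;  // number, boolean or null
}

// rows: ordered [key, rawJson] pairs as they would arrive in the reply body;
// row "0" is the root. Returns the decoded root value.
function decodeReply(rows, limits = DEFAULT_LIMITS) {
  const chunks = new Map(rows.map(([key, raw]) => [key, { raw, consumed: false }]));
  const ctx = { limits, budget: new SizeBudget(limits.arraySizeLimit), chunks };
  return decodeValue(takeChunk('0', ctx), ctx);
}
```

The two design points worth carrying over to any decoder of client-supplied structured data: charge a single budget for every allocation the input can force (not per array, or a few thousand small arrays walk around a per-array cap), and mark a referenced row consumed before decoding it, which makes both duplicate consumption and reference cycles fail on the first check rather than after the work has been done.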

@greptile-apps greptile-apps Bot left a comment: No files reviewed, no comments

@everettbu (Author)

Upstream PR was closed or merged. Code is synced via branch mirror.

@everettbu everettbu closed this Jan 26, 2026
@everettbu everettbu deleted the flight-dos-mitigations branch January 26, 2026 20:15