Document JSON listener configuration under important changes (#830)

Document JSON listener configuration under important changes for
versions 1.16.x, 1.18.x, 1.19.x, 1.20.x

Related JIRA task: https://hashicorp.atlassian.net/browse/VAULT-38804

Author: biazmoreira

content/vault/global/partials/important-changes/summary-tables/1_16.mdx

@@ -19,6 +19,7 @@ Introduced | Recommendations | Edition    | Change
 1.16.0     | **Yes**         | All        | [Secrets Sync cannot be activated from chroot namespace](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-cannot-be-activated-from-chroot-namespace)
 1.16.0     | No              | Enterprise | [Secrets Sync now requires setting a one-time flag before use](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-now-requires-setting-a-one-time-flag-before-use)
 1.16.18    | No              | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.16.x/updates/important-changes#strict-azure)
+1.16.25    | No              | All        | [JSON Payload Limits](/vault/docs/v1.16.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_18.mdx

@@ -19,6 +19,7 @@ Introduced | Recommendations | Edition    | Change
 1.18.0     | **Yes**         | All        | [Docker image no longer contains curl](/vault/docs/v1.18.x/updates/important-changes#docker-image-no-longer-contains-curl)
 1.18.2     | **Yes**         | All        | [Anonymous product usage metrics collection](/vault/docs/v1.18.x/updates/important-changes#product-usage-reporting)
 1.18.7     | No              | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.18.x/updates/important-changes#azure-auth-plugin-requires-resource_group_name-vm_name-and-vmss_name-to-match-the-jwt-claims-on-login)
+1.18.14    | No              | All        | [JSON Payload Limits](/vault/docs/v1.18.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_19.mdx

@@ -22,6 +22,7 @@ Introduced | Recommendations | Edition    | Change
 1.19.0     | No              | All        | [RADIUS authentication is no longer case sensitive](/vault/docs/v1.19.x/updates/important-changes#case-sensitive)
 1.19.0     | No              | All        | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/v1.19.x/updates/important-changes#ed25519)
 1.19.1     | **Yes**         | All        | [Strict validation for Azure auth login requests](/vault/docs/v1.19.x/updates/important-changes#strict-azure)
+1.19.9     | No              | All        | [JSON Payload Limits](/vault/docs/v1.19.x/updates/important-changes#json-limits)
 
 
 ### Known issues

content/vault/global/partials/important-changes/summary-tables/1_20.mdx

@@ -14,6 +14,8 @@ Introduced | Recommendations | Edition    | Change
 ---------- | --------------- | ---------- | ------
 1.20.0     | **Yes**         | All        | [Key pair authentication for Snowflake DB secrets engine](/vault/docs/v1.20.x/updates/important-changes#snowflake-keypair-auth)
 1.20.0     | **Yes**         | All        | [Audience warning for Kubernetes authentication roles](#k8-audience-warning)
+1.20.3     | No              | All        | [JSON Payload Limits](/vault/docs/v1.20.x/updates/important-changes#json-limits)
+
 
 
 ### Known issues

content/vault/v1.16.x/content/api-docs/index.mdx

@@ -316,4 +316,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza

content/vault/v1.18.x/content/api-docs/index.mdx

@@ -340,4 +340,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza

content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.16.x.mdx

@@ -2,8 +2,8 @@
 layout: docs
 page_title: Upgrade to Vault 1.16.x - Guides
 description: |-
-  Deprecations, important or breaking changes, and remediation recommendations
-  for anyone upgrading to 1.16.x from Vault 1.15.x.
+    Deprecations, important or breaking changes, and remediation recommendations
+    for anyone upgrading to 1.16.x from Vault 1.15.x.
 ---
 
 # Overview
@@ -18,6 +18,31 @@ Vault 1.15. **Please read carefully**.
 
 ## Important changes
 
+### JSON Payload Limits ((#json-limits))
+
+| Change       | Affected version                 | Vault edition |
+|--------------|----------------------------------|---------------|
+| New behavior | 1.16.25, 1.18.14, 1.19.9, 1.20.3 | All           |
+|              |                                  |               |
+|              |                                  |               |
+
+To guard against potential Denial-of-Service (DoS) attacks, Vault now supports
+several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
+
 ### Strict validation for Azure auth login requests ((#strict-azure))
 
 | Change       | Affected version
@@ -54,9 +79,9 @@ more details on plugin environment variables.
 
 <Highlight title="Avoid conflicts with containerized plugins">
 
-  Containerized plugins do not inherit system-defined environment variables. As
-  a result, containerized plugins cannot have conflicts with Vault environment
-  variables.
+    Containerized plugins do not inherit system-defined environment variables. As
+    a result, containerized plugins cannot have conflicts with Vault environment
+    variables.
 
 </Highlight>
 
@@ -73,10 +98,10 @@ $ export VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING=true
 Setting `VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING` to `true` tells Vault to:
 
 1. prioritize environment variables from the Vault server environment whenever
-   the system detects a variable conflict.
+the system detects a variable conflict.
 1. report on plugin variable conflicts during the unseal process by printing
-   warnings for plugins with conflicting environment variables or logging an
-   informational entry when there are no conflicts.
+warnings for plugins with conflicting environment variables or logging an
+informational entry when there are no conflicts.
 
 For example, assume you set `VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING` to `true`
 and have an environment variable `SOURCE=parent`.
@@ -136,14 +161,14 @@ endpoint, will result in the following warning from Vault:
 
 <CodeBlockConfig hideClipboard>
 
-  ```shell-session
+    ```shell-session
 
-  WARNING! The following warnings were returned from Vault:
+    WARNING! The following warnings were returned from Vault:
 
-  * default_report_months is deprecated: defaulting to billing start time
+    * default_report_months is deprecated: defaulting to billing start time
 
 
-  ```
+    ```
 
 </CodeBlockConfig>
 
@@ -155,14 +180,15 @@ Attempts to set `current_billing_period` will result in the following warning fr
 
 <CodeBlockConfig hideClipboard>
 
-  ```shell-session
+    ```shell-session
 
-  WARNING! The following warnings were returned from Vault:
+    WARNING! The following warnings were returned from Vault:
 
-  * current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing period
+    * current_billing_period is deprecated; unless otherwise specified, all requests will default to the current billing
+    period
 
 
-  ```
+    ```
 
 </CodeBlockConfig>
 

content/vault/v1.18.x/content/docs/upgrading/upgrade-to-1.18.x.mdx

@@ -18,6 +18,30 @@ Vault 1.17. **Please read carefully**.
 
 ## Important changes
 
+### JSON Payload Limits ((#json-limits))
+
+| Change       | Affected version                 | Vault edition |
+|--------------|----------------------------------|---------------|
+| New behavior | 1.16.25, 1.18.14, 1.19.9, 1.20.3 | All           |
+|              |                                  |               |
+|              |                                  |               |
+
+To guard against potential Denial-of-Service (DoS) attacks, Vault now supports
+several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 ### Rekey cancellations use a nonce ((#rekey-cancel-nonce))
 | Change       | Affected version | Affected deployments
 | ------------ | ---------------- | --------------------

content/vault/v1.19.x/content/api-docs/index.mdx

@@ -340,4 +340,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza

content/vault/v1.19.x/content/docs/updates/important-changes.mdx

@@ -22,6 +22,30 @@ before upgrading Vault.
 
 ## New behavior
 
+### JSON Payload Limits ((#json-limits))
+
+| Change       | Affected version                 | Vault edition |
+|--------------|----------------------------------|---------------|
+| New behavior | 1.16.25, 1.18.14, 1.19.9, 1.20.3 | All           |
+|              |                                  |               |
+|              |                                  |               |
+
+To guard against potential Denial-of-Service (DoS) attacks, Vault now supports
+several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 ### Transit support for Ed25519ph and Ed25519ctx signatures ((#ed25519))
 
 | Change       | Affected version | Fixed version