Set max depth for JSON serializer to mitigate known DOS vulnerability (#902)

andyleejordan · web-flow · commit 7fd2219f194a · 2022-12-02T14:31:07.000-05:00
The other option is to update Newtonsoft.Json, which now also sets the
maximum depth by default, but this mitigates without having to update.
diff --git a/src/JsonRpc/Serialization/SerializerBase.cs b/src/JsonRpc/Serialization/SerializerBase.cs
@@ -19,7 +19,7 @@ protected virtual JsonSerializer CreateSerializer()
 
         protected virtual JsonSerializerSettings CreateSerializerSettings()
         {
-            var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings();
+            var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings { MaxDepth = 128 };
             AddOrReplaceConverters(settings.Converters);
             return _settings = settings;
         }

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ protected virtual JsonSerializer CreateSerializer()`
`19`	`19`
`20`	`20`	`protected virtual JsonSerializerSettings CreateSerializerSettings()`
`21`	`21`	`{`
`22`		`- var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings();`
	`22`	`+ var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings { MaxDepth = 128 };`
`23`	`23`	`AddOrReplaceConverters(settings.Converters);`
`24`	`24`	`return _settings = settings;`
`25`	`25`	`}`