From 16f7a9e5e36e68c6146cbb03df2c77d2b1c3e047 Mon Sep 17 00:00:00 2001
From: Andy Jordan
Date: Tue, 29 Nov 2022 12:36:56 -0800
Subject: [PATCH] Set max depth for JSON serializer to mitigate known DOS vulnerability

The other option is to update Newtonsoft.Json, which now also sets the maximum depth by default, but this mitigates without having to update.
---
 src/JsonRpc/Serialization/SerializerBase.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/JsonRpc/Serialization/SerializerBase.cs b/src/JsonRpc/Serialization/SerializerBase.cs
index 868be57c6..b50131e13 100644
--- a/src/JsonRpc/Serialization/SerializerBase.cs
+++ b/src/JsonRpc/Serialization/SerializerBase.cs
@@ -19,7 +19,7 @@ protected virtual JsonSerializer CreateSerializer()
 protected virtual JsonSerializerSettings CreateSerializerSettings()
 {
- var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings();
+ var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings { MaxDepth = 128 };
 AddOrReplaceConverters(settings.Converters);
 return _settings = settings;
 }
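Review bot: The `MaxDepth = 128` cap is only applied on the fallback branch of the ternary; when `JsonConvert.DefaultSettings` is non-null the settings come from that process-wide callback and keep Newtonsoft's pre-13.0.1 default of unlimited depth, so the deeply-nested-JSON stack-overflow DoS this commit is meant to close stays reachable on that path. Apply the cap to whichever settings object wins, e.g. `var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings();` followed by `if (settings.MaxDepth == null) { settings.MaxDepth = 128; }` (or an unconditional `settings.MaxDepth = 128;` if the cap is meant to override a host-supplied value rather than just fill in a missing one). The constant also deserves a why-comment so it is not "cleaned up" later: `// Bound nesting depth: a stack overflow on attacker-controlled JSON-RPC input is not catchable in .NET and takes down the whole process.` Note that MaxDepth on the settings only governs readers the serializer itself creates; any JsonTextReader or JToken.Parse call built elsewhere in this assembly would need the same cap, which cannot be seen from this hunk.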