Set max depth for JSON serializer to mitigate known DOS vulnerability (…

…#902) The other option is to update Newtonsoft.Json, which now also sets the maximum depth by default, but this mitigates without having to update.
OmniSharp · Dec 2, 2022 · 7fd2219 · 7fd2219
1 parent 974709d
commit 7fd2219
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/JsonRpc/Serialization/SerializerBase.cs b/src/JsonRpc/Serialization/SerializerBase.cs
@@ -19,7 +19,7 @@ protected virtual JsonSerializer CreateSerializer()
 
         protected virtual JsonSerializerSettings CreateSerializerSettings()
         {
-            var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings();
+            var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings { MaxDepth = 128 };
             AddOrReplaceConverters(settings.Converters);
             return _settings = settings;
         }