From 7fd2219f194a9ef2a8901bb131c5fa12272305ce Mon Sep 17 00:00:00 2001
From: Andy Jordan <2226434+andschwa@users.noreply.github.com>
Date: Fri, 2 Dec 2022 11:31:07 -0800
Subject: [PATCH] Set max depth for JSON serializer to mitigate known DOS vulnerability (#902)

The other option is to update Newtonsoft.Json, which now also sets the maximum depth by default, but this mitigates without having to update.
---
 src/JsonRpc/Serialization/SerializerBase.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/JsonRpc/Serialization/SerializerBase.cs b/src/JsonRpc/Serialization/SerializerBase.cs
index 868be57c6..b50131e13 100644
--- a/src/JsonRpc/Serialization/SerializerBase.cs
+++ b/src/JsonRpc/Serialization/SerializerBase.cs
@@ -19,7 +19,7 @@ protected virtual JsonSerializer CreateSerializer()
 protected virtual JsonSerializerSettings CreateSerializerSettings()
 {
-    var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings();
+    var settings = JsonConvert.DefaultSettings != null ? JsonConvert.DefaultSettings() : new JsonSerializerSettings { MaxDepth = 128 };
     AddOrReplaceConverters(settings.Converters);
     return _settings = settings;
 }
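Review bot: The depth limit on the added line is only applied in the fallback branch of the conditional, so whenever a host process has installed `JsonConvert.DefaultSettings` the settings returned by that delegate are used with no `MaxDepth` at all and the mitigation this commit describes is silently skipped. Apply the limit to whichever settings object is chosen, e.g. keep `new JsonSerializerSettings()` in the conditional and follow it with `settings.MaxDepth ??= 128;` (or an equivalent null check if the project targets a C# version without `??=`), which also respects an explicit limit a host has already configured. A short comment such as `// Bound nesting depth so a deeply nested message cannot exhaust the stack during deserialization.` would record why the value is there. Note also that this setting only governs deserialization that goes through the serializer created from these settings; if the transport reads messages with a `JsonTextReader` or `JToken.Load` directly, that reader's own `MaxDepth` would need the same bound, which cannot be confirmed from this hunk.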