Use safe default settings for Newtonsoft.Json 12.X and below

Setting `JsonSerializerSettings.MaxDepth` manually for custom serializing options to avoid requiring to upgrade Newtonsoft.Json to 13.0.1 version where GHSA-5crp-9r3c-p9vr is not present. Relates to #2468
HangfireIO · Nov 26, 2024 · bc48bae · bc48bae
1 parent 484594c
commit bc48bae
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/Hangfire.Core/Common/SerializationHelper.cs b/src/Hangfire.Core/Common/SerializationHelper.cs
@@ -216,6 +216,7 @@ internal static JsonSerializerSettings GetInternalSettings()
             serializerSettings.DefaultValueHandling = DefaultValueHandling.IgnoreAndPopulate;
             serializerSettings.NullValueHandling = NullValueHandling.Ignore;
             serializerSettings.CheckAdditionalContent = true; // Default option in JsonConvert.Deserialize method
+            serializerSettings.MaxDepth = 128;
 #if NETSTANDARD2_0
             serializerSettings.SerializationBinder = new TypeHelperSerializationBinder();
 #else
@@ -234,6 +235,7 @@ private static JsonSerializerSettings GetLegacyTypedSerializerSettings()
         {
             var serializerSettings = new JsonSerializerSettings();
             serializerSettings.TypeNameHandling = TypeNameHandling.Objects;
+            serializerSettings.MaxDepth = 128;
 
             SetSimpleTypeNameAssemblyFormat(serializerSettings);