From bc48baedcc0ec5f15f2aac2c70168dce97d2077c Mon Sep 17 00:00:00 2001
From: Sergey Odinokov
Date: Tue, 26 Nov 2024 09:45:43 +0700
Subject: [PATCH] Use safe default settings for Newtonsoft.Json 12.X and below
Setting `JsonSerializerSettings.MaxDepth` manually for custom serializing options to avoid requiring to upgrade Newtonsoft.Json to 13.0.1 version where https://github.com/advisories/GHSA-5crp-9r3c-p9vr is not present.
Relates to #2468
---
 src/Hangfire.Core/Common/SerializationHelper.cs | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/Hangfire.Core/Common/SerializationHelper.cs b/src/Hangfire.Core/Common/SerializationHelper.cs
index 9747e854f..055952b35 100644
--- a/src/Hangfire.Core/Common/SerializationHelper.cs
+++ b/src/Hangfire.Core/Common/SerializationHelper.cs
@@ -216,6 +216,7 @@ internal static JsonSerializerSettings GetInternalSettings()
 serializerSettings.DefaultValueHandling = DefaultValueHandling.IgnoreAndPopulate;
 serializerSettings.NullValueHandling = NullValueHandling.Ignore;
 serializerSettings.CheckAdditionalContent = true; // Default option in JsonConvert.Deserialize method
+ serializerSettings.MaxDepth = 128;
 #if NETSTANDARD2_0
 serializerSettings.SerializationBinder = new TypeHelperSerializationBinder();
 #else
@@ -234,6 +235,7 @@ private static JsonSerializerSettings GetLegacyTypedSerializerSettings()
 {
 var serializerSettings = new JsonSerializerSettings();
 serializerSettings.TypeNameHandling = TypeNameHandling.Objects;
+ serializerSettings.MaxDepth = 128;
 SetSimpleTypeNameAssemblyFormat(serializerSettings);
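Review bot: The depth limit is written as a bare `128` on the added line in `GetInternalSettings` and again in `GetLegacyTypedSerializerSettings`, with no comment tying it to the advisory named in the commit message. A shared constant such as `private const int MaxJsonDepth = 128;`, commented `// Caps nesting depth when reading JSON; required on Newtonsoft.Json 12.x and below (GHSA-5crp-9r3c-p9vr)`, would keep the two settings in step and tell a maintainer why the line must stay. Newtonsoft.Json 13.0.1 defaults to 64 as far as I know, so a word on why 128 was chosen would help. Settings objects built outside these two hunks, for example user-supplied ones, are not visible here and should be checked for the same limit.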
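Review bot: The cap added in `GetLegacyTypedSerializerSettings` bounds nesting only; the settings still carry `TypeNameHandling.Objects`, and unlike the `GetInternalSettings` hunk no `SerializationBinder` assignment is visible here. The function body continues past the hunk, so a binder may be set further down, but that should be confirmed. If none is, a comment above the new line would record the remaining exposure, for example `// MaxDepth limits nesting only; type names in the payload are still resolved, so use these settings for trusted storage data only.`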