Change JsonReader and JsonSerializer default max depth to 128 (#2462)

JamesNK · web-flow · commit 7e77bbe1becc · 2021-01-31T15:57:06.000+13:00
diff --git a/Src/Newtonsoft.Json.Tests/Serialization/JsonSerializerTest.cs b/Src/Newtonsoft.Json.Tests/Serialization/JsonSerializerTest.cs
@@ -7995,5 +7995,46 @@ public void NullableDoubleEmptyValue()
                 () => JsonConvert.DeserializeObject<EmptyJsonValueTestClass>("{ A: \"\", B: 1, C: 123, D: 1.23, E: , F: null }"),
                 "Unexpected character encountered while parsing value: ,. Path 'E', line 1, position 36.");
         }
+
+        [Test]
+        public void SetMaxDepth_DepthExceeded()
+        {
+            JsonTextReader reader = new JsonTextReader(new StringReader("[[['text']]]"));
+            Assert.AreEqual(128, reader.MaxDepth);
+
+            JsonSerializerSettings settings = new JsonSerializerSettings();
+            Assert.AreEqual(128, settings.MaxDepth);
+            Assert.AreEqual(false, settings._maxDepthSet);
+
+            // Default should be the same
+            Assert.AreEqual(reader.MaxDepth, settings.MaxDepth);
+
+            settings.MaxDepth = 2;
+            Assert.AreEqual(2, settings.MaxDepth);
+            Assert.AreEqual(true, settings._maxDepthSet);
+
+            JsonSerializer serializer = JsonSerializer.Create(settings);
+            Assert.AreEqual(2, serializer.MaxDepth);
+
+            ExceptionAssert.Throws<JsonReaderException>(
+                () => serializer.Deserialize(reader),
+                "The reader's MaxDepth of 2 has been exceeded. Path '[0][0]', line 1, position 3.");
+        }
+
+        [Test]
+        public void SetMaxDepth_DepthNotExceeded()
+        {
+            JsonTextReader reader = new JsonTextReader(new StringReader("['text']"));
+            JsonSerializerSettings settings = new JsonSerializerSettings();
+
+            settings.MaxDepth = 2;
+
+            JsonSerializer serializer = JsonSerializer.Create(settings);
+            Assert.AreEqual(2, serializer.MaxDepth);
+
+            serializer.Deserialize(reader);
+
+            Assert.AreEqual(128, reader.MaxDepth);
+        }
     }
 }
diff --git a/Src/Newtonsoft.Json/JsonReader.cs b/Src/Newtonsoft.Json/JsonReader.cs
@@ -227,6 +227,8 @@ public string? DateFormatString
 
         /// <summary>
         /// Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a <see cref="JsonReaderException"/>.
+        /// A null value means there is no maximum. 
+        /// The default value is <c>128</c>.
         /// </summary>
         public int? MaxDepth
         {
@@ -327,6 +329,7 @@ protected JsonReader()
             _dateTimeZoneHandling = DateTimeZoneHandling.RoundtripKind;
             _dateParseHandling = DateParseHandling.DateTime;
             _floatParseHandling = FloatParseHandling.Double;
+            _maxDepth = 128;
 
             CloseInput = true;
         }
diff --git a/Src/Newtonsoft.Json/JsonSerializer.cs b/Src/Newtonsoft.Json/JsonSerializer.cs
@@ -514,7 +514,7 @@ public virtual CultureInfo Culture
         /// <summary>
         /// Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a <see cref="JsonReaderException"/>.
         /// A null value means there is no maximum.
-        /// The default value is <c>null</c>.
+        /// The default value is <c>128</c>.
         /// </summary>
         public virtual int? MaxDepth
         {
diff --git a/Src/Newtonsoft.Json/JsonSerializerSettings.cs b/Src/Newtonsoft.Json/JsonSerializerSettings.cs
@@ -61,6 +61,7 @@ public class JsonSerializerSettings
         internal static readonly CultureInfo DefaultCulture;
         internal const bool DefaultCheckAdditionalContent = false;
         internal const string DefaultDateFormatString = @"yyyy'-'MM'-'dd'T'HH':'mm':'ss.FFFFFFFK";
+        internal const int DefaultMaxDepth = 128;
 
         internal Formatting? _formatting;
         internal DateFormatHandling? _dateFormatHandling;
@@ -325,11 +326,11 @@ public string DateFormatString
         /// <summary>
         /// Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a <see cref="JsonReaderException"/>.
         /// A null value means there is no maximum.
-        /// The default value is <c>null</c>.
+        /// The default value is <c>128</c>.
         /// </summary>
         public int? MaxDepth
         {
-            get => _maxDepth;
+            get => _maxDepthSet ? _maxDepth : DefaultMaxDepth;
             set
             {
                 if (value <= 0)

Original file line number	Diff line number	Diff line change
`@@ -227,6 +227,8 @@ public string? DateFormatString`
`227`	`227`
`228`	`228`	`/// <summary>`
`229`	`229`	`/// Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a <see cref="JsonReaderException"/>.`
	`230`	`+ /// A null value means there is no maximum.`
	`231`	`+ /// The default value is <c>128</c>.`
`230`	`232`	`/// </summary>`
`231`	`233`	`public int? MaxDepth`
`232`	`234`	`{`
`@@ -327,6 +329,7 @@ protected JsonReader()`
`327`	`329`	`_dateTimeZoneHandling = DateTimeZoneHandling.RoundtripKind;`
`328`	`330`	`_dateParseHandling = DateParseHandling.DateTime;`
`329`	`331`	`_floatParseHandling = FloatParseHandling.Double;`
	`332`	`+ _maxDepth = 128;`
`330`	`333`
`331`	`334`	`CloseInput = true;`
`332`	`335`	`}`
Original file line number	Diff line number	Diff line change
`@@ -514,7 +514,7 @@ public virtual CultureInfo Culture`
`514`	`514`	`/// <summary>`
`515`	`515`	`/// Gets or sets the maximum depth allowed when reading JSON. Reading past this depth will throw a <see cref="JsonReaderException"/>.`
`516`	`516`	`/// A null value means there is no maximum.`
`517`		`- /// The default value is <c>null</c>.`
	`517`	`+ /// The default value is <c>128</c>.`
`518`	`518`	`/// </summary>`
`519`	`519`	`public virtual int? MaxDepth`
`520`	`520`	`{`