fix: DEFAULT_MAX_DEPTH = 512 (#690)

anthony-swirldslabs · web-flow · commit 7060326ac5fb · 2025-11-18T15:26:39.000-08:00
Signed-off-by: Anthony Petrov &lt;anthony@swirldslabs.com&gt;
diff --git a/pbj-core/pbj-runtime/src/main/java/com/hedera/pbj/runtime/Codec.java b/pbj-core/pbj-runtime/src/main/java/com/hedera/pbj/runtime/Codec.java
@@ -25,6 +25,16 @@ public interface Codec<T> {
      */
     int DEFAULT_MAX_SIZE = 2 * 1024 * 1024;
 
+    /**
+     * The default maximum depth of nested messages before the `parse()` method would error out.
+     * The current default value may be slightly high, and it would be ideal to lower it in the future.
+     * However, it's known that serialized data exists that may require a somewhat high value for maxDepth.
+     * Also, the current value is much safer than the previously used Integer.MAX_VALUE.
+     * Applications can always override the maxDepth by supplying an argument to the main `Codec.parse()` method.
+     * The default depth should not be increased beyond the current limit because of the safety concerns.
+     */
+    int DEFAULT_MAX_DEPTH = 512;
+
     /**
      * Parses an object from the {@link ReadableSequentialData} and returns it.
      * <p>
@@ -147,7 +157,7 @@ default T parse(@NonNull Bytes bytes, final boolean strictMode, final int maxDep
      */
     @NonNull
     default T parse(@NonNull ReadableSequentialData input) throws ParseException {
-        return parse(input, false, Integer.MAX_VALUE);
+        return parse(input, false, DEFAULT_MAX_DEPTH);
     }
 
     /**
@@ -175,7 +185,7 @@ default T parse(@NonNull Bytes bytes) throws ParseException {
      */
     @NonNull
     default T parseStrict(@NonNull ReadableSequentialData input) throws ParseException {
-        return parse(input, true, Integer.MAX_VALUE);
+        return parse(input, true, DEFAULT_MAX_DEPTH);
     }
 
     /**
