On this link, in the remarks section, it's mentioned that:

    TypeNameHandling should be used with caution when your application deserializes JSON from an external source. Incoming types should be validated with a custom SerializationBinder when deserializing with a value other than TypeNameHandling.None.

In what cases would JSON from an external source be harmful if serialized/deserialized with TypeNameHandling.All? A working example would be appreciated.
This sample uses the TypeNameHandling setting to include type information when serializing JSON, and to read that type information so that the correct types are created when deserializing JSON.

This rule (CA2326) finds Newtonsoft.Json.TypeNameHandling values other than None. If you want to deserialize only when a Newtonsoft.Json.Serialization.ISerializationBinder is specified to restrict deserialized types, disable this rule and enable rules CA2327, CA2328, CA2329, and CA2330 instead. Use TypeNameHandling's None value if possible.
When deserializing with TypeNameHandling.All and without a SerializationBinder check, Json.NET will try to create an instance of whatever type comes as metadata ("$type") in the JSON.

    public class Car
    {
        public string Maker { get; set; }
        public string Model { get; set; }
    }

    // Incoming JSON: "$type" names the class to instantiate
    { "$type": "Car", "Maker": "Ford", "Model": "Explorer" }
    // creates a Car and sets its property values

But an attacker could send you dangerous types that exist in your code or in the framework.

i.e. from here: System.CodeDom.Compiler.TempFileCollection is a serializable class whose purpose is to maintain a list of temporary files which resulted from a compilation process and delete them when they are no longer needed. To ensure that the files are deleted, the class implements a finalizer that will be called when the object is being cleaned up by the Garbage Collector. An attacker would be able to construct a serialized version of this class which pointed its internal file collection to any file on a victim's system. This will be deleted at some point after deserialization without any interaction from the deserializing application.

    using System.Collections;
    using System.IO;

    [Serializable]
    public class TempFileCollection
    {
        private Hashtable files;
        public bool KeepFiles { get; set; }
        // Other stuff...

        // Finalizer: runs when the GC collects the object, with no call from the app
        ~TempFileCollection()
        {
            if (KeepFiles) { return; }
            foreach (string file in files.Keys)
            {
                File.Delete(file);
            }
        }
    }

    // Attacker-supplied JSON naming the framework type instead of the expected one
    {
      "$type": "System.CodeDom.Compiler.TempFileCollection",
      "BasePath": "%SYSTEMDRIVE",
      "KeepFiles": "False",
      "TempDir": "%SYSTEMROOT%"
    }
    // or something like this, I'm just guessing, but you get the idea
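The following is an added example, not code from the question or the answer above. It shows the two halves of the answer's point in one runnable console program: with TypeNameHandling.All and no binder, the "$type" value in the JSON decides which class gets instantiated, so a client that was supposed to send a Car can make the server construct any other type it can name; with an allow-list ISerializationBinder, anything not explicitly permitted is rejected before construction. The AdminCommand class and the AllowListBinder are hypothetical names chosen for this example; the only dependency is the Newtonsoft.Json NuGet package (ISerializationBinder exists since Json.NET 10).

```csharp
// Added example (not from the original post). Requires the Newtonsoft.Json package.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class Car
{
    public string Maker { get; set; }
    public string Model { get; set; }
}

// Hypothetical second type in the application: stands in for "any type the
// attacker can name" (an app class with a side-effecting setter, or a
// framework gadget such as the TempFileCollection discussed above).
public class AdminCommand
{
    public string Shell { get; set; }
}

// Allow-list binder: only types registered here may be created from "$type".
// Everything else throws, which Json.NET surfaces as a JsonSerializationException.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        { typeof(Car).FullName, typeof(Car) }
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type))
            return type;
        throw new JsonSerializationException(
            $"Type '{typeName}' is not allowed for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                  // keep payloads free of assembly names
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed "attacker" payload. A real attacker would simply write the
        // "Namespace.Type, Assembly" string literally; we build it from the type so
        // the example resolves regardless of the project/assembly name.
        string hostile =
            "{ \"$type\": \"" + typeof(AdminCommand).AssemblyQualifiedName + "\", " +
            "\"Shell\": \"rm -rf /\" }";

        // 1) Unsafe: TypeNameHandling.All with no binder trusts "$type" blindly.
        var unsafeSettings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All
        };
        object o = JsonConvert.DeserializeObject<object>(hostile, unsafeSettings);
        Console.WriteLine("Unsafe path created: " + o.GetType().FullName); // AdminCommand

        // 2) Safe: same TypeNameHandling, but the binder only admits Car.
        var safeSettings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All,
            SerializationBinder = new AllowListBinder()
        };
        try
        {
            JsonConvert.DeserializeObject<object>(hostile, safeSettings);
            Console.WriteLine("BUG: hostile payload was accepted");
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }

        // 3) The legitimate payload still works through the binder.
        string ok = "{ \"$type\": \"Car\", \"Maker\": \"Ford\", \"Model\": \"Explorer\" }";
        var car = (Car)JsonConvert.DeserializeObject<object>(ok, safeSettings);
        Console.WriteLine("Safe path created: " + car.Maker + " " + car.Model);
    }
}
```

The binder keys on the type name Json.NET has already split off from the assembly part, so an assembly-qualified "$type" from the client does not bypass the check. Note that the allow list is the defence; TypeNameHandling.All is kept in both settings only to isolate its effect. Where the application does not need polymorphic deserialization at all, TypeNameHandling.None (the default) removes the problem entirely, which is what the Microsoft rule quoted above recommends.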