From 26555064dce0eed24b7393a335c1c3ed7a478bd4 Mon Sep 17 00:00:00 2001
From: Dmitry Dzygin
Date: Tue, 13 Sep 2022 13:58:27 +0200
Subject: [PATCH 1/2] CompositeSerializationBinder: performing type check on generic type arguments
---
 .../CompositeSerializationBinder.cs | 25 +++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/Composite/Core/Serialization/CompositeSerializationBinder.cs b/Composite/Core/Serialization/CompositeSerializationBinder.cs
index 987401fc4..0c563974e 100644
--- a/Composite/Core/Serialization/CompositeSerializationBinder.cs
+++ b/Composite/Core/Serialization/CompositeSerializationBinder.cs
@@ -45,19 +45,30 @@ public override Type BindToType(string assemblyName, string typeName)
 var type = base.BindToType(assemblyName, typeName);
- if (!TypeIsSupported(assemblyName, typeName, type))
- {
- throw new NotSupportedException($"Not supported object type '{typeName}'");
- }
+ VerityTypeIsSupported(new AssemblyName(assemblyName), typeName, type);
 return type;
 }
- private bool TypeIsSupported(string assemblyName, string typeName, Type type)
+ private void VerityTypeIsSupported(AssemblyName assemblyName, string typeFullName, Type type)
 {
- assemblyName = new AssemblyName(assemblyName).Name;
+ if (!TypeIsSupported(assemblyName, typeFullName, type))
+ {
+ throw new NotSupportedException($"Not supported object type '{typeFullName}'");
+ }
- if (assemblyName == typeof(object).Assembly.GetName().Name /* "mscorlib" */)
+ if (type.IsGenericType)
+ {
+ foreach (var typeArgument in type.GetGenericArguments())
+ {
+ VerityTypeIsSupported(typeArgument.Assembly.GetName(), typeArgument.FullName, typeArgument);
+ }
+ }
+ }
+
+ private bool TypeIsSupported(AssemblyName assemblyName, string typeName, Type type)
+ {
+ if (assemblyName.Name == typeof(object).Assembly.GetName().Name /* "mscorlib" */)
 {
 var dotOffset = typeName.LastIndexOf(".", StringComparison.Ordinal);
 if (dotOffset > 0)
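Review bot: The new generic-argument recursion in VerityTypeIsSupported is skipped whenever the bound type is an array, pointer or by-ref wrapper, because `Type.IsGenericType` is false for a type like `List<Foo>[]` and only its element type carries the generic arguments; whether such a `$type` still gets caught then depends entirely on TypeIsSupported's string handling, whose body continues past the end of this hunk. Unwrapping before the check closes that gap: `while (type.HasElementType) { type = type.GetElementType(); }` placed directly above `if (type.IsGenericType)`, and the same unwrap applies to each `typeArgument` before recursing. Separately, `typeArgument.FullName` is null for an unbound generic parameter (a generic type definition reaching this path), so the recursion would pass null into TypeIsSupported and the `typeName.LastIndexOf` call in the mscorlib branch would fail with a NullReferenceException instead of the intended NotSupportedException; whether base.BindToType can ever return such a type is not visible here, so either reject `type.ContainsGenericParameters` up front or fall back with `typeArgument.FullName ?? typeArgument.Name`. BindToType's signature and TypeIsSupported's remaining body lie outside the hunk.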
From a68c8387b0acde5bfcb916130cfbb836e0500e76 Mon Sep 17 00:00:00 2001
From: Dmitry Dzygin
Date: Mon, 26 Sep 2022 14:07:06 +0200
Subject: [PATCH 2/2] JSON deserialization settings: limiting MaxDepth to 128
---
 Composite/Core/Serialization/CompositeJsonSerializer.cs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/Composite/Core/Serialization/CompositeJsonSerializer.cs b/Composite/Core/Serialization/CompositeJsonSerializer.cs
index c1f88eebe..9fa8fea2f 100644
--- a/Composite/Core/Serialization/CompositeJsonSerializer.cs
+++ b/Composite/Core/Serialization/CompositeJsonSerializer.cs
@@ -132,7 +132,8 @@ public static T Deserialize(string str)
 var obj = JsonConvert.DeserializeObject(str, new JsonSerializerSettings
 {
 TypeNameHandling = TypeNameHandling.Auto,
- Binder = CompositeSerializationBinder.Instance
+ Binder = CompositeSerializationBinder.Instance,
+ MaxDepth = 128
 });
 return obj;
@@ -168,7 +169,8 @@ public static T Deserialize(params string[] strs)
 var obj = JsonConvert.DeserializeObject(combinedObj.ToString(), new JsonSerializerSettings
 {
 TypeNameHandling = TypeNameHandling.Auto,
- Binder = CompositeSerializationBinder.Instance
+ Binder = CompositeSerializationBinder.Instance,
+ MaxDepth = 128
 });
 return obj;
@@ -184,7 +186,8 @@ public static object Deserialize(string str)
 var obj = JsonConvert.DeserializeObject(str, new JsonSerializerSettings
 {
 TypeNameHandling = TypeNameHandling.Objects,
- Binder = CompositeSerializationBinder.Instance
+ Binder = CompositeSerializationBinder.Instance,
+ MaxDepth = 128
 });
 return obj;
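Review bot: The first hunk repeats the full settings object, and with this patch the `MaxDepth = 128` literal is now copied into three overloads, so a later hardening of one (a different depth, a swap to `SerializationBinder`, an added `TypeNameAssemblyFormatHandling`) will silently miss the others; a single factory keeps them aligned, e.g. `private static JsonSerializerSettings CreateSettings(TypeNameHandling handling) => new JsonSerializerSettings { TypeNameHandling = handling, Binder = CompositeSerializationBinder.Instance, MaxDepth = 128 };` called from each overload. The value also deserves a why-comment, because its meaning depends on the Json.NET version, which is not visible here: before 13.0.1 `MaxDepth` defaults to unlimited and 128 is a real new cap, whereas from 13.0.1 the default is 64 and 128 loosens it; something like `// Explicit nesting cap so untrusted documents cannot drive deep recursion; set deliberately rather than relying on the library default.` records the intent. Deserialize(string str) starts outside the hunk.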
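Review bot: In the second hunk, the params overload applies the depth cap only to the final `combinedObj.ToString()` round-trip, while the step that builds `combinedObj` from the individual input strings lies above the hunk; if that step parses each string (JObject.Parse, JToken.Parse or similar), that parse runs without this MaxDepth, so a deeply nested input is still fully processed once before the capped deserialization and the limit here is largely cosmetic for this overload. If so, the same cap should be applied where the pieces are parsed, for example by loading each string with a `JsonTextReader` whose `MaxDepth` is set to the same value, or by deserializing it to a JObject through the same settings object used here. I cannot confirm how combinedObj is built from the visible lines; Deserialize(params string[] strs) starts outside the hunk.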