Problem description

On this link, in the remarks section it's mentioned that:

TypeNameHandling should be used with caution when your application deserializes JSON from an external source. Incoming types should be validated with a custom SerializationBinder when deserializing with a value other than TypeNameHandling.None.

In what cases would JSON from an external source be harmful if serialized/deserialized with TypeNameHandling.All? A working example would be appreciated.
Recommended answer

When deserializing with TypeNameHandling.All and without SerializationBinder checks, json.net will try to create an instance of the type that comes as metadata in the JSON.
public class Car
{
    public string Maker { get; set; }
    public string Model { get; set; }
}

{
    "$type": "Car",
    "Maker": "Ford",
    "Model": "Explorer"
} // create a Car and set property values
But an attacker could send you dangerous types that exist in your code or in the framework.

i.e. from here: System.CodeDom.Compiler.TempFileCollection is a serializable class whose purpose is to maintain a list of temporary files which resulted from a compilation process and delete them when they are no longer needed. To ensure that the files are deleted the class implements a finalizer that will be called when the object is being cleaned up by the Garbage Collector. An attacker would be able to construct a serialized version of this class which pointed its internal file collection to any file on a victim's system. This will be deleted at some point after deserialization without any interaction from the deserializing application.
using System;
using System.Collections;
using System.IO;

[Serializable]
public class TempFileCollection
{
    private Hashtable files;
    public bool KeepFiles { get; set; } // present on the real class; shown here so the finalizer below compiles
    // Other stuff...
    ~TempFileCollection()
    {
        if (KeepFiles) { return; }
        foreach (string file in files.Keys)
        {
            File.Delete(file);
        }
    }
}

{
    "$type": "System.CodeDom.Compiler.TempFileCollection",
    "BasePath": "%SYSTEMDRIVE",
    "KeepFiles": "False",
    "TempDir": "%SYSTEMROOT%"
} // or something like this, I'm just guessing but you get the idea
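The mitigation the quoted documentation asks for, as an added example (not code from the question or the answer above): a custom ISerializationBinder that resolves only an allow-list of types, so a "$type" naming anything else is refused before Json.NET instantiates it. It assumes the Newtonsoft.Json package (10.0 or later, where ISerializationBinder exists), reuses the Car class from the answer, and the two JSON payloads are constructed for the demonstration.

```csharp
// Added example: allow-list SerializationBinder for TypeNameHandling.All.
// Assumes Newtonsoft.Json 10.0+; Car is the class from the answer above.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class Car
{
    public string Maker { get; set; }
    public string Model { get; set; }
}

// Json.NET calls BindToType for every "$type" value it meets while reading;
// returning a Type lets that object be created, throwing refuses it.
public sealed class KnownTypesBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed;

    public KnownTypesBinder(IEnumerable<Type> allowed)
    {
        _allowed = new Dictionary<string, Type>(StringComparer.Ordinal);
        foreach (var t in allowed)
            _allowed[t.Name] = t; // keys match the short names BindToName emits
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var type))
            return type;
        // Not on the list: refuse. Json.NET reports this as a JsonSerializationException.
        throw new JsonSerializationException(
            $"Type '{typeName}' is not allowed for deserialization.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;            // no assembly part, so "$type" is just "Car"
        typeName = serializedType.Name;
    }
}

public static class Program
{
    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All,
        SerializationBinder = new KnownTypesBinder(new[] { typeof(Car) })
    };

    public static void Main()
    {
        // Constructed sample payloads: one names the allowed type, the other names
        // the framework type discussed in the answer.
        string ok  = "{\"$type\":\"Car\",\"Maker\":\"Ford\",\"Model\":\"Explorer\"}";
        string bad = "{\"$type\":\"System.CodeDom.Compiler.TempFileCollection\",\"KeepFiles\":false}";

        object car = JsonConvert.DeserializeObject<object>(ok, Settings);
        Console.WriteLine(car.GetType().Name); // Car

        try
        {
            JsonConvert.DeserializeObject<object>(bad, Settings);
        }
        catch (JsonSerializationException ex)
        {
            // The binder refused the type, so no TempFileCollection was ever constructed.
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Keying the allow-list on the short type name and emitting no assembly name keeps the "$type" values small and stable, and it means a payload carrying a fully qualified framework type name never matches an entry. The binder is the only place where a "$type" string becomes a Type, so the decision of what may be instantiated from external JSON is made in one reviewable spot rather than left to the default resolver.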