TypeNameHandling caution in Newtonsoft Json
Question
On this link, in the remarks section, it is mentioned that:
TypeNameHandling should be used with caution when your application deserializes JSON from an external source. Incoming types should be validated with a custom SerializationBinder when deserializing with a value other than TypeNameHandling.None.
In what cases would JSON from an external source be harmful if serialized/deserialized with TypeNameHandling.All? A working example would be appreciated.
Recommended answer
When deserializing with TypeNameHandling.All and without SerializationBinder checks, json.net will try to create an instance of the type that comes as metadata in the JSON.
    public class Car
    {
        public string Maker { get; set; }
        public string Model { get; set; }
    }

    {
        "$type": "Car",
        "Maker": "Ford",
        "Model": "Explorer"
    } // creates a Car and sets its property values
But an attacker could send you dangerous types that exist in your code or in the framework.
i.e. from here: System.CodeDom.Compiler.TempFileCollection is a serializable class whose purpose is to maintain a list of temporary files which resulted from a compilation process and delete them when they are no longer needed. To ensure that the files are deleted, the class implements a finalizer that will be called when the object is being cleaned up by the Garbage Collector. An attacker would be able to construct a serialized version of this class which pointed its internal file collection to any file on a victim's system. This will be deleted at some point after deserialization without any interaction from the deserializing application.
    [Serializable]
    public class TempFileCollection
    {
        private Hashtable files;
        // Other stuff...

        // Finalizer: runs during garbage collection and deletes every listed file
        ~TempFileCollection()
        {
            if (KeepFiles) { return; }
            foreach (string file in files.Keys)
            {
                File.Delete(file);
            }
        }
    }
    {
        "$type": "System.CodeDom.Compiler.TempFileCollection",
        "BasePath": "%SYSTEMDRIVE",
        "KeepFiles": "False",
        "TempDir": "%SYSTEMROOT%"
    } // or something like this, I'm just guessing, but you get the idea
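As an added example (not part of the original question or answer), here is the mitigation the Json.NET remarks recommend: an allow-list ISerializationBinder that only resolves "$type" names it was told about, so a document naming any other type is rejected before an instance is created. KnownTypesBinder is an assumed name; it targets the Newtonsoft.Json ISerializationBinder API (Json.NET 10 or later).

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class Car { public string Maker { get; set; } public string Model { get; set; } }

// Allow-list binder (assumed name): "$type" is only honoured for types registered here.
// Anything else, such as System.CodeDom.Compiler.TempFileCollection, never gets constructed.
public class KnownTypesBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _known = new Dictionary<string, Type>();

    public KnownTypesBinder(params Type[] knownTypes)
    {
        foreach (var t in knownTypes) _known[t.Name] = t;
    }

    // Called by Json.NET for every "$type" it reads; throwing aborts the deserialization.
    public Type BindToType(string assemblyName, string typeName)
    {
        if (_known.TryGetValue(typeName, out var type)) return type;
        throw new JsonSerializationException($"Type '{typeName}' is not on the allow-list.");
    }

    // Called when serializing: emit the short name so it round-trips through BindToType.
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class Program
{
    public static void Main()
    {
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All,
            SerializationBinder = new KnownTypesBinder(typeof(Car))
        };
        // Constructed input: the benign Car document from the answer; resolves to a Car.
        var good = "{\"$type\":\"Car\",\"Maker\":\"Ford\",\"Model\":\"Explorer\"}";
        var car = (Car)JsonConvert.DeserializeObject<object>(good, settings);
        Console.WriteLine($"Deserialized {car.Maker} {car.Model}");
        // Constructed input: "$type" naming a framework class; the binder refuses it.
        var bad = "{\"$type\":\"System.CodeDom.Compiler.TempFileCollection\"}";
        try { JsonConvert.DeserializeObject<object>(bad, settings); }
        catch (JsonSerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```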