Skip to content
This repository was archived by the owner on Dec 24, 2022. It is now read-only.

Security fix: Explicitly specified __type should not be even activated when not appropriate #447

Merged
merged 1 commit into from
Apr 25, 2015
Merged

Security fix: Explicitly specified __type should not be even activated when not appropriate #447

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 18 additions & 19 deletions src/ServiceStack.Text/Common/DeserializeTypeRefJson.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,37 +91,36 @@ internal static object StringToType(
var explicitTypeName = Serializer.ParseString(propertyValueStr);
var explicitType = AssemblyUtils.FindType(explicitTypeName);

if (explicitType != null && !explicitType.IsInterface() && !explicitType.IsAbstract())
// let's do the type safety checks first before we even attempt to create
// a type instance
if (explicitType == null || explicitType.IsInterface() || explicitType.IsAbstract())
{
instance = explicitType.CreateInstance();
Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);
}

if (instance == null)
else if (!type.IsAssignableFrom(explicitType))
{
Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);
Tracer.Instance.WriteWarning("Could not assign type: " + propertyValueStr);
}
else
{
//If __type info doesn't match, ignore it.
if (!type.InstanceOfType(instance))
{
instance = null;
}
else
instance = explicitType.CreateInstance();
}

if (instance != null)
{
var derivedType = instance.GetType();
if (derivedType != type)
{
var derivedType = instance.GetType();
if (derivedType != type)
var derivedTypeConfig = new TypeConfig(derivedType);
var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);
if (map != null)
{
var derivedTypeConfig = new TypeConfig(derivedType);
var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);
if (map != null)
{
typeAccessorMap = map;
}
typeAccessorMap = map;
}
}
}


Serializer.EatItemSeperatorOrMapEndChar(strType, ref index);
continue;
}
Expand Down
36 changes: 16 additions & 20 deletions src/ServiceStack.Text/Common/DeserializeTypeRefJsv.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,37 +45,33 @@ internal static object StringToType(
var explicitTypeName = Serializer.ParseString(propertyValueStr);
var explicitType = AssemblyUtils.FindType(explicitTypeName);

if (explicitType != null && !explicitType.IsInterface() && !explicitType.IsAbstract())
if (explicitType == null || explicitType.IsInterface() || explicitType.IsAbstract())
{
instance = explicitType.CreateInstance();
Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);
}

if (instance == null)
else if (!type.IsAssignableFrom(explicitType))
{
Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);
Tracer.Instance.WriteWarning("Could not assign type: " + propertyValueStr);
}
else
{
//If __type info doesn't match, ignore it.
if (!type.InstanceOfType(instance))
{
instance = null;
}
else
instance = explicitType.CreateInstance();
}

if (instance != null)
{
var derivedType = instance.GetType();
if (derivedType != type)
{
var derivedType = instance.GetType();
if (derivedType != type)
var derivedTypeConfig = new TypeConfig(derivedType);
var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);
if (map != null)
{
var derivedTypeConfig = new TypeConfig(derivedType);
var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);
if (map != null)
{
typeAccessorMap = map;
}
typeAccessorMap = map;
}
}
}

//Serializer.EatItemSeperatorOrMapEndChar(strType, ref index);
if (index != strType.Length) index++;

Expand Down
22 changes: 22 additions & 0 deletions tests/ServiceStack.Text.Tests/JsonTests/PolymorphicInstanceTest.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,5 +44,27 @@ public void Can_deserialise_polymorphic_list_exact_with_no_side_effect_for_bad_t

}

[Test]
public void Should_not_even_instantiate_incorrect_type()
{
var json = @"{""__type"":"""
+ typeof(TestClass).ToTypeString() + @""", ""Name"":""Fido""}";
var dog = JsonSerializer.DeserializeFromString<Dog>(

json);

Assert.IsFalse(TestClass.Called);
}

public class TestClass
{
public static bool Called { get; set; }

public TestClass()
{
Called = true;
}
}

}
}