Merge pull request ServiceStack#447 from voloda/DeserializeActivationFix

mythz · mythz · commit 18972bd85046 · 2015-04-26T03:53:33.000+09:30
Security fix: Explicitly specified __type should not be even activated when not appropriate
diff --git a/src/ServiceStack.Text/Common/DeserializeTypeRefJson.cs b/src/ServiceStack.Text/Common/DeserializeTypeRefJson.cs
@@ -91,37 +91,36 @@ internal static object StringToType(
                     var explicitTypeName = Serializer.ParseString(propertyValueStr);
                     var explicitType = AssemblyUtils.FindType(explicitTypeName);
 
-                    if (explicitType != null && !explicitType.IsInterface() && !explicitType.IsAbstract())
+                    // let's do the type safety checks first before we even attempt to create
+                    // a type instance
+                    if (explicitType == null || explicitType.IsInterface() || explicitType.IsAbstract())
                     {
-                        instance = explicitType.CreateInstance();
+                        Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);
                     }
-
-                    if (instance == null)
+                    else if (!type.IsAssignableFrom(explicitType))
                     {
-                        Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);
+                        Tracer.Instance.WriteWarning("Could not assign type: " + propertyValueStr);
                     }
                     else
                     {
-                        //If __type info doesn't match, ignore it.
-                        if (!type.InstanceOfType(instance))
-                        {
-                            instance = null;
-                        }
-                        else
+                        instance = explicitType.CreateInstance();
+                    }
+
+                    if (instance != null)
+                    {
+                        var derivedType = instance.GetType();
+                        if (derivedType != type)
                         {
-                            var derivedType = instance.GetType();
-                            if (derivedType != type)
+                            var derivedTypeConfig = new TypeConfig(derivedType);
+                            var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);
+                            if (map != null)
                             {
-                                var derivedTypeConfig = new TypeConfig(derivedType);
-                                var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);
-                                if (map != null)
-                                {
-                                    typeAccessorMap = map;
-                                }
+                                typeAccessorMap = map;
                             }
                         }
                     }
 
+
                     Serializer.EatItemSeperatorOrMapEndChar(strType, ref index);
                     continue;
                 }
diff --git a/src/ServiceStack.Text/Common/DeserializeTypeRefJsv.cs b/src/ServiceStack.Text/Common/DeserializeTypeRefJsv.cs
@@ -45,37 +45,33 @@ internal static object StringToType(
                     var explicitTypeName = Serializer.ParseString(propertyValueStr);
                     var explicitType = AssemblyUtils.FindType(explicitTypeName);
 
-                    if (explicitType != null && !explicitType.IsInterface() && !explicitType.IsAbstract())
+                    if (explicitType == null || explicitType.IsInterface() || explicitType.IsAbstract())
                     {
-                        instance = explicitType.CreateInstance();
+                        Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);
                     }
-
-                    if (instance == null)
+                    else if (!type.IsAssignableFrom(explicitType))
                     {
-                        Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);
+                        Tracer.Instance.WriteWarning("Could not assign type: " + propertyValueStr);
                     }
                     else
                     {
-                        //If __type info doesn't match, ignore it.
-                        if (!type.InstanceOfType(instance))
-                        {
-                            instance = null;
-                        }
-                        else
+                        instance = explicitType.CreateInstance();
+                    }
+
+                    if (instance != null)
+                    {
+                        var derivedType = instance.GetType();
+                        if (derivedType != type)
                         {
-                            var derivedType = instance.GetType();
-                            if (derivedType != type)
+                            var derivedTypeConfig = new TypeConfig(derivedType);
+                            var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);
+                            if (map != null)
                             {
-                                var derivedTypeConfig = new TypeConfig(derivedType);
-                                var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);
-                                if (map != null)
-                                {
-                                    typeAccessorMap = map;
-                                }
+                                typeAccessorMap = map;
                             }
                         }
                     }
-
+                    
                     //Serializer.EatItemSeperatorOrMapEndChar(strType, ref index);
                     if (index != strType.Length) index++;
 
diff --git a/tests/ServiceStack.Text.Tests/JsonTests/PolymorphicInstanceTest.cs b/tests/ServiceStack.Text.Tests/JsonTests/PolymorphicInstanceTest.cs
@@ -44,5 +44,27 @@ public void Can_deserialise_polymorphic_list_exact_with_no_side_effect_for_bad_t
 
 		}
 
+        [Test]
+	    public void Should_not_even_instantiate_incorrect_type()
+	    {
+            var json = @"{""__type"":"""
+                           + typeof(TestClass).ToTypeString() + @""", ""Name"":""Fido""}";
+            var dog = JsonSerializer.DeserializeFromString<Dog>(
+
+                    json);
+
+            Assert.IsFalse(TestClass.Called);
+	    }
+
+	    public class TestClass 
+	    {
+            public static bool Called { get; set; }
+
+	        public TestClass()
+	        {
+	            Called = true;
+	        }
+	    }
+
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -91,37 +91,36 @@ internal static object StringToType(`
`91`	`91`	`var explicitTypeName = Serializer.ParseString(propertyValueStr);`
`92`	`92`	`var explicitType = AssemblyUtils.FindType(explicitTypeName);`
`93`	`93`
`94`		`- if (explicitType != null && !explicitType.IsInterface() && !explicitType.IsAbstract())`
	`94`	`+ // let's do the type safety checks first before we even attempt to create`
	`95`	`+ // a type instance`
	`96`	`+ if (explicitType == null \|\| explicitType.IsInterface() \|\| explicitType.IsAbstract())`
`95`	`97`	`{`
`96`		`- instance = explicitType.CreateInstance();`
	`98`	`+ Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);`
`97`	`99`	`}`
`98`		`-`
`99`		`- if (instance == null)`
	`100`	`+ else if (!type.IsAssignableFrom(explicitType))`
`100`	`101`	`{`
`101`		`- Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);`
	`102`	`+ Tracer.Instance.WriteWarning("Could not assign type: " + propertyValueStr);`
`102`	`103`	`}`
`103`	`104`	`else`
`104`	`105`	`{`
`105`		`- //If __type info doesn't match, ignore it.`
`106`		`- if (!type.InstanceOfType(instance))`
`107`		`- {`
`108`		`- instance = null;`
`109`		`- }`
`110`		`- else`
	`106`	`+ instance = explicitType.CreateInstance();`
	`107`	`+ }`
	`108`	`+`
	`109`	`+ if (instance != null)`
	`110`	`+ {`
	`111`	`+ var derivedType = instance.GetType();`
	`112`	`+ if (derivedType != type)`
`111`	`113`	`{`
`112`		`- var derivedType = instance.GetType();`
`113`		`- if (derivedType != type)`
	`114`	`+ var derivedTypeConfig = new TypeConfig(derivedType);`
	`115`	`+ var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);`
	`116`	`+ if (map != null)`
`114`	`117`	`{`
`115`		`- var derivedTypeConfig = new TypeConfig(derivedType);`
`116`		`- var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);`
`117`		`- if (map != null)`
`118`		`- {`
`119`		`- typeAccessorMap = map;`
`120`		`- }`
	`118`	`+ typeAccessorMap = map;`
`121`	`119`	`}`
`122`	`120`	`}`
`123`	`121`	`}`
`124`	`122`
	`123`	`+`
`125`	`124`	`Serializer.EatItemSeperatorOrMapEndChar(strType, ref index);`
`126`	`125`	`continue;`
`127`	`126`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,37 +45,33 @@ internal static object StringToType(`
`45`	`45`	`var explicitTypeName = Serializer.ParseString(propertyValueStr);`
`46`	`46`	`var explicitType = AssemblyUtils.FindType(explicitTypeName);`
`47`	`47`
`48`		`- if (explicitType != null && !explicitType.IsInterface() && !explicitType.IsAbstract())`
	`48`	`+ if (explicitType == null \|\| explicitType.IsInterface() \|\| explicitType.IsAbstract())`
`49`	`49`	`{`
`50`		`- instance = explicitType.CreateInstance();`
	`50`	`+ Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);`
`51`	`51`	`}`
`52`		`-`
`53`		`- if (instance == null)`
	`52`	`+ else if (!type.IsAssignableFrom(explicitType))`
`54`	`53`	`{`
`55`		`- Tracer.Instance.WriteWarning("Could not find type: " + propertyValueStr);`
	`54`	`+ Tracer.Instance.WriteWarning("Could not assign type: " + propertyValueStr);`
`56`	`55`	`}`
`57`	`56`	`else`
`58`	`57`	`{`
`59`		`- //If __type info doesn't match, ignore it.`
`60`		`- if (!type.InstanceOfType(instance))`
`61`		`- {`
`62`		`- instance = null;`
`63`		`- }`
`64`		`- else`
	`58`	`+ instance = explicitType.CreateInstance();`
	`59`	`+ }`
	`60`	`+`
	`61`	`+ if (instance != null)`
	`62`	`+ {`
	`63`	`+ var derivedType = instance.GetType();`
	`64`	`+ if (derivedType != type)`
`65`	`65`	`{`
`66`		`- var derivedType = instance.GetType();`
`67`		`- if (derivedType != type)`
	`66`	`+ var derivedTypeConfig = new TypeConfig(derivedType);`
	`67`	`+ var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);`
	`68`	`+ if (map != null)`
`68`	`69`	`{`
`69`		`- var derivedTypeConfig = new TypeConfig(derivedType);`
`70`		`- var map = DeserializeTypeRef.GetTypeAccessorMap(derivedTypeConfig, Serializer);`
`71`		`- if (map != null)`
`72`		`- {`
`73`		`- typeAccessorMap = map;`
`74`		`- }`
	`70`	`+ typeAccessorMap = map;`
`75`	`71`	`}`
`76`	`72`	`}`
`77`	`73`	`}`
`78`		`-`
	`74`	`+`
`79`	`75`	`//Serializer.EatItemSeperatorOrMapEndChar(strType, ref index);`
`80`	`76`	`if (index != strType.Length) index++;`
`81`	`77`