Merge branch 'dev'
Arkatufus committed Aug 17, 2021
2 parents 1f40195 + e3b1a3d commit 63cb41e
Showing 18 changed files with 255 additions and 70 deletions.
30 changes: 30 additions & 0 deletions RELEASE_NOTES.md
@@ -1,3 +1,33 @@
### 0.11.1 August 17 2021 ####
* Add [unsafe deserialization type blacklist](https://github.com/akkadotnet/Hyperion/pull/242)
* Bump [Akka version from 1.4.21 to 1.4.23](https://github.com/akkadotnet/Hyperion/pull/246)

We've added a deserialization safety check to block dangerous types from being deserialized.
This is done to add a layer of security from possible code injection and code execution attack.
Currently it is an all or nothing feature that can be turned on and off by using the new `DisallowUnsafeTypes` flag inside `SerializerOptions` (defaults to true).

The unsafe types that are currently blocked are:
- System.Security.Claims.ClaimsIdentity
- System.Windows.Forms.AxHost.State
- System.Windows.Data.ObjectDataProvider
- System.Management.Automation.PSObject
- System.Web.Security.RolePrincipal
- System.IdentityModel.Tokens.SessionSecurityToken
- SessionViewStateHistoryItem
- TextFormattingRunProperties
- ToolboxItemContainer
- System.Security.Principal.WindowsClaimsIdentity
- System.Security.Principal.WindowsIdentity
- System.Security.Principal.WindowsPrincipal
- System.CodeDom.Compiler.TempFileCollection
- System.IO.FileSystemInfo
- System.Activities.Presentation.WorkflowDesigner
- System.Windows.ResourceDictionary
- System.Windows.Forms.BindingSource
- Microsoft.Exchange.Management.SystemManager.WinForms.ExchangeSettingsProvider
- System.Diagnostics.Process
- System.Management.IWbemClassObjectFreeThreaded

### 0.11.0 July 8 2021 ####
* [Fix array of user defined structs serialization failure](https://github.com/akkadotnet/Hyperion/pull/235)
* [Remove dynamic keyword usage from array serializer](https://github.com/akkadotnet/Hyperion/pull/139)
22 changes: 0 additions & 22 deletions build-system/linux-pr-validation.yaml

This file was deleted.

9 changes: 8 additions & 1 deletion build-system/windows-pr-validation.yaml
Expand Up @@ -19,4 +19,11 @@ jobs:
name: Windows
vmImage: 'windows-2019'
scriptFileName: build.cmd
scriptArgs: all
scriptArgs: all
- template: azure-pipeline.template.yaml
parameters:
name: 'linux_pr'
displayName: 'Linux PR Validation'
vmImage: 'ubuntu-18.04'
scriptFileName: ./build.sh
scriptArgs: all
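Review bot: The Linux PR job added at the end of this section now lives in a file named windows-pr-validation.yaml, while the separate build-system/linux-pr-validation.yaml is deleted in the same commit, so the filename no longer describes its contents. Either rename the file (e.g. `pr-validation.yaml`) or add a header comment such as `# Defines both the Windows and the Linux PR validation jobs` so the next reader does not look for the Linux job elsewhere. The doubled `scriptArgs: all` line above the new block looks like a whitespace-only change on the Windows entry, which is fine as is.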
7 changes: 4 additions & 3 deletions build.fsx
Expand Up @@ -25,7 +25,7 @@ let output = __SOURCE_DIRECTORY__ @@ "bin"
let outputTests = __SOURCE_DIRECTORY__ @@ "TestResults"
let outputPerfTests = __SOURCE_DIRECTORY__ @@ "PerfResults"
let outputBinaries = output @@ "binaries"
let outputBinariesNet461 = outputBinaries @@ "net461"
let outputBinariesNet461 = outputBinaries @@ "net471"
let outputBinariesNetStandard = outputBinaries @@ "netstandard2.0"
let outputBinariesNet = outputBinaries @@ "net5.0"
let outputNuGet = output @@ "nuget"
Expand All @@ -52,7 +52,7 @@ let versionSuffix =
| str -> str

// Configuration values for tests
let testNetFrameworkVersion = "net461"
let testNetFrameworkVersion = "net471"
let testNetCoreVersion = "netcoreapp3.1"
let testNetVersion = "net5.0"

Expand Down Expand Up @@ -115,7 +115,8 @@ Target "RunTests" (fun _ ->
let projects =
match (isWindows) with
| true -> !! "./src/**/*.Tests.csproj"
| _ -> !! "./src/**/*.Tests.csproj" // if you need to filter specs for Linux vs. Windows, do it here
| _ -> !! "./src/**/*.Tests.csproj"
-- "./src/**/*.API.Tests.csproj" // if you need to filter specs for Linux vs. Windows, do it here

let runSingleProject project =
let arguments =
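Review bot: In the first hunk the binding `outputBinariesNet461` now points at the "net471" folder, so its name contradicts its value; rename it `let outputBinariesNet471 = outputBinaries @@ "net471"` and update its uses, which are outside this view. In the RunTests hunk the new `-- "./src/**/*.API.Tests.csproj"` exclusion silently drops the public-API approval tests from non-Windows runs, and the comment carried over on that line only says where to filter, not why; state the reason, e.g. `// API approval tests are excluded on Linux: <reason> — remove once fixed`, so the exclusion is not kept after its cause is gone. The `Target "RunTests"` body continues outside the hunk.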
8 changes: 8 additions & 0 deletions src/Hyperion.API.Tests/CoreApiSpec.ApproveApi.approved.txt
Expand Up @@ -91,7 +91,10 @@ namespace Hyperion
public static readonly Hyperion.SerializerOptions Default;
[System.Obsolete]
public SerializerOptions(bool versionTolerance = false, bool preserveObjectReferences = false, System.Collections.Generic.IEnumerable<Hyperion.Surrogate> surrogates = null, System.Collections.Generic.IEnumerable<Hyperion.SerializerFactories.ValueSerializerFactory> serializerFactories = null, System.Collections.Generic.IEnumerable<System.Type> knownTypes = null, bool ignoreISerializable = false) { }
[System.Obsolete]
public SerializerOptions(bool versionTolerance, bool preserveObjectReferences, System.Collections.Generic.IEnumerable<Hyperion.Surrogate> surrogates, System.Collections.Generic.IEnumerable<Hyperion.SerializerFactories.ValueSerializerFactory> serializerFactories, System.Collections.Generic.IEnumerable<System.Type> knownTypes, bool ignoreISerializable, System.Collections.Generic.IEnumerable<System.Func<string, string>> packageNameOverrides) { }
public SerializerOptions(bool versionTolerance, bool preserveObjectReferences, System.Collections.Generic.IEnumerable<Hyperion.Surrogate> surrogates, System.Collections.Generic.IEnumerable<Hyperion.SerializerFactories.ValueSerializerFactory> serializerFactories, System.Collections.Generic.IEnumerable<System.Type> knownTypes, bool ignoreISerializable, System.Collections.Generic.IEnumerable<System.Func<string, string>> packageNameOverrides, bool disallowUnsafeTypes) { }
public Hyperion.SerializerOptions WithDisallowUnsafeType(bool disallowUnsafeType) { }
public Hyperion.SerializerOptions WithIgnoreSerializable(bool ignoreISerializable) { }
public Hyperion.SerializerOptions WithKnownTypes(System.Collections.Generic.IEnumerable<System.Type> knownTypes) { }
public Hyperion.SerializerOptions WithPackageNameOverrides(System.Collections.Generic.IEnumerable<System.Func<string, string>> packageNameOverrides) { }
Expand Down Expand Up @@ -350,6 +353,11 @@ namespace Hyperion.Internal
public string Contract { get; }
public bool ForceFullStates { get; }
}
public class EvilDeserializationException : System.Security.SecurityException
{
public EvilDeserializationException(string message, string typeString) { }
public string BadTypeString { get; }
}
[System.AttributeUsage(System.AttributeTargets.Property | System.AttributeTargets.Field | System.AttributeTargets.Parameter | System.AttributeTargets.All)]
public sealed class HtmlAttributeValueAttribute : System.Attribute
{
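Review bot: The public API recorded here names the new option inconsistently: the constructor takes `bool disallowUnsafeTypes` (plural), the builder is `WithDisallowUnsafeType(bool disallowUnsafeType)` (singular), and the release notes in this commit call the flag `DisallowUnsafeTypes`. Since this file is approved output, the fix belongs in SerializerOptions (not in this view), e.g. `public SerializerOptions WithDisallowUnsafeTypes(bool disallowUnsafeTypes)`, with the approval file regenerated. Aligning the names before 0.11.1 ships is cheap; afterwards a rename is a breaking change to a public surface.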
7 changes: 4 additions & 3 deletions src/Hyperion.API.Tests/Hyperion.API.Tests.csproj
@@ -1,22 +1,23 @@
<Project Sdk="Microsoft.NET.Sdk">
<Import Project="..\common.props" />
<Import Project="..\xunitSettings.props" />

<PropertyGroup>
<TargetFrameworks>net461;netcoreapp3.1;net5.0</TargetFrameworks>
<TargetFrameworks>$(NetFrameworkTestVersion);$(NetTestVersion);$(NetCoreTestVersion)</TargetFrameworks>

<IsPackable>false</IsPackable>
</PropertyGroup>

<ItemGroup>
<PackageReference Include="ApprovalTests" Version="5.5.0" />
<PackageReference Include="ApprovalTests" Version="5.7.0" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(TestSdkVersion)" />
<PackageReference Include="PublicApiGenerator" Version="10.2.0" />
<PackageReference Include="xunit" Version="$(XunitVersion)" />
<PackageReference Include="xunit.runner.visualstudio" Version="$(XunitRunnerVersion)">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="coverlet.collector" Version="3.0.3">
<PackageReference Include="coverlet.collector" Version="3.1.0">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
@@ -1,8 +1,9 @@
<Project Sdk="Microsoft.NET.Sdk">
<Import Project="..\common.props" />
<Import Project="..\xunitSettings.props" />

<PropertyGroup>
<TargetFrameworks>net461;netcoreapp3.1;net5.0</TargetFrameworks>
<TargetFrameworks>$(NetFrameworkTestVersion);$(NetTestVersion);$(NetCoreTestVersion)</TargetFrameworks>

<IsPackable>false</IsPackable>
</PropertyGroup>
Expand All @@ -18,7 +19,7 @@
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
<PackageReference Include="coverlet.collector" Version="3.0.3">
<PackageReference Include="coverlet.collector" Version="3.1.0">
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
<PrivateAssets>all</PrivateAssets>
</PackageReference>
6 changes: 3 additions & 3 deletions src/Hyperion.Benchmarks/Hyperion.Benchmarks.csproj
@@ -1,13 +1,13 @@
<Project Sdk="Microsoft.NET.Sdk">

<Import Project="..\common.props" />
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>netcoreapp2.0</TargetFramework>
<TargetFrameworks>$(NetFrameworkTestVersion);$(NetTestVersion);$(NetCoreTestVersion)</TargetFrameworks>
<IsPackable>false</IsPackable> <!-- prevents it from being published as NuGet package -->
</PropertyGroup>

<ItemGroup>
<PackageReference Include="BenchmarkDotNet" Version="0.13.0" />
<PackageReference Include="BenchmarkDotNet" Version="0.13.1" />
</ItemGroup>

<ItemGroup>
1 change: 1 addition & 0 deletions src/Hyperion.Tests/ExpressionTests.cs
Expand Up @@ -9,6 +9,7 @@

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Linq.Expressions;
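Review bot: `using System.Diagnostics;` is added here with no use visible in the hunk, and the rest of ExpressionTests.cs is outside this view. If nothing in the file references that namespace the directive should be dropped rather than left as an unused import; if a test does use it (for example a `Debug` or `Stopwatch` call), that change presumably belongs in the same commit and is not shown.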
19 changes: 11 additions & 8 deletions src/Hyperion.Tests/Hyperion.Tests.csproj
@@ -1,22 +1,30 @@
<Project Sdk="Microsoft.NET.Sdk">
<Import Project="..\common.props" />
<Import Project="..\xunitSettings.props" />

<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFrameworks>net461;netcoreapp3.1;net5.0</TargetFrameworks>
<TargetFrameworks>$(NetFrameworkTestVersion);$(NetTestVersion);$(NetCoreTestVersion)</TargetFrameworks>
<TargetLatestRuntimePatch>true</TargetLatestRuntimePatch>
<LangVersion>latest</LangVersion>
<StartupObject>Hyperion.Tests.Generator.Program</StartupObject>
</PropertyGroup>

<PropertyGroup Condition=" '$(TargetFramework)' == 'netcoreapp3.1' or '$(TargetFramework)' == 'net5.0' ">
<PropertyGroup Condition=" '$(TargetFramework)' == '$(NetCoreTestVersion)' or '$(TargetFramework)' == '$(NetTestVersion)' ">
<DefineConstants>$(DefineConstants);NETCOREAPP</DefineConstants>
</PropertyGroup>

<PropertyGroup Condition=" '$(TargetFramework)' == 'net461' ">
<PropertyGroup Condition=" '$(TargetFramework)' == '$(NetFrameworkTestVersion)' ">
<DefineConstants>$(DefineConstants);NETFX</DefineConstants>
</PropertyGroup>


<ItemGroup Condition="'$(TargetFramework)' == '$(NetFrameworkTestVersion)'">
<Reference Include="System.Drawing">
<Private>true</Private>
</Reference>
</ItemGroup>

<ItemGroup>
<PackageReference Include="FluentAssertions" Version="$(FluentAssertionsVersion)" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(TestSdkVersion)" />
Expand All @@ -30,9 +38,4 @@
<ProjectReference Include="..\Hyperion\Hyperion.csproj" />
</ItemGroup>

<ItemGroup Condition="'$(TargetFramework)' == 'net461'">
<Reference Include="System.Drawing">
<Private>true</Private>
</Reference>
</ItemGroup>
</Project>
26 changes: 26 additions & 0 deletions src/Hyperion.Tests/UnsafeDeserializationExclusionTests.cs
@@ -0,0 +1,26 @@
using System.IO;
using Hyperion.Extensions;
using Hyperion.Internal;
using Xunit;

namespace Hyperion.Tests
{
public class UnsafeDeserializationExclusionTests
{
[Fact]
public void CantDeserializeANaughtyType()
{
//System.Diagnostics.Process p = new Process();
var serializer = new Hyperion.Serializer();
var di =new System.IO.DirectoryInfo(@"c:\");

using (var stream = new MemoryStream())
{
serializer.Serialize(di, stream);
stream.Position = 0;
Assert.Throws<EvilDeserializationException>(() =>
serializer.Deserialize<DirectoryInfo>(stream));
}
}
}
}
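Review bot: `new System.IO.DirectoryInfo(@"c:\")` uses a Windows-only path in a test project that this same commit starts running on ubuntu via build.sh; the constructor accepts the string on Linux as a relative path so the test likely still passes, but the intent reads as platform-specific, and `Path.GetTempPath()` with the unqualified `DirectoryInfo` (System.IO is already imported) says what is meant. The commented-out `//System.Diagnostics.Process p = new Process();` should be deleted, and `using Hyperion.Extensions;` appears unused in this file. More importantly the test only shows that the exception fires; it does not check that `BadTypeString` is populated, nor that the opt-out `WithDisallowUnsafeType(false)` recorded in the approved API still round-trips the value, so a regression that throws for every type would pass. The rewrite below adds both checks, assuming `SerializerOptions.Default` carries the default of true and that DirectoryInfo round-trips cleanly in Hyperion; if it does not, substitute another blocked type for the opt-out test. DirectoryInfo is not itself on the published list, so the test presumably relies on the base-type match against System.IO.FileSystemInfo, which is worth a comment.
```csharp
[Fact]
public void CantDeserializeANaughtyType()
{
    var serializer = new Serializer();
    // DirectoryInfo is not listed by name; presumably matched through its base type System.IO.FileSystemInfo.
    var di = new DirectoryInfo(Path.GetTempPath());

    using (var stream = new MemoryStream())
    {
        serializer.Serialize(di, stream);
        stream.Position = 0;
        var ex = Assert.Throws<EvilDeserializationException>(() =>
            serializer.Deserialize<DirectoryInfo>(stream));
        Assert.False(string.IsNullOrEmpty(ex.BadTypeString));
    }
}

[Fact]
public void CanDeserializeANaughtyTypeWhenCheckIsDisabled()
{
    var serializer = new Serializer(SerializerOptions.Default.WithDisallowUnsafeType(false));
    var di = new DirectoryInfo(Path.GetTempPath());

    using (var stream = new MemoryStream())
    {
        serializer.Serialize(di, stream);
        stream.Position = 0;
        var roundTripped = serializer.Deserialize<DirectoryInfo>(stream);
        Assert.Equal(di.FullName, roundTripped.FullName);
    }
}
```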