System.Text.Json doesn't deserialize IDictionary with TKey types other than string

[ekvalizer]

Description

System.Text.Json.Deserialize() cannot deserialize to IDictionary where TKey has type other than string.
I have following example:

       [Test]
        public void DictionaryTest()
        {
            var dic = new Dictionary<int, string>
            {
                {33, "190"},
                {55, "88"}
            };

            var json = JsonSerializer.Serialize(dic);

            var deserialized = JsonSerializer.Deserialize<IDictionary<int, string>>(json);
            Assert.IsNotNull(deserialized);
        }

This code above would throw exception System.InvalidCastException : Unable to cast object of type 'System.Collections.Generic.Dictionary2[System.String,System.String]' to type 'System.Collections.Generic.IDictionary2[System.Int32,System.String]'.

However if i only change IDictinary type to Dictionary it will work. It seems strange for me because similar example for ICollection<int> would work and i'll get List object.

Configuration

.net 5.0.100
Windows 10 18363.1198 (x64)

[GrabYourPitchforks]

FYI to JSON team: deserializing to a Dictionary<TKey, TValue> where TKey is typed as anything other than string could introduce a security vulnerability in the consuming application. This isn't a reason to avoid introducing this feature, but if we do introduce it we absolutely need to document its impact.

[layomia]

This was fixed for 6.0 in #42835. See that PR for more info. The workaround for 5.0 is to use another dictionary type such as Dictionary<,> as you noted.

---

@GrabYourPitchforks support for non-string dictionary keys was added in 5.0 (PR, design doc). This support is scoped to primitives such as DateTime, int etc. Unfortunately we have a bug in the feature that this issue calls out.

I've created a doc issue to provide security guidance about this feature: dotnet/docs#21724.

[layomia]

Reopening for servicing consideration in 5.0.

[layomia]

Fixed for 5.0.2 in #45449.