-
public class ContractlessSample
{
public int MyProperty1 { get; set; }
public int MyProperty2 { get; set; }
}
var data = new ContractlessSample { MyProperty1 = 99, MyProperty2 = 9999 };
MessagePackSerializer.DefaultOptions = MessagePack.Resolvers.ContractlessStandardResolver.Options;
var bin = MessagePackSerializer.Serialize(data);Does this have risk of RCE like BinaryFormatter? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
We expect Not safe are the |
Beta Was this translation helpful? Give feedback.
-
|
Is there a "safe" class that can deserialize bytes into an object (without providing any class)? |
Beta Was this translation helpful? Give feedback.
-
|
So long as the data being deserialized gets to specify the type to be deserialized, no, that's fundamentally unsafe, because the data can specify harmful data to be deserialized into a type that will interpret and execute on that harmful data. You safe options are to use something like the UnionAttribute, where you have a closed set of types that the data can ask for, or you can let the data specify the type itself and you have an allow-list in order to constrain the types. If you choose the latter, you can use a Typeless resolver in combination with deriving from the |
Beta Was this translation helpful? Give feedback.
-
[MessagePack.Union(0, typeof(FooClass))]
[MessagePack.Union(1, typeof(BarClass))]
public interface IUnionSample
{
}Is it possible to dynamically add types to this at runtime? |
Beta Was this translation helpful? Give feedback.
-
|
No. For that you'll need to write your own custom formatter for the |
Beta Was this translation helpful? Give feedback.
We expect
ContractlessStandardResolverto be safe.Not safe are the
TypelessContractlessStandardResolverandContractlessStandardResolverAllowPrivatevariants.