Merge pull request litedb-org#2500 from JKamsker/feat/improved_deseri…

…alization_safety Added more blacklisted deserialization gadgets
jiuaizxc · Jun 19, 2024 · 5fc9cfc · 5fc9cfc
2 parents 148ad42 + 2564740
commit 5fc9cfc
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 10 deletions.
diff --git a/LiteDB/Client/Mapper/BsonMapper.Deserialize.cs b/LiteDB/Client/Mapper/BsonMapper.Deserialize.cs
@@ -177,13 +177,6 @@ public object Deserialize(Type type, BsonValue value)
                         throw LiteException.DataTypeNotAssignable(type.FullName, actualType.FullName);
                     }
 
-                    // avoid use of "System.Diagnostics.Process" in object type definition
-                    // using String test to work in .netstandard 1.3
-                    if (actualType.FullName.Equals("System.Diagnostics.Process", StringComparison.OrdinalIgnoreCase))
-                    {
-                        throw LiteException.AvoidUseOfProcess();
-                    }
-
                     type = actualType;
                 }
                 // when complex type has no definition (== typeof(object)) use Dictionary<string, object> to better set values

diff --git a/LiteDB/Client/Mapper/TypeNameBinder/DefaultTypeNameBinder.cs b/LiteDB/Client/Mapper/TypeNameBinder/DefaultTypeNameBinder.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Reflection;
 
 namespace LiteDB
@@ -7,12 +8,68 @@ public class DefaultTypeNameBinder : ITypeNameBinder
     {
         public static DefaultTypeNameBinder Instance { get; } = new DefaultTypeNameBinder();
 
+        /// <summary>
+        /// Contains all well known vulnerable types according to ysoserial.net
+        /// </summary>
+        private static readonly HashSet<string> _disallowedTypeNames = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            "System.Workflow.ComponentModel.AppSettings",
+            "System.Core",
+            "WinRT.BaseActivationFactory",
+            "System.Data",
+            "System.Windows.Data.ObjectDataProvider",
+            "System.CodeDom.Compiler.CompilerResults",
+            "System.Collections.ArrayList",
+            "System.Diagnostics.Process",
+            "System.Diagnostics.ProcessStartInfo",
+            "System.Management.Automation",
+            "System.Windows.Markup.XamlReader",
+            "System.Web.Security.RolePrincipal",
+            "System.Security.Principal.WindowsIdentity",
+            "System.Security.Principal.WindowsPrincipal",
+            "Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties",
+            "System.Drawing.Design.ToolboxItemContainer",
+            "Microsoft.IdentityModel.Claims.WindowsClaimsIdentity",
+            "System.Resources.ResXResourceReader",
+            "System.Resources.ResXResourceWriter",
+            "System.Windows.Forms",
+            "Microsoft.ApplicationId.Framework.InfiniteProgressPage",
+            "Microsoft.VisualBasic.Logging.FileLogTraceListener",
+            "Grpc.Core.Internal.UnmanagedLibrary",
+            "MongoDB.Libmongocrypt.LibraryLoader+WindowsLibrary",
+            "Xunit.Xunit1Executor",
+            "Apache.NMS.ActiveMQ.Commands.ActiveMQObjectMessage",
+            "Apache.NMS.ActiveMQ.Transport.Failover.FailoverTransport",
+            "Apache.NMS.ActiveMQ.Util.IdGenerator",
+            "Xunit.Sdk.TestFrameworkDiscoverer+PreserveWorkingFolder",
+            "Xunit.Xunit1AssemblyInfo",
+            "Amazon.Runtime.Internal.Util.OptimisticLockedTextFile",
+            "Microsoft.Azure.Cosmos.Query.Core.QueryPlan.QueryPartitionProvider",
+            "NLog.Internal.FileAppenders.SingleProcessFileAppender",
+            "NLog.Targets.FileTarget",
+            "Google.Apis.Util.Store.FileDataStore",
+        };
+
         private DefaultTypeNameBinder()
         {
         }
 
         public string GetName(Type type) => type.FullName + ", " + type.GetTypeInfo().Assembly.GetName().Name;
 
-        public Type GetType(string name) => Type.GetType(name);
+        public Type GetType(string name)
+        {
+            var type = Type.GetType(name);
+            if (type == null)
+            {
+                return null;
+            }
+
+            if (_disallowedTypeNames.Contains(type.FullName))
+            {
+                throw LiteException.IllegalDeserializationType(type.FullName);
+            }
+
+            return type;
+        }
     }
 }
diff --git a/LiteDB/Utils/LiteException.cs b/LiteDB/Utils/LiteException.cs
@@ -56,6 +56,7 @@ public class LiteException : Exception
         public const int AVOID_USE_OF_PROCESS = 215;
         public const int NOT_ENCRYPTED = 216;
         public const int INVALID_PASSWORD = 217;
+        public const int ILLEGAL_DESERIALIZATION_TYPE = 218;
 
         public const int INVALID_DATAFILE_STATE = 999;
 
@@ -338,9 +339,9 @@ internal static LiteException InvalidPassword()
             return new LiteException(INVALID_PASSWORD, "Invalid password.");
         }
 
-        internal static LiteException AvoidUseOfProcess()
+        internal static LiteException IllegalDeserializationType(string typeName)
         {
-            return new LiteException(AVOID_USE_OF_PROCESS, $"LiteDB do not accept System.Diagnostics.Process class in deserialize mapper");
+            return new LiteException(ILLEGAL_DESERIALIZATION_TYPE, $"Illegal deserialization type: {typeName}");
         }
 
         internal static LiteException InvalidDatafileState(string message)