.NET JSON Serialization and deserialization flavoured with some inheritance
This content has 4 years. Some of the information in this post may be out of date or no longer work. Please, read this page keeping its age in your mind.Imagine, you have a base class. It can have a base property in it. To keep OOP principles in mind, you are creating a derived class by of it called “InheritedClass” And you are defining a container class, which holds an instance of a BaseClass or an InheritedClass. You are defining a property with BaseClass type. It will fit to InheritedClass too. If you are casting your object, the PlusProperty’s value never gets lost, because the framework allocates the memory for an InheritedClass. But what about, if you are serialize this object, and then deserialize it back? What do you think, what will be the result of this program? This code snippet gives the following result: That is because JSON does not include type names when serializing and deserializing an object. You can set TypeNameHandling = All for your JsonSerializerSettings, but it is highly unrecommended by Microsoft, because it can lead you into security issues, allows attackers remote code execution. Output: ” Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files. ” More details at: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2326
.NET Core: Type serialization denied
This content has 4 years. Some of the information in this post may be out of date or no longer work. Please, read this page keeping its age in your mind.When trying to return with a complex object in .NET Core API, which has a Type property in it, the serializer gives the following exception : Passing Type, DataSet, DataTable through the JSON or XML serializer gives possibility to remote code execution for attackers. More information available at https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/dataset-datatable-dataview/security-guidance Workaround:Declare an enumeration for your types (ex: enum { string, int, etc }) you can parse the value for the requested type explicitly.
Hi, I am András,
I am a seasoned software engineer from Budapest, Hungary with a strong focus on mobile app development using .NET MAUI and Xamarin.Forms. My expertise also extends to website building for my happy customers and other complex system designing. I am passionate about developing well-organized, maintainable software solutions.