Is it possible to set Json.Net to ignore $type?

前端 未结 2 998
野的像风
野的像风 2021-01-18 03:31

Watching this video on json deserialization attacks and it shows this bit of json that can be used to trigger arbitrary code execution on any application that deserializes i

2条回答
  •  隐瞒了意图╮
    2021-01-18 03:42

    "$type" information is only written when TypeNameHandling is modified to something other than TypeNameHandling.None -- which is the default. If you never change the value, "$type" information is never emitted.

    Similarly "$type" properties are ignored on deserialization when TypeNameHandling = TypeNameHandling.None (which is, again, the default), as is stated in the docs:

    // for security TypeNameHandling is required when deserializing
    Stockholder newStockholder =
      JsonConvert.DeserializeObject(jsonTypeNameAuto, new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto
    });
    

    If nothing in your code (or in class libraries used by your code) ever modifies TypeNameHandling to something other than TypeNameHandling.None (either via settings or attributes such as JsonPropertyAttribute.TypeNameHandling) then that code execution attack cannot work. (For more precise details on usages of Json.NET's serializer that are and are not vulnerable to this attack, see Alvaro Muñoz & Oleksandr Mirosh's blackhat paper.

    Also note that, if you are parsing with JToken.Parse() (or some similar static method like JObject.Parse()) rather than deserializing with JsonSerializer.Deserialize() then the presence of "$type" properties will simply result in such properties getting populated into the JToken hierarchy, since JToken.Parse() never invokes the serializer. If you nevertheless want to strip those"$type" properties after parsing, you can use JsonExtensions.RemoveTypeMetadata(this JToken root) from Deserialize string that was serialized with TypeNameHandling.All to do just that.

    That being said, if a collection was serialized by another application using TypeNameHandling.Arrays or TypeNameHandling.All then there will be an extra level of nesting in the JSON. To strip it when deserializing, see IgnoreCollectionTypeConverter from Strategies for migrating serialized Json.NET document between versions/formats or IgnoreArrayTypeConverter from Make Json.NET ignore $type if it's incompatible.

    Finally, if you are working with a 3rd party library that sets TypeNameHandling in attributes, you can disable that with a custom contract resolver as shown in How to disable TypeNameHandling when specified in attributes by using JsonSerializerSettings in Json.NET?.

    And if you're really concerned that somebody else in your team might enable TypeNameHandling, you could create a custom ISerializationBinder that throws an exception whenever an attempt is made to resolve a type or type name:

    public class DisallowSerializationBindingBinder : ISerializationBinder
    {
     #region ISerializationBinder Members
    
     public void BindToName(Type serializedType, out string assemblyName, out string typeName)
     {
      throw new JsonSerializationException("Binding of subtypes has been disabled");
     }
    
     public Type BindToType(string assemblyName, string typeName)
     {
      throw new JsonSerializationException("Binding of subtypes has been disabled");
     }
    
      #endregion
    }
    

    Then set it in JsonSerializerSettings as follows:

    var settings = new JsonSerializerSettings
    {
        SerializationBinder = new DisallowSerializationBindingBinder(),
    };
    

    And modify the settings globally as shown in Set default global json serializer settings (for a console app), How to set custom JsonSerializerSettings for Json.NET in MVC 4 Web API? (for ASP.NET Web API) or JsonSerializerSettings and Asp.Net Core (for asp.net core).

提交回复
热议问题