Add whitelist to ensure late-bound object types are only used to instantiate data types

Author: mythz

src/ServiceStack.Text/Common/DeserializeType.cs

@@ -92,6 +92,8 @@ public static Type ExtractType(string strType)
 
                 var type = JsConfig.TypeFinder(typeName);
 
+                JsWriter.AssertAllowedRuntimeType(type);
+
                 if (type == null)
                 {
                     Tracer.Instance.WriteWarning("Could not find type: " + typeName);
@@ -285,11 +287,38 @@ public static TypeAccessor Create(ITypeSerializer serializer, TypeConfig typeCon
             return new TypeAccessor
             {
                 PropertyType = propertyInfo.PropertyType,
-                GetProperty = serializer.GetParseFn(propertyInfo.PropertyType),
+                GetProperty = GetPropertyMethod(serializer, propertyInfo),
                 SetProperty = GetSetPropertyMethod(typeConfig, propertyInfo),
             };
         }
 
+        internal static ParseStringDelegate GetPropertyMethod(ITypeSerializer serializer, PropertyInfo propertyInfo)
+        {
+            var getPropertyFn = serializer.GetParseFn(propertyInfo.PropertyType);
+            if (propertyInfo.PropertyType == typeof(object) || 
+                propertyInfo.PropertyType.HasInterface(typeof(IEnumerable<object>)))
+            {
+                var declaringTypeNamespace = propertyInfo.DeclaringType?.Namespace;
+                if (declaringTypeNamespace == null || !JsConfig.AllowRuntimeTypeInTypesWithNamespaces.Contains(declaringTypeNamespace))
+                {
+                    return value =>
+                    {
+                        var hold = JsState.IsRuntimeType;
+                        try
+                        {
+                            JsState.IsRuntimeType = true;
+                            return getPropertyFn(value);
+                        }
+                        finally
+                        {
+                            JsState.IsRuntimeType = hold;
+                        }
+                    };
+                }
+            }
+            return getPropertyFn;
+        }
+
         private static SetPropertyDelegate GetSetPropertyMethod(TypeConfig typeConfig, PropertyInfo propertyInfo)
         {
             if (typeConfig.Type != propertyInfo.DeclaringType)

src/ServiceStack.Text/Common/DeserializeTypeRefJson.cs

@@ -101,6 +101,7 @@ internal static object StringToType(
                     }
                     else
                     {
+                        JsWriter.AssertAllowedRuntimeType(explicitType);
                         instance = explicitType.CreateInstance();
                     }
 
@@ -179,6 +180,7 @@ internal static object StringToType(
                             propertyValue = typeConfig.OnDeserializing(instance, propertyName, propertyValue);
                         typeAccessor.SetProperty(instance, propertyValue);
                     }
+                    catch (NotSupportedException) { throw; }
                     catch (Exception e)
                     {
                         if (JsConfig.OnDeserializationError != null) JsConfig.OnDeserializationError(instance, propType ?? typeAccessor.PropertyType, propertyName, propertyValueStr, e);

src/ServiceStack.Text/Common/DeserializeTypeRefJsv.cs

@@ -59,6 +59,7 @@ internal static object StringToType(
                     }
                     else
                     {
+                        JsWriter.AssertAllowedRuntimeType(explicitType);
                         instance = explicitType.CreateInstance();
                     }
 
@@ -130,6 +131,7 @@ internal static object StringToType(
                             propertyValue = typeConfig.OnDeserializing(instance, propertyName, propertyValue);
                         typeAccessor.SetProperty(instance, propertyValue);
                     }
+                    catch (NotSupportedException) { throw; }
                     catch (Exception e)
                     {
                         if (JsConfig.OnDeserializationError != null) JsConfig.OnDeserializationError(instance, propType ?? typeAccessor.PropertyType, propertyName, propertyValueStr, e);

src/ServiceStack.Text/Common/JsState.cs

@@ -15,6 +15,9 @@ internal static class JsState
         [ThreadStatic]
         internal static bool IsWritingDynamic = false;
 
+        [ThreadStatic]
+        internal static bool IsRuntimeType = false;
+
         [ThreadStatic]
         internal static bool QueryStringMode = false;
 

src/ServiceStack.Text/Common/JsWriter.cs

@@ -152,6 +152,41 @@ public static void WriteEnumFlags(TextWriter writer, object enumFlagValue)
                     break;
             }
         }
+
+        public static void AssertAllowedRuntimeType(Type type)
+        {
+            if (!JsState.IsRuntimeType)
+                return;
+
+            if (JsConfig.AllowRuntimeType?.Invoke(type) == true)
+                return;
+
+            var allowAttributesNamed = JsConfig.AllowRuntimeTypeWithAttributesNamed;
+            if (allowAttributesNamed?.Count > 0)
+            {
+                var OAttrs = type.AllAttributes();
+                foreach (var oAttr in OAttrs)
+                {
+                    var attr = oAttr as Attribute;
+                    if (attr == null) continue;
+                    if (allowAttributesNamed.Contains(attr.GetType().Name))
+                        return;
+                }
+            }
+
+            var allowInterfacesNamed = JsConfig.AllowRuntimeTypeWithInterfacesNamed;
+            if (allowInterfacesNamed?.Count > 0)
+            {
+                var interfaces = type.GetTypeInterfaces();
+                foreach (var interfaceType in interfaces)
+                {
+                    if (allowInterfacesNamed.Contains(interfaceType.Name))
+                        return;
+                }
+            }
+
+            throw new NotSupportedException($"{type.Name} is not an allowed Runtime Type. Whitelist Type with [RuntimeSerializable] or IRuntimeSerializable.");
+        }
     }
 
     public class JsWriter<TSerializer>

src/ServiceStack.Text/JsConfig.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Runtime.CompilerServices;
+using System.Runtime.Serialization;
 using System.Threading;
 using ServiceStack.Text.Common;
 using ServiceStack.Text.Json;
@@ -916,6 +917,14 @@ public static string[] IgnoreAttributesNamed
             get { return ReflectionExtensions.IgnoreAttributesNamed; }
         }
 
+        public static HashSet<string> AllowRuntimeTypeWithAttributesNamed { get; set; }
+
+        public static HashSet<string> AllowRuntimeTypeWithInterfacesNamed { get; set; }
+
+        public static HashSet<string> AllowRuntimeTypeInTypesWithNamespaces { get; set; }
+
+        public static Func<Type, bool> AllowRuntimeType { get; set; }
+
         public static void Reset()
         {
             foreach (var rawSerializeType in HasSerializeFn.ToArray())
@@ -970,6 +979,26 @@ public static void Reset()
             sMaxDepth = 50;
             sParsePrimitiveIntegerTypes = null;
             sParsePrimitiveFloatingPointTypes = null;
+            AllowRuntimeType = null;
+            AllowRuntimeTypeWithAttributesNamed = new HashSet<string>
+            {
+                nameof(DataContractAttribute),
+                nameof(RuntimeSerializableAttribute),
+                "SerializableAttribute",
+            };
+            AllowRuntimeTypeWithInterfacesNamed = new HashSet<string>
+            {
+                "IConvertible",
+                "ISerializable",
+                "IRuntimeSerializable",
+                "IMeta",
+                "IReturn`1",
+                "IReturnVoid",
+            };
+            AllowRuntimeTypeInTypesWithNamespaces = new HashSet<string>
+            {
+                "ServiceStack.Messaging",
+            };
             PlatformExtensions.ClearRuntimeAttributes();
             ReflectionExtensions.Reset();
             JsState.Reset();

src/ServiceStack.Text/RuntimeSerializableAttribute.cs

@@ -0,0 +1,15 @@
+using System;
+
+namespace ServiceStack.Text
+{
+    /// <summary>
+    /// Allow Type to be deserialized into late-bould object Types using __type info
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Class)]
+    public class RuntimeSerializableAttribute : Attribute {}
+
+    /// <summary>
+    /// Allow Type to be deserialized into late-bould object Types using __type info
+    /// </summary>
+    public interface IRuntimeSerializable { }
+}

tests/ServiceStack.Text.Tests/DynamicModels/DataModel/CustomCollectionDto.cs

@@ -4,6 +4,7 @@
 
 namespace ServiceStack.Text.Tests.DynamicModels.DataModel
 {
+    [RuntimeSerializable]
     public class CustomCollectionDto
     {
         public Exception Exception { get; set; }

tests/ServiceStack.Text.Tests/DynamicModels/DynamicMessageTests.cs

@@ -41,6 +41,7 @@ public class StrictMessage : IMessageHeaders
         public MessageBody Body { get; set; }
     }
 
+    [RuntimeSerializable]
     public class MessageBody
     {
         public MessageBody()