Disable deserializing [Serializable] types in System.CodeDom.Compiler

mythz · mythz · commit eb58322d90e6 · 2017-05-23T15:07:41.000-04:00
diff --git a/src/ServiceStack.Text/Common/JsWriter.cs b/src/ServiceStack.Text/Common/JsWriter.cs
@@ -161,6 +161,16 @@ public static void AssertAllowedRuntimeType(Type type)
             if (JsConfig.AllowRuntimeType?.Invoke(type) == true)
                 return;
 
+            var denyTypesInNamespaces = JsConfig.DenyRuntimeTypeInNamespaces;
+            if (denyTypesInNamespaces?.Count > 0)
+            {
+                foreach (var ns in denyTypesInNamespaces)
+                {
+                    if (type.Namespace == ns)
+                        throw new NotSupportedException($"{type.Name} is not an allowed Runtime Type. Denied in JsConfig.DenyRuntimeTypeInNamespaces");
+                }
+            }
+
             var allowAttributesNamed = JsConfig.AllowRuntimeTypeWithAttributesNamed;
             if (allowAttributesNamed?.Count > 0)
             {
diff --git a/src/ServiceStack.Text/JsConfig.cs b/src/ServiceStack.Text/JsConfig.cs
@@ -921,6 +921,8 @@ public static string[] IgnoreAttributesNamed
 
         public static HashSet<string> AllowRuntimeTypeWithInterfacesNamed { get; set; }
 
+        public static HashSet<string> DenyRuntimeTypeInNamespaces { get; set; }
+
         public static HashSet<string> AllowRuntimeTypeInTypesWithNamespaces { get; set; }
 
         public static Func<Type, bool> AllowRuntimeType { get; set; }
@@ -999,6 +1001,10 @@ public static void Reset()
             {
                 "ServiceStack.Messaging",
             };
+            DenyRuntimeTypeInNamespaces = new HashSet<string>
+            {
+                "System.CodeDom.Compiler",
+            };
             PlatformExtensions.ClearRuntimeAttributes();
             ReflectionExtensions.Reset();
             JsState.Reset();
diff --git a/tests/ServiceStack.Text.Tests/RuntimeSerializtionTests.cs b/tests/ServiceStack.Text.Tests/RuntimeSerializtionTests.cs
@@ -205,5 +205,32 @@ public void Does_allow_Unknown_Type_in_MQ_Messages()
             var fromJson = json.FromJson<Message>();
             Assert.That(fromJson.Body.GetType(), Is.EqualTo(typeof(AType)));
         }
+
+        [Test]
+        public void Does_not_allow_Types_in_DenyRuntimeTypeInTypesWithNamespaces()
+        {
+            //Uses JsConfig.DenyRuntimeTypeInNamespaces
+
+            var types = new Type[]
+            {
+#if NET45
+                typeof(System.CodeDom.Compiler.TempFileCollection)
+#endif
+            };
+
+            foreach (var type in types)
+            {
+                var json = CreateJson(type);
+                try
+                {
+                    var instance = json.FromJson<RuntimeObject>();
+                    Assert.Fail("Should throw " + type.Name);
+                }
+                catch (NotSupportedException ex)
+                {
+                    ex.Message.Print();
+                }
+            }
+        }
     }
 }
