Conversation

@GrabYourPitchforks (Member) commented Nov 12, 2024

Summary

Reworded a portion of the BinaryFormatter security guide after consultation with the security LT.

  • Removed the word "vulnerability" from a key paragraph. We document that BF is only intended to be used with trusted input, so we would not consider any undesired behavior caused by passing untrusted input to it to be a vulnerability.
  • Clarified that the .NET team is not committed to making code changes in response to binder bypasses or other exploits. The previous wording was somewhat ambiguous and could have been incorrectly interpreted as meaning that .NET will still try to make code changes except when it is impractical to do so.

Internal previews

File: docs/standard/serialization/binaryformatter-security-guide.md
Preview: Deserialization risks in use of BinaryFormatter and related types

@gewarren (Contributor) left a comment

I left some style suggestions.

Co-authored-by: Genevieve Warren <[email protected]>
@GrabYourPitchforks GrabYourPitchforks merged commit ef0876b into main Nov 13, 2024
8 checks passed
@GrabYourPitchforks GrabYourPitchforks deleted the levib/bf-security-guide branch November 13, 2024 01:19
@GrabYourPitchforks (Member, Author) commented

Thanks for the feedback! :)
