Refine type binding for deserialization (#12950)

This change refines deserialization binding behavior for the BinaryFormatUtilites class.

- Untyped requests must be requesting the object type (as the outer APIs all do)
- Removes delegate in TypeBinder
- TypeBinder returns typeof(object) for untyped requests
- TypeBinder does not fall back to implicit INrbfSerializer binding when missing a resolver
- Move JsonSerializer serialization to static interface
- Reorder TryGetObjectFromJson to fail out appropriately when binding the root type
- Reset the stream position in TryReadObjectFromStream
- Create the binder up front in TryReadObjectFromStream to normalize usage
- Don't allow implicit nullable conversion without an explicit binder
- Write a number of new tests

Plan is to continue to write tests with further test cleanup

Author: JeremyKuhne

src/System.Private.Windows.Core/src/System/Private/Windows/JsonData.cs

@@ -151,4 +151,7 @@ internal interface IJsonData
     /// </summary>
     [RequiresUnreferencedCode("Calls System.Text.Json.JsonSerializer.Deserialize<TValue>(ReadOnlySpan<Byte>, JsonSerializerOptions)")]
     object Deserialize();
+
+    [RequiresUnreferencedCode("Calls System.Text.Json.JsonSerializer.SerializeToUtf8Bytes<TValue>(TValue, JsonSerializerOptions)")]
+    internal static IJsonData Create<T>(T data) => new JsonData<T>() { JsonBytes = JsonSerializer.SerializeToUtf8Bytes(data) };
 }

src/System.Private.Windows.Core/src/System/Private/Windows/Nrbf/INrbfSerializer.cs

@@ -31,7 +31,7 @@ internal interface INrbfSerializer
     ///  <para>
     ///   This should only return <see langword="true"/> for types that are expected to be safe to deserialize. It is
     ///   used to indicate that we should consider the type "corrupted" and should not make a second attempt through
-    ///   the <see cref="BinaryFormatter"/>. It is also used as the "blessed" list of types that we'll auto-bind when
+    ///   the <see cref="BinaryFormatter"/>. It is also used as the allowed list of types that we'll auto-bind when
     ///   user type resolvers return <see langword="null"/>.
     ///  </para>
     ///  <para>

src/System.Private.Windows.Core/src/System/Private/Windows/Nrbf/SerializationRecordExtensions.cs

@@ -582,6 +582,11 @@ private static bool IsPrimitiveArrayRecord(SerializationRecord serializationReco
     ///  If the data was supposed to be our <see cref="JsonData{T}"/>, but was serialized incorrectly.
     /// </exception>
     /// <exception cref="NotSupportedException">If an exception occurred while JSON deserializing.</exception>
+    /// <devdoc>
+    ///  We don't try to resolve all types in the graph of a type when deserializing JSON as the default options
+    ///  should not present the same risks as BinaryFormatter deserialization. JSON binding is just for the root
+    ///  type.
+    /// </devdoc>
     internal static (bool isJsonData, bool isValidType) TryGetObjectFromJson<T>(
         this SerializationRecord record,
         ITypeResolver resolver,
@@ -604,39 +609,38 @@ internal static (bool isJsonData, bool isValidType) TryGetObjectFromJson<T>(
             throw new SerializationException(SR.ClipboardOrDragDrop_JsonDeserializationFailed);
         }
 
-        if (typeof(T) == typeof(object))
+        Type? boundType = resolver.BindToType(typeName);
+        if (!boundType.IsAssignableTo(typeof(T)))
+        {
+            // Not the type the caller asked for.
+            return (isJsonData: true, isValidType: false);
+        }
+
+        if (boundType == typeof(object))
         {
             // Special case for deserializing to object. JsonSerializer.Deserializer<object> gives back a JsonElement.
             // We want to do this for the untyped APIs as downlevel apps would be able to read the object via
             // GetData (via the IObjectReference behavior in BinaryFormatter). Preventing it here would be difficult
             // to explain. Doing this also facilitates moving to the typed APIs for existing data that is JSON
             // serializable. You can simply switch to SerializeAsJson and know existing consumers will not be broken.
 
-            Type? getType = Type.GetType(
+            boundType = Type.GetType(
                 assemblyQualifiedTypeName,
                 throwOnError: false);
 
-            // Full name didn't work, try the full
-            getType ??= Type.GetType(
+            // Fall back to just the full name.
+            boundType ??= Type.GetType(
                 typeName.FullName,
-                throwOnError: false);
-
-            if (getType is not null)
-            {
-                Utf8JsonReader reader = new(byteData.GetArray());
-                @object = (T?)JsonSerializer.Deserialize(ref reader, getType);
-                return (isJsonData: true, isValidType: @object is not null);
-            }
+                throwOnError: true);
         }
 
-        if (!resolver.TryBindToType(typeName, out Type? resolvedType) || !resolvedType.IsAssignableTo(typeof(T)))
+        // Let the original exception bubble up if deserialization fails.
+        if (boundType is not null)
         {
-            // Not the type the caller asked for.
-            return (isJsonData: true, isValidType: false);
+            Utf8JsonReader reader = new(byteData.GetArray());
+            @object = (T?)JsonSerializer.Deserialize(ref reader, boundType);
         }
 
-        // Let the original exception bubble up if deserialization fails.
-        @object = JsonSerializer.Deserialize<T>(byteData.GetArray());
-        return (isJsonData: true, isValidType: true);
+        return (isJsonData: true, isValidType: @object is not null);
     }
 }

src/System.Private.Windows.Core/src/System/Private/Windows/Ole/BinaryFormatUtilities.cs

@@ -76,6 +76,8 @@ internal static bool TryReadObjectFromStream<T>(
         ref readonly DataRequest request,
         [NotNullWhen(true)] out T? @object)
     {
+        Debug.Assert(request.TypedRequest || typeof(T) == typeof(object), "Untyped requests should always be asking for object");
+
         @object = default;
         object? value;
 
@@ -104,30 +106,38 @@ record = stream.DecodeNrbf();
         {
             // Allow falling through for unsupported Nrbf data (such as non-zero based arrays).
         }
+        finally
+        {
+            stream.Position = startPosition;
+        }
 
-        TypeBinder<TNrbfSerializer>? binder = null;
+        TypeBinder<TNrbfSerializer> binder = new(typeof(T), in request);
 
         if (record is not null)
         {
             // Try our implicit deserialization.
-            if (TNrbfSerializer.TryBindToType(record.TypeName, out Type? type)
-                && type.IsAssignableTo(typeof(T)))
+            if (TNrbfSerializer.TryBindToType(record.TypeName, out Type? type))
             {
+                if (request.TypedRequest
+                    // If we can't match the root exactly, then we fall back to the binder.
+                    && !(type == typeof(T) || binder.BindToType(record.TypeName).IsAssignableTo(typeof(T))))
+                {
+                    return false;
+                }
+
                 if (TNrbfSerializer.TryGetObject(record, out value))
                 {
                     @object = (T)value;
                     return true;
                 }
-                else if (TNrbfSerializer.IsFullySupportedType(typeof(T)))
+                else if (TNrbfSerializer.IsFullySupportedType(type))
                 {
                     // The serializer fully supports this type, but can't deserialize it.
                     // Don't let it fall through to the BinaryFormatter.
                     return false;
                 }
             }
 
-            binder = new(typeof(T), in request);
-
             if (type is null)
             {
                 // Serializer didn't recognize the type, look for and deserialize a JSON object.
@@ -139,11 +149,9 @@ record = stream.DecodeNrbf();
             }
 
             // JSON type info is nested, so this has to come after the JSON attempt.
-            if (request.TypedRequest)
+            if (request.TypedRequest && !typeof(T).Matches(record.TypeName, TypeNameComparison.AllButAssemblyVersion))
             {
-                if (!(typeof(T).Matches(record.TypeName, TypeNameComparison.AllButAssemblyVersion)
-                    || (binder.TryBindToType(record.TypeName, out Type? resolvedType)
-                        && resolvedType.IsAssignableTo(typeof(T)))))
+                if (!binder.BindToType(record.TypeName).IsAssignableTo(typeof(T)))
                 {
                     // Typed request where the root type is not what was requested.
                     // Untyped requests are allowed to deserialize any type.
@@ -181,9 +189,8 @@ record = stream.DecodeNrbf();
 
         // If we want to attempt our own general NRBF deserialization, we would do it here.
         // If we do, we should never fall back to the BinaryFormatter if the binder fails
-        // to bind the type.
+        // to bind a type.
 
-        stream.Position = startPosition;
         binder ??= new(typeof(T), in request);
 
 #pragma warning disable SYSLIB0011, SYSLIB0050 // Type or member is obsolete
@@ -203,6 +210,10 @@ record = stream.DecodeNrbf();
             // Rethrow the inner exception to allow the exception to flow up through TryGetHGLOBALData.
             throw nse;
         }
+        finally
+        {
+            stream.Position = startPosition;
+        }
 #pragma warning restore CA2300
 #pragma warning restore CA2302
 #pragma warning restore SYSLIB0050, SYSLIB0011

src/System.Private.Windows.Core/src/System/Private/Windows/Ole/DataObjectCore.cs

@@ -1,8 +1,6 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System.Text.Json;
-
 namespace System.Private.Windows.Ole;
 
 internal static unsafe class DataObjectCore<TDataObject>
@@ -31,6 +29,6 @@ internal static IJsonData TryJsonSerialize<T>(string format, T data)
             throw new ArgumentException(SR.ClipboardOrDragDrop_CannotJsonSerializeDataObject, nameof(data));
         }
 
-        return new JsonData<T>() { JsonBytes = JsonSerializer.SerializeToUtf8Bytes(data) };
+        return IJsonData.Create(data);
     }
 }

src/System.Private.Windows.Core/src/System/Private/Windows/Ole/TypeBinder.cs

@@ -32,9 +32,8 @@ internal sealed class TypeBinder<TNrbfSerializer> : SerializationBinder, ITypeRe
     where TNrbfSerializer : INrbfSerializer
 {
     private readonly Type _rootType;
-    private Func<TypeName, Type?>? _resolver;
+    private readonly Func<TypeName, Type?>? _resolver;
     private readonly bool _isTypedRequest;
-    private readonly bool _hasCustomResolver;
 
     private Dictionary<FullyQualifiedTypeName, TypeName>? _cachedTypeNames;
 
@@ -45,31 +44,14 @@ internal sealed class TypeBinder<TNrbfSerializer> : SerializationBinder, ITypeRe
     /// <param name="rootType"><see cref="Type"/> that the user expects to read from the binary formatted stream.</param>
     public TypeBinder(Type rootType, ref readonly DataRequest request)
     {
-        Debug.Assert(
-            request.TypedRequest || (!request.TypedRequest && request.Resolver is null),
-            "Untyped methods should not provide a resolver.");
+        Debug.Assert(request.TypedRequest || request.Resolver is null, "Untyped methods should not provide a resolver.");
+        Debug.Assert(request.TypedRequest || rootType == typeof(object), "Untyped requests should always be asking for object");
 
         _isTypedRequest = request.TypedRequest;
-        _hasCustomResolver = request.Resolver is not null;
         _rootType = rootType;
         _resolver = request.Resolver;
     }
 
-    private Func<TypeName, Type?> Resolver
-    {
-        get
-        {
-            // Lazily create a default resolver when needed to potentially avoid the cost of parsing the TypeName.
-            return _resolver ??= CreateDefaultResolver(_rootType);
-
-            static Func<TypeName, Type?> CreateDefaultResolver(Type type)
-            {
-                TypeName knownType = type.ToTypeName();
-                return typeName => knownType.Matches(typeName, TypeNameComparison.AllButAssemblyVersion) ? type : null;
-            }
-        }
-    }
-
     public override Type? BindToType(string assemblyName, string typeName)
     {
         ArgumentException.ThrowIfNullOrWhiteSpace(assemblyName);
@@ -86,7 +68,7 @@ public TypeBinder(Type rootType, ref readonly DataRequest request)
         }
 
         // Should never fall through to the BinaryFormatter from a typed API without an explicit resolver.
-        if (!_hasCustomResolver)
+        if (_resolver is null)
         {
             throw new InvalidOperationException();
         }
@@ -106,23 +88,48 @@ public TypeBinder(Type rootType, ref readonly DataRequest request)
     public Type BindToType(TypeName typeName) => TryBindToType(typeName, out Type? type)
         ? type
         : throw new NotSupportedException(string.Format(
-            _hasCustomResolver ? SR.ClipboardOrDragDrop_TypedAPI_InvalidResolver : SR.ClipboardOrDragDrop_UseTypedAPI,
+            _resolver is null ? SR.ClipboardOrDragDrop_UseTypedAPI : SR.ClipboardOrDragDrop_TypedAPI_InvalidResolver,
             typeName.AssemblyQualifiedName));
 
     public bool TryBindToType(TypeName typeName, [NotNullWhen(true)] out Type? type)
     {
         ArgumentNullException.ThrowIfNull(typeName);
 
+        if (!_isTypedRequest)
+        {
+            type = typeof(object);
+            return true;
+        }
+
+        if (_resolver is null)
+        {
+            if (_rootType.Matches(typeName, TypeNameComparison.AllButAssemblyVersion))
+            {
+                type = _rootType;
+                return true;
+            }
+
+            // If we fall back here to the TNrbfSerializer all types would match for the root. This has the side
+            // effect of asking for `int?` and matching `int` data. We need to do `IsAssignableTo` for resolved
+            // types so we can allow resolvers to bind to derived classes- `int` is assignable to `int?`.
+            //
+            // Asking for `List<int?>` will not match `List<int>` data, even though the CoreNrbfSerializer supports
+            // `List<int>`. `List<int>` is not assignable to `List<int?>`.
+            type = null;
+            return false;
+        }
+
         try
         {
-            type = Resolver(typeName);
+            type = _resolver(typeName);
         }
         catch (Exception ex) when (!ex.IsCriticalException())
         {
             type = null;
             return false;
         }
 
+        // Explicit resolver returned null, fall back to implicit support.
         if (type is null
             && _rootType != typeof(object)
             && !_rootType.IsInterface

src/System.Private.Windows.Core/tests/System.Private.Windows.Core.Tests/System/Private/Windows/Ole/BinaryFormatUtilitesTestsBase.cs

@@ -2,12 +2,35 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Diagnostics.CodeAnalysis;
+using System.Private.Windows.BinaryFormat;
 using System.Reflection.Metadata;
 
 namespace System.Private.Windows.Ole.Tests;
 
 public abstract class BinaryFormatUtilitesTestsBase : IDisposable
 {
+    public enum DataType
+    {
+        Json,
+        BinaryFormat
+    }
+
+    public MemoryStream CreateStream<T>(DataType dataType, T data) where T : notnull
+    {
+        MemoryStream stream = new();
+        if (dataType == DataType.Json)
+        {
+            BinaryFormatWriter.TryWriteJsonData(stream, IJsonData.Create(data));
+        }
+        else
+        {
+            WriteObjectToStream(stream, data, "test");
+        }
+
+        stream.Position = 0;
+        return stream;
+    }
+
     protected MemoryStream Stream { get; }
 
     public BinaryFormatUtilitesTestsBase() => Stream = new();
@@ -32,7 +55,7 @@ protected bool TryReadObjectFromStream<T>(out T? @object)
         return TryReadObjectFromStream(Stream, untypedRequest: true, "test", resolver: null, out @object);
     }
 
-    protected bool TryReadRestrictedObjectFromStream<T>(out T? @object)
+    protected bool TryReadPredefinedObjectFromStream<T>(out T? @object)
     {
         Stream.Position = 0;
         return TryReadObjectFromStream(Stream, untypedRequest: true, DataFormatNames.String, resolver: null, out @object);
@@ -56,7 +79,7 @@ protected bool TryReadObjectFromStream<T>(Func<TypeName, Type>? resolver, out T?
         return TryReadObjectFromStream(Stream, untypedRequest: false, "test", resolver, out @object);
     }
 
-    protected bool ReadRestrictedObjectFromStream<T>(Func<TypeName, Type>? resolver, out T? @object)
+    protected bool ReadPredefinedObjectFromStream<T>(Func<TypeName, Type>? resolver, out T? @object)
     {
         return TryReadObjectFromStream(Stream, untypedRequest: false, DataFormatNames.String, resolver, out @object);
     }
@@ -69,11 +92,11 @@ protected bool RoundTripObject<T>(object value, out T? @object)
         return TryReadObjectFromStream(out @object);
     }
 
-    protected bool RoundTripObject_RestrictedFormat<T>(object value, out T? @object)
+    protected bool RoundTripObject_PredefinedFormat<T>(object value, out T? @object)
     {
         // This is equivalent to SetData/GetData methods using registered OLE formats, resolves only the known types
         WriteObjectToStream(value, restrictSerialization: true);
-        return TryReadRestrictedObjectFromStream(out @object);
+        return TryReadPredefinedObjectFromStream(out @object);
     }
 
     protected bool RoundTripOfType<T>(object value, out T? @object)
@@ -84,19 +107,19 @@ protected bool RoundTripOfType<T>(object value, out T? @object)
         return TryReadObjectFromStream(NotSupportedResolver, out @object);
     }
 
-    protected bool RoundTripOfType_RestrictedFormat<T>(object value, out T? @object)
+    protected bool RoundTripOfType_PredefinedFormat<T>(object value, out T? @object)
     {
-        // This is equivalent to SetData/TryGetData<T> methods using OLE formats. Deserialization is restricted
+        // This is equivalent to SetData/TryGetData<T> methods using OLE formats. Deserialization is Predefined
         // to known types.
         WriteObjectToStream(value, restrictSerialization: true);
         Stream.Position = 0;
-        return ReadRestrictedObjectFromStream(NotSupportedResolver, out @object);
+        return ReadPredefinedObjectFromStream(NotSupportedResolver, out @object);
     }
 
     protected bool RoundTripOfType<T>(object value, Func<TypeName, Type>? resolver, out T? @object)
     {
         // This is equivalent to SetData/TryGetData<T> methods using unbounded formats,
-        // serialization is restricted by the resolver and BinaryFormat AppContext switches.
+        // serialization is Predefined by the resolver and BinaryFormat AppContext switches.
         WriteObjectToStream(value);
         return TryReadObjectFromStream(resolver, out @object);
     }