back port fix for CVE-2022-23535

Author: Clement Fauchere

LiteDB/LiteDB.csproj

@@ -1,10 +1,10 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup Condition=" '$(OS)' != 'Windows_NT' ">
-    <TargetFrameworks>netstandard1.3;netstandard2.0</TargetFrameworks>
+    <TargetFrameworks>netstandard2.0</TargetFrameworks>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(OS)' == 'Windows_NT' ">
-    <TargetFrameworks>net35;net40;netstandard1.3;netstandard2.0</TargetFrameworks>
+    <TargetFrameworks>net35;net40;netstandard2.0</TargetFrameworks>
   </PropertyGroup>
 
   <PropertyGroup>

LiteDB/Mapper/BsonMapper.Deserialize.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Linq;
 using System.Collections;
 using System.Collections.Generic;
@@ -156,9 +156,25 @@ internal object Deserialize(Type type, BsonValue value)
                 // test if value is object and has _type
                 if (doc.RawValue.TryGetValue("_type", out typeField))
                 {
-                    type = Type.GetType(typeField.AsString);
+                    var actualType = Type.GetType(typeField.AsString);
 
-                    if (type == null) throw LiteException.InvalidTypedName(typeField.AsString);
+                    if (actualType == null) throw LiteException.InvalidTypedName(typeField.AsString);
+
+                    // avoid initialize class that are not assignable 
+                    if (!type.IsAssignableFrom(actualType))
+                    {
+                        throw LiteException.DataTypeNotAssignable(type.FullName, actualType.FullName);
+                    }
+
+                    // avoid use of "System.Diagnostics.Process" in object type definition
+                    // using String test to work in .netstandard 1.3
+                    if (actualType.FullName.Equals("System.Diagnostics.Process", StringComparison.OrdinalIgnoreCase) &&
+                        actualType.Assembly.GetName().Name.Equals("System", StringComparison.OrdinalIgnoreCase))
+                    {
+                        throw LiteException.AvoidUseOfProcess();
+                    }
+
+                    type = actualType;
                 }
                 // when complex type has no definition (== typeof(object)) use Dictionary<string, object> to better set values
                 else if (type == typeof(object))

LiteDB/Utils/LiteException.cs

@@ -38,6 +38,8 @@ public class LiteException : Exception
         public const int INVALID_TYPED_NAME = 207;
         public const int NEED_RECOVER = 208;
         public const int PROPERTY_READ_WRITE = 209;
+        public const int DATA_TYPE_NOT_ASSIGNABLE = 214;
+        public const int AVOID_USE_OF_PROCESS = 215;
 
         #endregion
 
@@ -207,6 +209,18 @@ internal static LiteException SyntaxError(StringScanner s, string message = "Une
             };
         }
 
+        internal static LiteException DataTypeNotAssignable(string type1, string type2)
+        {
+            {
+                return new LiteException(DATA_TYPE_NOT_ASSIGNABLE, $"Data type {type1} is not assignable from data type {type2}"); return new LiteException(DATA_TYPE_NOT_ASSIGNABLE, $"Data type {type1} is not assignable from data type {type2}");
+            }
+        }
+
+        internal static LiteException AvoidUseOfProcess()
+        {
+            return new LiteException(AVOID_USE_OF_PROCESS, $"LiteDB do not accept System.Diagnostics.Process class in deserialize mapper");
+        }
+
         #endregion
     }
 }