TypeNameHandling caution in Newtonsoft Json

by

When deserialize with TypeNameHandling.All and without a SerializationBinder checks json.net will try to create a instace of the type that comes as metadata in the JSON.

public class Car
{
    public string Maker { get; set; }
    public string Model { get; set; }
}

{
   "$type": "Car",
   "Maker": "Ford",
   "Model": "Explorer"
} //create a Car and set property values

But an attacker could send you dangerous types that exist in your code or in the framework.

i.e. from here System.CodeDom.Compiler.TempFileCollection is a serializable class whose purpose is to maintain a list of temporary files which resulted from a compilation process and delete them when they are no longer needed. To ensure that the files are deleted the class implements a finalizer that will be called when the object is being cleaned up by the Garbage Collector. An attacker would be able to construct a serialized version of this class which pointed its internal file collection to any file on a victims system. This will be deleted at some point after deserialization without any interaction from the deserializing application.

    [Serializable]
    public class TempFileCollection
    {
       private Hashtable files;
       // Other stuff...

       ~TempFileCollection()
       {
         if (KeepFiles) {return}
         foreach (string file in files.Keys)
         {
            File.Delete(file);
         }
       }
    }

   {
       "$type": "System.CodeDom.Compiler.TempFileCollection",
       "BasePath": "%SYSTEMDRIVE",
       "KeepFiles": "False",
       "TempDir": "%SYSTEMROOT%"
    } // or something like this, I just guessing but you got the idea

More Related Contents:

  1. Deserializing polymorphic json classes without type information using json.net
  2. How can I change property names when serializing with Json.net?
  3. Parsing JSON using Json.net
  4. How to deserialize an array of values with a fixed schema to a strongly typed data class?
  5. JSON.Net throws StackOverflowException when using [JsonConvert()]
  6. How do I get json.net to serialize members of a class deriving from List?
  7. “Self Referencing Loop Detected” exception with JSON.Net
  8. Newtonsoft.JSON cannot convert model with TypeConverter attribute
  9. Deserialize json array stream one item at a time
  10. How to deserialize a JSON property that can be two different data types using Json.NET
  11. How to deserialize JSON with duplicate property names in the same object
  12. Converting newtonsoft code to System.Text.Json in .net core 3. what’s equivalent of JObject.Parse and JsonProperty
  13. Json.net serialize specific private field
  14. Serialize Property, but Do Not Deserialize Property in Json.Net
  15. Using JSON.NET to return ActionResult [duplicate]
  16. Self referencing loop detected – Getting back data from WebApi to the browser
  17. How to make JSON.Net serializer to call ToString() when serializing a particular type?
  18. How to force Newtonsoft Json to serialize all properties? (Strange behavior with “Specified” property)
  19. Json.NET custom serialization with JsonConverter – how to get the “default” behavior
  20. Cannot deserialize JSON array into type – Json.NET
  21. How to apply indenting serialization only to some properties?
  22. Using JSON.net, how do I prevent serializing properties of a derived class, when used in a base class context?
  23. Ignoring null fields in Json.net
  24. How to apply ObjectCreationHandling.Replace to selected properties when deserializing JSON?
  25. Convert DataTable to JSON with key per row
  26. Deserialize specific enum into system.enum in Json.Net
  27. Json.Net adding $id to EF objects despite setting PreserveReferencesHandling to “None”
  28. How to deserialize object derived from Exception class using Json.net?
  29. Configure Json.NET serialization settings on a class level
  30. JSON.NET Serializes Empty JSON

Leave a Comment