Security question(s) regarding BinaryFormatter #49

Closed
tushev opened this issue Jan 16, 2024 · 6 comments

Comments

@tushev

tushev commented Jan 16, 2024

Hi, first of all let me say thanks for your great project!

I've seen in #42 that you switched away from BinaryFormatter to SystemTextJsonFormatter.

Nevertheless, in my .NET 8 app, I'm still getting errors (as in #42) with this sample code, so I have to specify SystemTextJsonFormatter explicitly to get rid of errors:

// in server app
server = new PipeServer<PipeMessage>(pipeName, formatter: new SystemTextJsonFormatter());
// in client app
client = new PipeClient<PipeMessage>(pipeName, formatter: new SystemTextJsonFormatter());

  1. Is it expected behavior (for now) that BinaryFormatter is still the default formatter, and one should specify SystemTextJsonFormatter explicitly? Or am I doing something wrong?
  2. Can you please confirm that with the code above BinaryFormatter is not used anywhere in the compiled app? (so this does not apply any more...)
  3. Should I use .NET Standard 2.0 for the PipeMessage class (in a common project), or can I use .NET 8 there as well?
@HavenDV
Owner

HavenDV commented Jan 20, 2024

I think the problem is primarily related to the use of netstandard2.0 in the common project. Because of this, the netstandard2.0 version of the library with BinaryFormatter will be used by default.

@tushev
Author

tushev commented Jan 20, 2024

@HavenDV Thank you for your reply!

I switched the common project to <TargetFramework>net8.0-windows</TargetFramework>; I'm still getting this, but only if I'm not using formatter: new SystemTextJsonFormatter() explicitly:

Unhandled exception. MessagePack.MessagePackSerializationException: Failed to serialize System.Object value.
 ---> MessagePack.FormatterNotRegisteredException: MYAPPNAME.Common.PipeMessage is not registered in resolver: MessagePack.Resolvers.StandardResolver
   at MessagePack.FormatterResolverExtensions.Throw(Type t, IFormatterResolver resolver)
   at MessagePack.FormatterResolverExtensions.GetFormatterDynamicWithVerify(IFormatterResolver resolver, Type type)
   at MessagePack.Formatters.DynamicObjectTypeFallbackFormatter.Serialize(MessagePackWriter& writer, Object value, MessagePackSerializerOptions options)
   at MessagePack.MessagePackSerializer.Serialize[T](MessagePackWriter& writer, T value, MessagePackSerializerOptions options)
   --- End of inner exception stack trace ---
   at MessagePack.MessagePackSerializer.Serialize[T](MessagePackWriter& writer, T value, MessagePackSerializerOptions options)
   at MessagePack.MessagePackSerializer.Serialize[T](T value, MessagePackSerializerOptions options, CancellationToken cancellationToken)
   at H.Formatters.MessagePackFormatter.SerializeInternal(Object obj) in /_/src/libs/H.Formatters.MessagePack/MessagePackFormatter.cs:line 12
   at H.Formatters.FormatterBase.Serialize(Object obj) in /_/src/libs/H.Formatters/FormatterBase.cs:line 28
   at H.Pipes.PipeConnection`1.WriteAsync(T value, CancellationToken cancellationToken) in /_/src/libs/H.Pipes/PipeConnection.cs:line 157
   at MYAPPNAME.ElevatedService.NamedPipesServer.OnClientConnectedAsync(ConnectionEventArgs`1 args) in X:\MYAPPNAME\service\NamedPipesServer.cs:line 39
   at MYAPPNAME.ElevatedService.NamedPipesServer.<InitializeAsync>b__3_0(Object o, ConnectionEventArgs`1 args) in X:\MYAPPNAME\service\NamedPipesServer.cs:line 27
   at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_1(Object state)
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
   at System.Threading.PortableThreadPool.WorkerThread.WorkerThreadStart()

With SystemTextJsonFormatter everything works OK.

Just letting you know. It's actually not my biggest concern, since I can force the use of SystemTextJsonFormatter. My primary concern is question #2.

@HavenDV
Owner

HavenDV commented Jan 20, 2024

Perhaps you are using the latest stable version instead of the latest prerelease version?

@tushev
Author

tushev commented Jan 20, 2024

Yes! Missed that part.

With 2.1.0-dev.322

client = new PipeClient<PipeMessage>(pipeName);

works as expected:
[screenshot]

Thanks a lot!!

So, can you please assure me that with the prerelease (or when using formatter: new SystemTextJsonFormatter() directly) this no longer applies?

@HavenDV
Owner

HavenDV commented Jan 20, 2024

So, can you please assure me that with the prerelease (or when using formatter: new SystemTextJsonFormatter() directly) this no longer applies?

Yes, you can double-check this by ensuring that you do not use the H.Formatters.BinaryFormatter library: it should be absent from the transitive dependencies and, after the application is deployed, from the list of files.
BinaryFormatter is not used anywhere else in the library.

@HavenDV HavenDV closed this as completed Jan 20, 2024
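One way to automate the deploy-time check HavenDV describes, as an added example that is not code from the thread or from the H.Pipes project. It assumes the publish folder contains the app's *.deps.json (the runtime dependency manifest `dotnet publish` writes, which also lists transitive packages); the sample folders it builds are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not part of H.Pipes. Verifies that a deployed app carries no
# trace of the H.Formatters.BinaryFormatter package: neither the DLL itself nor
# an entry (direct or transitive) in the app's *.deps.json manifest.
PKG="H.Formatters.BinaryFormatter"

# check_publish_dir <dir>: returns 0 when clean, 1 when the package shows up.
check_publish_dir() {
    dir="$1"
    status=0
    # 1. The assembly itself must not have been deployed.
    if [ -f "$dir/$PKG.dll" ]; then
        echo "FAIL: $PKG.dll present in $dir"
        status=1
    fi
    # 2. No *.deps.json may reference the package, even transitively.
    for deps in "$dir"/*.deps.json; do
        [ -f "$deps" ] || continue
        if grep -q "$PKG" "$deps"; then
            echo "FAIL: $PKG referenced in $deps"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: no $PKG in $dir"
    fi
    return "$status"
}

# make_sample_dir <package>: builds a constructed, minimal publish folder whose
# deps.json names H.Pipes plus the given package (versions are placeholders).
make_sample_dir() {
    d=$(mktemp -d)
    printf '{"libraries":{"H.Pipes/0.0.0":{},"%s/0.0.0":{}}}\n' "$1" > "$d/App.deps.json"
    echo "$d"
}

# Demo on two constructed folders: one clean, one that still pulls in the package.
good=$(make_sample_dir "H.Formatters")
bad=$(make_sample_dir "$PKG")
touch "$bad/$PKG.dll"               # the DLL also ended up in the deploy output
check_publish_dir "$good"           # prints OK
check_publish_dir "$bad" || echo "(expected failure, exit status $?)"
```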
@tushev
Author

tushev commented Jan 20, 2024

Thank you very much!!
