
I'm trying out Azure Durable Functions and I need to pass an external class as input/output between the Activity Functions. This class comes from an external SDK and it contains abstract classes & interfaces. Because of this, the function throws an error described here

I've been reading some articles & SO posts about the vulnerabilities that TypeNameHandling.All may create, but I played around with it. And when the object type is specified during deserialization, the application throws an error BEFORE the constructor code of the targeted class is executed. Looking at this, it seems that the implementation is pretty safe, since the application will throw an exception if an attacker tries to pass a JSON with an unexpected type. See the code here https://dotnetfiddle.net/9FvSrc

Am I missing something here? In which scenario would the attacker be able to execute the constructor/setter code?

adelb
  • Seems that it can be reproduced when the class has an object property https://dotnetfiddle.net/388cw9 – adelb Jan 20 '21 at 14:46
  • Take a look at [External json vulnerable because of Json.Net TypeNameHandling auto?](https://stackoverflow.com/q/49038055/3744182). Even if you don't have any properties declared as `object` or `dynamic` it's not 100% certain that none of your declared types are compatible with some attack gadget, you need to check each one. [TypeNameHandling caution in Newtonsoft Json](https://stackoverflow.com/q/39565954/3744182) may also apply. – dbc Jan 20 '21 at 15:34
  • Also, do you really need type information for the entire serialization graph, or just the root object? If you only need it for the root, consider [json.net - how to add property $type ONLY on root object](https://stackoverflow.com/q/36356336/3744182), that reduces the chances of some deeply embedded property being compatible with an attack gadget. – dbc Jan 20 '21 at 16:02

0 Answers
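The comments point at two things worth seeing side by side: a property declared as `object` accepts any `$type`, so the declared-type check the question relies on never fires for it, and an allow-list `ISerializationBinder` rejects unexpected type names before Json.NET constructs anything. The program below is an added example, not code from the question, the fiddles or the Durable Functions project; `Shape`, `Circle`, `Payload`, `Canary` and `AllowListBinder` are constructed stand-ins, and the "tampered" message is built inline rather than captured from any real system.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Constructed stand-ins for the SDK types in the question (hypothetical names).
public abstract class Shape { public abstract double Area(); }

public class Circle : Shape
{
    public double Radius { get; set; }
    public override double Area() => Math.PI * Radius * Radius;
}

// The weak spot from the comments: a property declared as object accepts ANY $type.
public class Payload
{
    public Shape Shape { get; set; }
    public object Metadata { get; set; }
}

// Harmless canary: its constructor only counts how often it ran, so we can observe
// whether an unexpected $type reached instantiation.
public class Canary
{
    public static int Constructed;
    public Canary() { Constructed++; }
}

// Allow-list binder: $type is resolved only against types we explicitly expect.
// Anything else is rejected before Json.NET creates an instance.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new[] { typeof(Payload), typeof(Circle) }.ToDictionary(t => t.FullName, t => t);

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type)) return type;
        throw new JsonSerializationException($"Type '{typeName}' is not on the allow list.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // emit bare type names so lookups match FullName
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    public static void Main()
    {
        var defaultSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        var allowListSettings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All,
            SerializationBinder = new AllowListBinder()
        };

        var original = new Payload { Shape = new Circle { Radius = 2 }, Metadata = "note" };
        Console.WriteLine(JsonConvert.SerializeObject(original, defaultSettings));

        // Constructed "tampered" message: the Metadata $type was swapped for the canary type.
        string asm = typeof(Payload).Assembly.GetName().Name;
        string canaryType = $"{typeof(Canary).FullName}, {asm}";
        string tampered =
            "{\"$type\":\"" + typeof(Payload).FullName + ", " + asm + "\"," +
            "\"Shape\":{\"$type\":\"" + typeof(Circle).FullName + ", " + asm + "\",\"Radius\":2.0}," +
            "\"Metadata\":{\"$type\":\"" + canaryType + "\"}}";

        // 1. Default binder: the object-typed property lets the canary be constructed,
        //    even though the root type check on Payload passes.
        JsonConvert.DeserializeObject<Payload>(tampered, defaultSettings);
        Console.WriteLine($"Default binder: Canary constructed {Canary.Constructed} time(s)");

        // 2. Allow-list binder: type resolution fails, so no constructor runs.
        try
        {
            JsonConvert.DeserializeObject<Payload>(tampered, allowListSettings);
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine($"Allow-list binder rejected the message: {ex.Message}");
        }
        Console.WriteLine($"Allow-list binder: Canary constructed {Canary.Constructed} time(s)");
    }
}
```

Run it once and compare the two counter lines: the default binder advances the counter because nothing constrains what lands in an `object` slot, while the allow-list binder leaves it unchanged because `BindToType` throws before instantiation. The binder's `BindToName` emits bare type names, so messages you serialize yourself round-trip through the same allow list; if the Durable Functions host owns the serializer settings, the binder has to be plugged into the settings it uses rather than into a local `JsonConvert` call.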