- Fix disallow-unsafe-type Akka.NET settings and harden unsafe type detection 301
- Bump Akka version from 1.4.34 to 1.4.35
- Allow explicit control over which types can be deserialized #281
We've expanded our deserialization safety check to block dangerous types from being deserialized; we recommend this method as a best practice to prevent deserialization of untrusted data. You can now create a custom deserialize layer type filter programmatically:
var typeFilter = TypeFilterBuilder.Create()
.Include<AllowedClassA>()
.Include<AllowedClassB>()
.Build();
var options = SerializerOptions.Default
.WithTypeFilter(typeFilter);
var serializer = new Serializer(options);
For complete documentation, please read the readme on filtering types for secure deserialization.
- Fix exception thrown during deserialization when preserve object reference was turned on and a surrogate instance was inserted into a collection multiple times. #264
- Add support for AggregateException serialization. #266
We've added a deserialization safety check to block dangerous types from being deserialized.
This is done to add a layer of security from possible code injection and code execution attack.
Currently it is an all or nothing feature that can be turned on and off by using the new DisallowUnsafeTypes
flag inside SerializerOptions
(defaults to true).
The unsafe types that are currently blocked are:
- System.Security.Claims.ClaimsIdentity
- System.Windows.Forms.AxHost.State
- System.Windows.Data.ObjectDataProvider
- System.Management.Automation.PSObject
- System.Web.Security.RolePrincipal
- System.IdentityModel.Tokens.SessionSecurityToken
- SessionViewStateHistoryItem
- TextFormattingRunProperties
- ToolboxItemContainer
- System.Security.Principal.WindowsClaimsIdentity
- System.Security.Principal.WindowsIdentity
- System.Security.Principal.WindowsPrincipal
- System.CodeDom.Compiler.TempFileCollection
- System.IO.FileSystemInfo
- System.Activities.Presentation.WorkflowDesigner
- System.Windows.ResourceDictionary
- System.Windows.Forms.BindingSource
- Microsoft.Exchange.Management.SystemManager.WinForms.ExchangeSettingsProvider
- System.Diagnostics.Process
- System.Management.IWbemClassObjectFreeThreaded
- Fix array of user defined structs serialization failure
- Remove dynamic keyword usage from array serializer
- Change field ordering to ordinal
Possible breaking changes
The change to the object serializer field ordering might cause a deserialization failure of persisted objects that are serialized using the Hyperion serializer.
Please report any serialization problem that occurs after an upgrade to this version at the issue tracker