Safety / DoS / Exploits
Since one of Ceras' goals is network communication, there is always a safety/security concern that has to be kept in mind: the bytes being deserialized may come from an attacker. Ceras deals with this topic in 3 ways.
To protect against the most common serialization exploits, Ceras has a built-in list of banned types. This list contains types that are either known to be impossible to serialize correctly, or that are known to be a security concern (the kind of "gadget" types that are abused in deserialization attacks against other .NET serializers). Every type Ceras 'touches' is checked against the banned types, and there is no setting to deactivate these checks.
Without any limits on deserialization, an attacker could very easily crash the application: a crafted binary only has to claim, for example, a string, array or collection of an enormous length, and the application will try to allocate that much memory when it deserializes the data.
To mitigate that, Ceras has various limits you can set (maximum string length, array size, byte array size and collection size). Since the specific limits are obviously extremely application dependent, they are essentially off by default (the defaults are the maximum value, which is no limit in practice), so for untrusted input you have to set them yourself.
The 'KnownTypes' mechanism (see config.KnownTypes.Add(...)) is a performance optimization as well as a safety feature.
When you add at least one type to KnownTypes, Ceras will (by default) 'seal' the type cache.
That means Ceras will not accept any new types embedded in the data, because types are restricted to the known IDs only. Data that tries to introduce a type by name is rejected instead of being resolved to an arbitrary type, which closes off the usual "make the deserializer instantiate a type of my choosing" attack.
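The following is an added example (not code from the Ceras wiki or the Ceras project itself) that puts the three mechanisms described above into one configuration: size limits set, at least one type registered in KnownTypes so the type cache is sealed, and the result exercised against two hostile payloads. The types `ChatMessage` and `Unexpected` are constructed for illustration. The configuration property names (`config.Advanced.SizeLimits.*`, `config.Advanced.SealTypesWhenUsingKnownTypes`) are taken from Ceras' `SerializerConfig` as I remember it; the exact exception types thrown are not asserted here, so check both against the Ceras version you use.

```csharp
using System;
using System.Collections.Generic;
using Ceras;

// Constructed types for the demo; not part of Ceras.
public class ChatMessage
{
    public string Sender;
    public string Text;
    public List<string> Attachments;
}

// A type the hardened serializer has never been told about.
public class Unexpected
{
    public string Payload;
}

public static class HardenedSerializerDemo
{
    // Serializer for untrusted input: limits on, known types registered, type cache sealed.
    public static CerasSerializer CreateHardened()
    {
        var config = new SerializerConfig();

        // 1) Limits. Defaults are effectively unlimited; these values are illustrative,
        //    the right numbers depend on the application's messages.
        config.Advanced.SizeLimits.MaxStringLength = 4 * 1024;
        config.Advanced.SizeLimits.MaxArraySize = 1024;
        config.Advanced.SizeLimits.MaxByteArraySize = 64 * 1024;
        config.Advanced.SizeLimits.MaxCollectionSize = 256;

        // 2) Known types. Adding one seals the type cache by default, so the data may only
        //    refer to types by their known IDs and never by name.
        config.KnownTypes.Add(typeof(ChatMessage));
        config.Advanced.SealTypesWhenUsingKnownTypes = true; // stated explicitly; this is the default

        // 3) The banned-types list is always active; nothing to configure.
        return new CerasSerializer(config);
    }

    // Same known types but no limits: stands in for a peer that sends oversized data.
    public static CerasSerializer CreateUnlimitedPeer()
    {
        var config = new SerializerConfig();
        config.KnownTypes.Add(typeof(ChatMessage));
        return new CerasSerializer(config);
    }

    public static void Main()
    {
        var hardened = CreateHardened();

        // A normal message round-trips.
        var msg = new ChatMessage { Sender = "alice", Text = "hi", Attachments = new List<string>() };
        var back = hardened.Deserialize<ChatMessage>(hardened.Serialize(msg));
        Console.WriteLine($"round trip ok: {back.Sender}: {back.Text}");

        // Hostile payload 1: a message whose string claims 100k characters (limit is 4k).
        var peer = CreateUnlimitedPeer();
        byte[] oversized = peer.Serialize(new ChatMessage { Sender = "bob", Text = new string('A', 100_000) });
        try
        {
            hardened.Deserialize<ChatMessage>(oversized);
            Console.WriteLine("PROBLEM: oversized string accepted");
        }
        catch (Exception e)
        {
            Console.WriteLine($"rejected oversized string: {e.GetType().Name}");
        }

        // Hostile payload 2: data produced by an unsealed serializer (no KnownTypes), which
        // embeds the type name of Unexpected. The sealed instance refuses to resolve it.
        var open = new CerasSerializer();
        byte[] foreign = open.Serialize<object>(new Unexpected { Payload = "x" });
        try
        {
            hardened.Deserialize<object>(foreign);
            Console.WriteLine("PROBLEM: unknown type accepted");
        }
        catch (Exception e)
        {
            Console.WriteLine($"rejected unknown type: {e.GetType().Name}");
        }
    }
}
```

Two practical notes: both peers of a connection must use the same KnownTypes list in the same order, otherwise the IDs will not line up and even honest data will fail to deserialize; and the limits are a per-value ceiling, not a budget, so a payload made of many just-under-the-limit values still needs a cap on the total message size at the transport layer.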
More information about the two relevant settings, KnownTypes and SealTypesWhenUsingKnownTypes, can be found on their respective wiki pages.
Also pretty important to read is the type encoding wiki page, since it explains how type IDs and type names end up in the data in the first place.