Issue Description:
I have identified a potential security vulnerability in the code where external data sources are being deserialized using Newtonsoft.Json with TypeNameHandling.All enabled. This setting allows the deserialization of types based on the type information present in the JSON payload. While convenient for polymorphic deserialization, it can also pose a security risk if the JSON data comes from untrusted sources. This setting could potentially be exploited for remote code execution (RCE) attacks if not handled carefully.
Code Reference: https://github.com/danielgerlag/workflow-core/blob/a761d783fe6f6bf9b0c6797321a439bf6f94c827/src/providers/WorkflowCore.Providers.Azure/Models/PersistedWorkflow.cs#L31
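One common mitigation for the setting described in this report, shown as an added example that is not code from workflow-core or from the issue's author: keep type names in the JSON only where polymorphism needs them and resolve `$type` through an allow-list `ISerializationBinder`. The types `StepData`, `EmailStepData` and `AllowListBinder`, and both sample payloads, are hypothetical and constructed for this illustration.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical application types, used only for this example.
public abstract class StepData { }
public sealed class EmailStepData : StepData { public string To { get; set; } }

// Resolves "$type" values only for types on an explicit allow-list.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowListBinder(params Type[] types)
    {
        foreach (var t in types) _allowed[t.FullName] = t;
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        if (typeName != null && _allowed.TryGetValue(typeName, out var type))
            return type;
        // Throw rather than return null, so no other resolution path is attempted.
        throw new JsonSerializationException($"Type '{typeName}' is not allowed.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;                 // do not emit assembly names
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    public static void Main()
    {
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Auto,   // instead of TypeNameHandling.All
            SerializationBinder = new AllowListBinder(typeof(EmailStepData))
        };
        // Constructed sample payloads: one allow-listed type, one type that is not listed.
        var listed = "{\"$type\":\"EmailStepData\",\"To\":\"ops@example.com\"}";
        var unlisted = "{\"$type\":\"Some.Other.Type, SomeAssembly\",\"To\":\"x\"}";
        foreach (var json in new[] { listed, unlisted })
        {
            try { Console.WriteLine(JsonConvert.DeserializeObject<StepData>(json, settings).GetType().Name); }
            catch (JsonSerializationException) { Console.WriteLine("rejected"); }
        }
    }
}
```

The binder is consulted for every `$type` value the serializer encounters, so a payload naming any type outside the list fails with a `JsonSerializationException` before an instance is created.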