dotnet / infer

Infer.NET is a framework for running Bayesian inference in graphical models
https://dotnet.github.io/infer/
MIT License

Remove Type.GetType from InferDataContractResolver #454

Closed jonathantims closed 6 months ago

jonathantims commented 6 months ago

For compliance, we do not want to apply Type.GetType to any data string we are given in case it leads to harmful types being used. Even using Type.GetType and then checking the type afterwards is not compliant because it may inadvertently load assemblies we did not intend.

Therefore we create an explicit list of allowed types, and parse the type string to direct construction of the required type from the allowed list.

The nice thing about constructing directly from the allowed list is that even if there is a bug in the parsing code, or the string has been tampered with, it is impossible for us to end up with a type that is not a combination of types on the allowed list.
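As an added illustration of the approach described above (example code, not the project's own; the class name `AllowListTypeParser`, the `Name[Arg,...]` grammar and the particular allow-list entries are assumptions), a helper of the kind a resolver's `ResolveName` could call: the type string is parsed and the `Type` is assembled only from allow-listed components, so a tampered or malformed string can fail but can never yield a type outside the list.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Hypothetical helper in the spirit of the PR: the string a resolver's ResolveName
// receives is parsed, and the Type is built only from allow-listed components.
// Type.GetType is never applied to the input, so no unexpected assembly can load.
public static class AllowListTypeParser
{
    // The only types that can ever be produced, alone or as generic arguments.
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        ["Int32"] = typeof(int), ["Double"] = typeof(double), ["String"] = typeof(string),
        ["List"] = typeof(List<>), ["Dictionary"] = typeof(Dictionary<,>),
    };

    // Assumed grammar: Name | Name[Type,Type,...], e.g. "Dictionary[String,List[Double]]".
    public static Type Resolve(string typeName)
    {
        int pos = 0;
        Type t = Parse(typeName, ref pos);
        if (pos != typeName.Length) throw new SerializationException("Trailing text in type name");
        return t;
    }

    private static Type Parse(string s, ref int pos)
    {
        int start = pos;
        while (pos < s.Length && char.IsLetterOrDigit(s[pos])) pos++;
        // Unknown names are rejected outright; they are never looked up by reflection.
        if (!Allowed.TryGetValue(s.Substring(start, pos - start), out Type t))
            throw new SerializationException("Type name is not on the allow-list");
        var args = new List<Type>();
        if (pos < s.Length && s[pos] == '[')
        {
            do { pos++; args.Add(Parse(s, ref pos)); } while (pos < s.Length && s[pos] == ',');
            if (pos >= s.Length || s[pos++] != ']') throw new SerializationException("Expected ']'");
        }
        // Arity is checked against the generic definition, so partial or over-applied names fail.
        int arity = t.IsGenericTypeDefinition ? t.GetGenericArguments().Length : 0;
        if (arity != args.Count) throw new SerializationException("Wrong number of type arguments");
        return arity == 0 ? t : t.MakeGenericType(args.ToArray());
    }

    public static void Main()
    {
        Console.WriteLine(Resolve("Dictionary[String,List[Double]]"));
        try { Resolve("Some.Other.Type, Some.Assembly"); } // constructed input, not on the list
        catch (SerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

In a real resolver this would sit behind `DataContractResolver.ResolveName`, with the writer side emitting the same grammar so round trips only ever carry allow-listed names.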

jonathantims commented 6 months ago

Will modify test to check all DataContract types and public properties they use (for round tripping).