k-john-gough / gppg

GPPG is a parser generator that produces parsers written in the C# V2 or higher. The input language is YACC-like, and the parsers are LALR(1), with the usual automatic disambiguations. Designed to work with GPLEX.

BinaryFormatter is obsolete and should not be used. #8

Open kyanha opened 10 months ago

kyanha commented 10 months ago

(Mr. Gough, I understand that you are fully retired, and I am not requesting you change this unless you feel like it. I'm just documenting this issue, for anyone who, like me, is trying to compile gppg against a newer version of dotnet, such as net6.0 or net7.0.)

https://aka.ms/binaryformatter has a lot of information on this issue, including an explanation of why BinaryFormatter is insecure and cannot be made secure. (Anything which performs unrestricted polymorphic deserialization cannot be made secure.) This is used in CodeGenerator.cs and ParseHelper.cs. For security, it recommends:

- XmlSerializer and DataContractSerializer to serialize object graphs into and from XML. Do not confuse DataContractSerializer with NetDataContractSerializer.

k-john-gough commented 10 months ago

Hi Kyle

And thanks for the email.

Yes, I am fully retired, but I would like to keep GPPG and GPLEX going as long as the community finds them useful.

The issue with the Binary Formatter is really, very much, a specialized one. The facility is only used in the case where two (or more) parsers have to share a token type. One parser declares /sharetokens, which causes the creation of file ${parsername}Tokens.dat. The other parsers then declare /importtokens=filepath to share the definitions. The main use of this is to write parsers that invoke ad-hoc lookahead in a sub-parser and then back-track to the main parser. Yes, pretty specialized stuff!

Because this is such a specialized case, I didn't bother defining a format for the token file and left it to the binary formatter.

A simple way to eliminate the security hole would be to create an XML format for the token file and change the two references in ParseHelper.cs and CodeGenerator.cs to use the XML reader and writer. (An even simpler fix would be to get rid of /importtokens and /sharetokens, but it would break the code of anyone who IS using the facility.)

If anybody out there wants to have a go, I would be happy to cast an eye over it. If absolutely necessary I could probably do it myself, but I am getting pretty rusty with C#.

Cheers John Gough


ernstc commented 9 months ago

Hi @k-john-gough , Hi @kyanha ,

A while ago, I forked gppg and gplex for developing the YaccLexTools package, aimed at simplifying the use of Yacc and Lex files in C# projects. In the last year I have done a lot of maintenance on my project to also support .NET Core and .NET 5+, and in this context I have already resolved this issue using JSON serialization with System.Text.Json. If you want to take a look, here are the specific changes I have made: https://github.com/ernstc/gppg/commit/545abdc876a88e791b4cf05320d7dc5180257e54

If you are interested, I will create a pull request for updating this repository as well.

Cheers Ernesto Cianciotta
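As an added illustration of the approach proposed in the two comments above (a plain data format for the /sharetokens token file instead of BinaryFormatter), here is a self-contained C# sketch using System.Text.Json. It is not gppg's code nor the code in the linked commit; the TokenTable shape, the TokenFile class and the ".json" extension are assumptions. The security point is that only a fixed DTO is deserialized, so the file can never name a type for the reader to instantiate.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;

// Assumed data-only shape for a shared token table (hypothetical, not gppg's).
// No type names are written to the file, unlike the BinaryFormatter payload.
public sealed class TokenTable
{
    public string ParserName { get; set; } = "";
    // Token name -> numeric token value.
    public Dictionary<string, int> Tokens { get; set; } = new();
}

public static class TokenFile
{
    private static readonly JsonSerializerOptions Options = new() { WriteIndented = true };

    // Written by the parser generated with /sharetokens.
    public static void Save(string path, TokenTable table) =>
        File.WriteAllText(path, JsonSerializer.Serialize(table, Options));

    // Read by parsers generated with /importtokens=path.
    // Deserialization is bound to TokenTable; a foreign or malformed file
    // yields a JsonException or InvalidDataException, never arbitrary code.
    public static TokenTable Load(string path)
    {
        var table = JsonSerializer.Deserialize<TokenTable>(File.ReadAllText(path), Options)
                    ?? throw new InvalidDataException($"{path}: empty token file");
        if (string.IsNullOrEmpty(table.ParserName))
            throw new InvalidDataException($"{path}: missing ParserName");
        foreach (var name in table.Tokens.Keys)
            if (name.Length == 0)
                throw new InvalidDataException($"{path}: empty token name");
        return table;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample table; values chosen arbitrarily for the demo.
        var shared = new TokenTable { ParserName = "Main" };
        shared.Tokens["EOF"] = 0; shared.Tokens["IDENT"] = 257; shared.Tokens["NUMBER"] = 258;
        string path = Path.Combine(Path.GetTempPath(), "MainTokens.json");
        TokenFile.Save(path, shared);
        var imported = TokenFile.Load(path);
        Console.WriteLine($"{imported.ParserName}: IDENT={imported.Tokens["IDENT"]}");
    }
}
```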

k-john-gough commented 9 months ago

Hi Ernesto

Thank you for your email.

And, more importantly, thank you for making the changes to gppg to avoid the use of BinaryFormatter, and also to work with the more recent releases of .NET. I would certainly like your work to be available to other users of gppg and gplex. We could do this by you creating a pull request, but in the long term I need someone to take over management of the two github accounts. Are you willing to be that person?

Please consider this offer. I am very happy to answer any questions you might have regarding the programs, and also can supply the sources for the documentation (which is not currently on github).

Best regards K John Gough


ernstc commented 8 months ago

Dear Mr. Gough, I am honored by your offer. I can help keep the two projects alive by keeping them up to date with the evolution of .NET in the future and by resolving issues, wherever possible.

Best Regards, Ernesto Cianciotta