eiriktsarpalis
commented
6 years ago Thanks. This is part of the core design of this library, in particular to provide the ability to serialize arbitrary lambdas to power mbrace. Now, deserializing lambdas is enabling arbitrary code execution no matter how you look at it, which is kind of the point in distributed compute frameworks like mbrace or Spark. So I don't see how this could ever be changed or "fixed".
I only wish that the authors would take more time to investigate the background and motivation behind each library (e.g. https://github.com/mbraceproject/Vagabond) rather than lumping together everything they could scavenge from github. The fact that people use FsPickler as if it's suitable to run in something like a webserver doesn't help either.
ghost
Hello, I am posting this a bit blind (I have searched on this repo's issue tracker and MBrace.Azure and have not found anything relating to this topic), recently (last few days) a talk was given at a security conference that mentioned .NET serialization vulnerabilities. FsPickler was especially mentioned, worryingly as an Example in the section referring to remote code execution.
The slide deck is available at https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf, unfortunately I don't have any additional useful information about it (as I was not in attendance of this conference), but I thought I would bring it to someones attention (it might be worthwhile cc'ing in people from MBrace.Azure to ensure no interfaces are exposed that would allow an attacker to abuse untrusted input that gets deserialized by FsPickle).