rebus-org / Rebus

:bus: Simple and lean service bus implementation for .NET
https://mookid.dk/category/rebus

"TypeNameHandling.All" option in your "JsonSerializer.cs" #1078

Closed tititototutu closed 1 year ago

tititototutu commented 1 year ago

Hello,

I just want to warn you that it is dangerous to use the "TypeNameHandling.All" option in your "JsonSerializer.cs" file. Do not deserialize your JSON data with this option enabled. I don't know if computer security is important in your project, but just in case, I am warning you.

Enjoy

mookid8000 commented 1 year ago

Why is it dangerous? Can you point to some additional resources on the subject?

mookid8000 commented 1 year ago

Hi @tititototutu, could you maybe elaborate a little bit on why it is dangerous?

mookid8000 commented 1 year ago

Ok @tititototutu, I assume you are thinking about using "TypeNameHandling.All" when deserializing JSON data in publicly exposed APIs.

Rebus is not usually used to process messages delivered from any kind of publicly exposed API.

Please get back to me and enlighten me, if you have some additional information about the subject.
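
The question the thread leaves open, as an added example that is not part of the thread and not Rebus code: with Json.NET's `TypeNameHandling.All`, the `$type` field in the payload decides which type the receiver constructs, and an allow-list `ISerializationBinder` restricts that choice. `OrderPlaced`, `Unexpected` and `AllowListBinder` are hypothetical names, and the payload is constructed for the demonstration.

```csharp
// Added example: constructed types and payload, not code from Rebus.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class OrderPlaced { public int OrderId { get; set; } }  // the message type the receiver expects
public class Unexpected                                         // harmless stand-in for any other loadable type
{
    public Unexpected() => Console.WriteLine("Unexpected constructed: the payload named it");
}

// Allow-list binder: "$type" may only name types passed to the constructor.
public class AllowListBinder : ISerializationBinder
{
    private readonly DefaultSerializationBinder _inner = new DefaultSerializationBinder();
    private readonly HashSet<Type> _allowed;
    public AllowListBinder(params Type[] allowed) => _allowed = new HashSet<Type>(allowed);

    public Type BindToType(string assemblyName, string typeName)
    {
        Type resolved = _inner.BindToType(assemblyName, typeName);
        if (!_allowed.Contains(resolved))
            throw new JsonSerializationException($"Type '{typeName}' is not on the allow-list");
        return resolved;
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
        => _inner.BindToName(serializedType, out assemblyName, out typeName);
}

public static class Program
{
    public static void Main()
    {
        // Constructed payload: the sender, not the receiver, picks the type.
        string asm = typeof(Unexpected).Assembly.GetName().Name;
        string json = "{\"$type\":\"Unexpected, " + asm + "\"}";

        var open = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        object o = JsonConvert.DeserializeObject(json, open);
        Console.WriteLine("Unrestricted settings produced: " + o.GetType().Name);

        var restricted = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All,
            SerializationBinder = new AllowListBinder(typeof(OrderPlaced)) };
        try { JsonConvert.DeserializeObject(json, restricted); }
        catch (JsonSerializationException e) { Console.WriteLine("Restricted settings rejected it: " + e.Message); }
    }
}
```

Whether this matters for a given deployment depends on who can place messages on the transport; the binder bounds the set of constructible types regardless of the sender.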