fix Security Issues with Polymorphic support in serialization

mcatanzariti · mcatanzariti · commit 4ced30d79208 · 2022-10-29T23:06:15.000+02:00
* BREAKING CHANGE: removed DefaultDiscriminatorConvention * BREAKING CHANGE: renamed AttributeBasedDiscriminatorConvention<T> into DefaultDiscriminatorConvention<T> * check if declared type is assignable from discriminator type before instantiation * fix #107
diff --git a/src/Dahomey.Cbor.Tests/CreatorMappingTests.cs b/src/Dahomey.Cbor.Tests/CreatorMappingTests.cs
@@ -224,7 +224,6 @@ public Person(int id, string name)
         public void InheritedClassWithConstructor()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Person));
 
             const string hexBuffer = "A3625F7466506572736F6E6249640C644E616D6563466F6F";
diff --git a/src/Dahomey.Cbor.Tests/DiscriminatorTests.cs b/src/Dahomey.Cbor.Tests/DiscriminatorTests.cs
@@ -19,7 +19,6 @@ static DiscriminatorTests()
         public void ReadPolymorphicObject()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(NameObject));
 
             const string hexBuffer = "A16A426173654F626A656374A3625F746A4E616D654F626A656374644E616D6563666F6F62496401";
@@ -31,20 +30,22 @@ public void ReadPolymorphicObject()
             Assert.Equal(1, obj.BaseObject.Id);
         }
 
+        [CborDiscriminator("OtherObject")]
+        public class OtherObject
+        {
+        }
+
         [Fact]
-        public void ReadPolymorphicObjectWithDefaultDiscriminatorConvention()
+        public void ReadNonAssignablePolymorphicObject()
         {
-            const string hexBuffer = "A2625F7478374461686F6D65792E43626F722E54657374732E426173654F626A656374486F6C6465722C204461686F6D65792E43626F722E54657374736A426173654F626A656374A3625F746A4E616D654F626A656374644E616D6563666F6F62496401";
+            const string hexBuffer = "A16A426173654F626A656374A1625F746B4F746865724F626A656374"; // {"BaseObject": {"_t": "OtherObject"}}
 
             CborOptions options = new CborOptions();
             DiscriminatorConventionRegistry registry = options.Registry.DiscriminatorConventionRegistry;
-            registry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             registry.RegisterType<NameObject>();
+            registry.RegisterType<OtherObject>();
 
-            object obj = Helper.Read<object>(hexBuffer, options);
-
-            Assert.NotNull(obj);
-            Assert.IsType<BaseObjectHolder>(obj);
+            Assert.ThrowsAny<CborException>(() => Helper.Read<BaseObjectHolder>(hexBuffer, options));
         }
 
         [Theory]
@@ -55,7 +56,6 @@ public void ReadPolymorphicObjectWithDefaultDiscriminatorConvention()
         public void WritePolymorphicObject(CborDiscriminatorPolicy discriminatorPolicy, string hexBuffer)
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(NameObject));
             options.Registry.ObjectMappingRegistry.Register<NameObject>(om =>
             {
diff --git a/src/Dahomey.Cbor.Tests/Issues/Issue0020.cs b/src/Dahomey.Cbor.Tests/Issues/Issue0020.cs
@@ -48,7 +48,6 @@ public class Orange : Fruit
         public void TestWrite()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Apple));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Orange));
 
@@ -62,7 +61,6 @@ public void TestWrite()
         public void TestRead()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Apple));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Orange));
 
diff --git a/src/Dahomey.Cbor.Tests/Issues/Issue0027.cs b/src/Dahomey.Cbor.Tests/Issues/Issue0027.cs
@@ -15,16 +15,13 @@ public class Car
         [Fact]
         public void Test()
         {
-            CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
-
             var car = new Car()
             {
                 Description = "n"
             };
 
             string hexBuffer = "A2625F7471736F6D656469736372696D696E61746F726B4465736372697074696F6E616E";
-            Helper.TestWrite(car, hexBuffer, null, options);
+            Helper.TestWrite(car, hexBuffer);
         }
     }
 }
diff --git a/src/Dahomey.Cbor.Tests/Issues/Issue0029.cs b/src/Dahomey.Cbor.Tests/Issues/Issue0029.cs
@@ -21,7 +21,6 @@ public class DummyMessageParticle : DummyParticle
         public void Test()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(DummyMessageParticle));
 
             // {"nonce": 2181035975144481159, "_t": "radix.particles.message"}
diff --git a/src/Dahomey.Cbor.Tests/Issues/Issue0046.cs b/src/Dahomey.Cbor.Tests/Issues/Issue0046.cs
@@ -21,7 +21,7 @@ public class Atom
         public void Test()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry, "serializer"));
+            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new DefaultDiscriminatorConvention<string>(options.Registry, "serializer"));
             options.Registry.ObjectMappingRegistry.Register<Atom>(objectMapping =>
             {
                 objectMapping.AutoMap();
diff --git a/src/Dahomey.Cbor.Tests/Issues/Issue0091.cs b/src/Dahomey.Cbor.Tests/Issues/Issue0091.cs
@@ -23,7 +23,6 @@ public record class Dog(string Color, DateTime Timestamp) : Animal(Timestamp)
         public void TestReadWrite()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Dog));
 
             Dog dog = new("black", DateTime.Parse("2022-10-24T14:05:08Z", null, DateTimeStyles.RoundtripKind));
diff --git a/src/Dahomey.Cbor.Tests/ObjectMappingTests.cs b/src/Dahomey.Cbor.Tests/ObjectMappingTests.cs
@@ -172,7 +172,6 @@ public class InheritedObject : BaseObject
         public void ReadWithDiscriminator()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.ObjectMappingRegistry.Register<InheritedObject>(objectMapping =>
                 objectMapping
                     .AutoMap()
@@ -192,7 +191,6 @@ public void ReadWithDiscriminator()
         public void WriteWithDiscriminator()
         {
             CborOptions options = new CborOptions();
-            options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));
             options.Registry.ObjectMappingRegistry.Register<InheritedObject>(objectMapping =>
                 objectMapping
                     .SetDiscriminator("inherited")
diff --git a/src/Dahomey.Cbor/Serialization/Conventions/AttributeBasedDiscriminatorConvention.cs b/src/Dahomey.Cbor/Serialization/Conventions/AttributeBasedDiscriminatorConvention.cs
diff --git a/src/Dahomey.Cbor/Serialization/Conventions/DefaultDiscriminatorConvention.cs b/src/Dahomey.Cbor/Serialization/Conventions/DefaultDiscriminatorConvention.cs
@@ -1,17 +1,19 @@
-﻿using Dahomey.Cbor.Util;
+﻿using Dahomey.Cbor.Serialization.Converters;
+using Dahomey.Cbor.Serialization.Converters.Mappings;
+using Dahomey.Cbor.Util;
 using System;
 using System.Collections.Concurrent;
-using System.Reflection;
-using System.Text;
 
 namespace Dahomey.Cbor.Serialization.Conventions
 {
-    public class DefaultDiscriminatorConvention : IDiscriminatorConvention
+    public class DefaultDiscriminatorConvention<T> : IDiscriminatorConvention
+        where T : notnull
     {
         private readonly SerializationRegistry _serializationRegistry;
         private readonly ReadOnlyMemory<byte> _memberName;
-        private readonly ConcurrentDictionary<string, Type> _typesByDiscriminator = new ConcurrentDictionary<string, Type>();
-        private readonly ConcurrentDictionary<Type, string> _discriminatorsByType = new ConcurrentDictionary<Type, string>();
+        private readonly ConcurrentDictionary<T, Type> _typesByDiscriminator = new();
+        private readonly ConcurrentDictionary<Type, T> _discriminatorsByType = new();
+        private readonly ICborConverter<T> _converter;
 
         public ReadOnlySpan<byte> MemberName => _memberName.Span;
 
@@ -24,69 +26,49 @@ public DefaultDiscriminatorConvention(SerializationRegistry serializationRegistr
         {
             _serializationRegistry = serializationRegistry;
             _memberName = memberName.AsBinaryMemory();
+            _converter = serializationRegistry.ConverterRegistry.Lookup<T>();
         }
 
 
         public bool TryRegisterType(Type type)
         {
+            IObjectMapping objectMapping = _serializationRegistry.ObjectMappingRegistry.Lookup(type);
+
+            if (objectMapping.Discriminator == null || objectMapping.Discriminator is not T discriminator)
+            {
+                return false;
+            }
+
+            _discriminatorsByType.TryAdd(type, discriminator);
+            _typesByDiscriminator.TryAdd(discriminator, type);
             return true;
         }
 
         public Type ReadDiscriminator(ref CborReader reader)
         {
-            string? discriminator = reader.ReadString();
+            T discriminator = _converter.Read(ref reader);
 
             if (discriminator == null)
             {
-                throw reader.BuildException("Discrimnator cannot be null or empty");
+                throw new CborException("Null discriminator");
+            }
+
+            if (!_typesByDiscriminator.TryGetValue(discriminator, out Type? type))
+            {
+                throw new CborException($"Unknown type discriminator: {discriminator}");
             }
 
-            Type type = _typesByDiscriminator.GetOrAdd(discriminator, NameToType);
             return type;
         }
 
         public void WriteDiscriminator(ref CborWriter writer, Type actualType)
         {
-            string discriminator = _discriminatorsByType.GetOrAdd(actualType, TypeToName);
-            writer.WriteString(discriminator);
-        }
-
-        private string TypeToName(Type type)
-        {
-            return type.FullName + ", " + type.Assembly.GetName().Name;
-        }
-
-        private Type NameToType(string name)
-        {
-            string[] parts = name.Split(new[] { ',', ' ' }, StringSplitOptions.RemoveEmptyEntries);
-
-            string? assemblyName;
-            string typeName;
-
-            switch (parts.Length)
-            {
-                case 1:
-                    typeName = parts[0];
-                    assemblyName = null;
-                    break;
-
-                case 2:
-                    typeName = parts[0];
-                    assemblyName = parts[1];
-                    break;
-
-                default:
-                    throw new CborException($"Invalid discriminator {name}");
-
-            }
-
-            if (!string.IsNullOrEmpty(assemblyName))
+            if (!_discriminatorsByType.TryGetValue(actualType, out T? discriminator))
             {
-                Assembly assembly = Assembly.Load(assemblyName);
-                return assembly.GetType(typeName) ?? throw new CborException($"Cannot get type from {name}");
+                throw new CborException($"Unknown discriminator for type: {actualType}");
             }
 
-            return Type.GetType(typeName) ?? throw new CborException($"Cannot get type from {name}");
+            _converter.Write(ref writer, discriminator);
         }
     }
 }
diff --git a/src/Dahomey.Cbor/Serialization/Conventions/DiscriminatorConventionRegistry.cs b/src/Dahomey.Cbor/Serialization/Conventions/DiscriminatorConventionRegistry.cs
@@ -17,7 +17,7 @@ public DiscriminatorConventionRegistry(SerializationRegistry serializationRegist
             _serializationRegistry = serializationRegistry;
 
             // order matters. It's in reverse order of how they'll get consumed
-            RegisterConvention(new DefaultDiscriminatorConvention(_serializationRegistry));
+            RegisterConvention(new DefaultDiscriminatorConvention<string>(_serializationRegistry));
         }
 
         public bool AnyConvention()
diff --git a/src/Dahomey.Cbor/Serialization/Converters/Mappings/CreatorMapping.cs b/src/Dahomey.Cbor/Serialization/Converters/Mappings/CreatorMapping.cs
@@ -226,7 +226,7 @@ private void EnsureInitialize()
                                         {
                                             memberMapping = memberMappings
                                                 .Where(m => !(m is IDiscriminatorMapping))
-                                                .FirstOrDefault(m => string.Compare(m.MemberInfo.Name, parameter.Name, ignoreCase: true) == 0);
+                                                .FirstOrDefault(m => string.Compare(m.MemberInfo!.Name, parameter.Name, ignoreCase: true) == 0);
 
                                             if (memberMapping == null || !memberMapping.MemberIndex.HasValue)
                                             {
diff --git a/src/Dahomey.Cbor/Serialization/Converters/ObjectConverter.cs b/src/Dahomey.Cbor/Serialization/Converters/ObjectConverter.cs
@@ -453,6 +453,12 @@ private void ReadItem(ref CborReader reader, ref ReaderContext context)
                         {
                             // discriminator value
                             Type actualType = _discriminatorConvention.ReadDiscriminator(ref reader);
+
+                            if (!_objectMapping.ObjectType.IsAssignableFrom(actualType))
+                            {
+                                throw new CborException($"expected type {_objectMapping.ObjectType} is not assignable from actual type {actualType}");
+                            }
+
                             context.converter = (IObjectConverter<T>)_registry.ConverterRegistry.Lookup(actualType);
                             ICreatorMapping? creatorMapping = context.converter.ObjectMapping.CreatorMapping;
                             context.creatorValues = creatorMapping != null ? new Dictionary<RawString, object>() : null;

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,6 @@ public Person(int id, string name)`
`224`	`224`	`public void InheritedClassWithConstructor()`
`225`	`225`	`{`
`226`	`226`	`CborOptions options = new CborOptions();`
`227`		`- options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));`
`228`	`227`	`options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Person));`
`229`	`228`
`230`	`229`	`const string hexBuffer = "A3625F7466506572736F6E6249640C644E616D6563466F6F";`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,6 @@ public class Orange : Fruit`
`48`	`48`	`public void TestWrite()`
`49`	`49`	`{`
`50`	`50`	`CborOptions options = new CborOptions();`
`51`		`- options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));`
`52`	`51`	`options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Apple));`
`53`	`52`	`options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Orange));`
`54`	`53`
`@@ -62,7 +61,6 @@ public void TestWrite()`
`62`	`61`	`public void TestRead()`
`63`	`62`	`{`
`64`	`63`	`CborOptions options = new CborOptions();`
`65`		`- options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));`
`66`	`64`	`options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Apple));`
`67`	`65`	`options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Orange));`
`68`	`66`
Original file line number	Diff line number	Diff line change
`@@ -15,16 +15,13 @@ public class Car`
`15`	`15`	`[Fact]`
`16`	`16`	`public void Test()`
`17`	`17`	`{`
`18`		`- CborOptions options = new CborOptions();`
`19`		`- options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));`
`20`		`-`
`21`	`18`	`var car = new Car()`
`22`	`19`	`{`
`23`	`20`	`Description = "n"`
`24`	`21`	`};`
`25`	`22`
`26`	`23`	`string hexBuffer = "A2625F7471736F6D656469736372696D696E61746F726B4465736372697074696F6E616E";`
`27`		`- Helper.TestWrite(car, hexBuffer, null, options);`
	`24`	`+ Helper.TestWrite(car, hexBuffer);`
`28`	`25`	`}`
`29`	`26`	`}`
`30`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,6 @@ public class DummyMessageParticle : DummyParticle`
`21`	`21`	`public void Test()`
`22`	`22`	`{`
`23`	`23`	`CborOptions options = new CborOptions();`
`24`		`- options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));`
`25`	`24`	`options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(DummyMessageParticle));`
`26`	`25`
`27`	`26`	`// {"nonce": 2181035975144481159, "_t": "radix.particles.message"}`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ public class Atom`
`21`	`21`	`public void Test()`
`22`	`22`	`{`
`23`	`23`	`CborOptions options = new CborOptions();`
`24`		`- options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry, "serializer"));`
	`24`	`+ options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new DefaultDiscriminatorConvention<string>(options.Registry, "serializer"));`
`25`	`25`	`options.Registry.ObjectMappingRegistry.Register<Atom>(objectMapping =>`
`26`	`26`	`{`
`27`	`27`	`objectMapping.AutoMap();`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,6 @@ public record class Dog(string Color, DateTime Timestamp) : Animal(Timestamp)`
`23`	`23`	`public void TestReadWrite()`
`24`	`24`	`{`
`25`	`25`	`CborOptions options = new CborOptions();`
`26`		`- options.Registry.DiscriminatorConventionRegistry.RegisterConvention(new AttributeBasedDiscriminatorConvention<string>(options.Registry));`
`27`	`26`	`options.Registry.DiscriminatorConventionRegistry.RegisterType(typeof(Dog));`
`28`	`27`
`29`	`28`	`Dog dog = new("black", DateTime.Parse("2022-10-24T14:05:08Z", null, DateTimeStyles.RoundtripKind));`