Type: Bug
Resolution: Fixed
Priority: Major - P3
Affects Version/s: 2.19.0
Component/s: LINQ3, Serialization
Fully Compatible
Not Needed
Summary
Projection LINQ expressions dynamically created throw InvalidCastException when the projection is applied to IFluentFind and executed in C# driver version 2.19.0.
Exception Information:
Unable to cast object of type 'MongoDB.Bson.Serialization.BsonClassMapSerializer`1[DynamicType0`2]' to type 'MongoDB.Bson.Serialization.IBsonSerializer`1[System.Object]'.
at MongoDB.Driver.Linq.Linq3Implementation.LinqProviderAdapterV3.TranslateExpressionToProjection[TInput,TOutput](Expression`1 expression, IBsonSerializer`1 inputSerializer, IBsonSerializerRegistry serializerRegistry, ExpressionTranslationOptions translationOptions)
at MongoDB.Driver.Linq.Linq3Implementation.LinqProviderAdapterV3.TranslateExpressionToFindProjection[TSource,TProjection](Expression`1 expression, IBsonSerializer`1 sourceSerializer, IBsonSerializerRegistry serializerRegistry)
at MongoDB.Driver.MongoCollectionImpl`1.CreateFindOperation[TProjection](FilterDefinition`1 filter, FindOptions`2 options)
at MongoDB.Driver.MongoCollectionImpl`1.FindAsync[TProjection](IClientSessionHandle session, FilterDefinition`1 filter, FindOptions`2 options, CancellationToken cancellationToken)
at MongoDB.Driver.MongoCollectionImpl`1.<>c_DisplayClass48_0`1.<FindAsync>b_0(IClientSessionHandle session)
at MongoDB.Driver.MongoCollectionImpl`1.<UsingImplicitSessionAsync>d__107`1.MoveNext()
at MongoDB.Driver.IAsyncCursorSourceExtensions.<ToListAsync>d__16`1.MoveNext()
at Program.<<Main>$>d__0.MoveNext() in C:\...\repos\MongoDB.Projection.Test\MongoDB.Projection.Test\Program.cs:line 52
How to Reproduce
Download the attached VS solution and run the project. The code contains comments with information regarding the issue.
Additional Background
The projection is created using a dynamically generated System.Type via IL (see attached solution). The type is similar to an anonymous type containing a subset of the actual properties defined on a specific type. The properties can be any combination of properties from the source type and are verified against the source type, preventing invalid properties from being added to the projection. Once the projection Type is generated, it is then used in the creation of a dynamic LINQ expression that represents the actual projection applied to the IFluentFind.
As mentioned, the projection is similar to a projection created using an anonymous type. The anonymous type projection does not throw the exception though.
The implementation described here has been in use for quite some time in our systems and has worked quite well in dozens of microservices deployed in the US and Europe. The issue was only realized recently when we updated to driver version v2.19.0. This implementation is part of a larger framework that is also used outside of MongoDB, so this is a bit of a critical issue.
The issue is related to the changes made to address CVE-2022-48282 ("MongoDB .NET/C# Driver vulnerable to Deserialization of Untrusted Data", GitHub Advisory Database), I assume, but it isn't clear if this change was intended to prevent the scenario described in our implementation. Based on the comments made by James_Kovacs in the MongoDB Developer Community Forums thread "Vulnerability CVE-2022-48282" (Working with Data / Drivers & ODMs), it seems like it should not.
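
The technique described under Additional Background, as an added example that is neither the reporter's attached solution nor the driver's code: a projection type is emitted with Reflection.Emit, each requested name is verified against the source type, and a lambda is built over the result. The class and method names, the `DynamicTypeN` naming and the `Func<TSource, object>` result type are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq.Expressions;
using System.Reflection;
using System.Reflection.Emit;

// Hypothetical helper: names and layout are assumptions, not the reporter's code.
public static class DynamicProjection
{
    private static readonly ModuleBuilder Module = AssemblyBuilder
        .DefineDynamicAssembly(new AssemblyName("DynamicProjections"), AssemblyBuilderAccess.Run)
        .DefineDynamicModule("Main");
    private static int _counter;

    // Emits a class with one public read/write property per requested source property.
    public static Type BuildType<TSource>(IEnumerable<string> names)
    {
        var tb = Module.DefineType("DynamicType" + _counter++, TypeAttributes.Public | TypeAttributes.Class);
        tb.DefineDefaultConstructor(MethodAttributes.Public);
        const MethodAttributes attrs =
            MethodAttributes.Public | MethodAttributes.SpecialName | MethodAttributes.HideBySig;
        foreach (var name in names)
        {
            // Verify against the source type so unknown members never reach the projection.
            var src = typeof(TSource).GetProperty(name, BindingFlags.Public | BindingFlags.Instance)
                ?? throw new ArgumentException($"'{name}' is not a property of {typeof(TSource).Name}");
            var field = tb.DefineField("_" + name, src.PropertyType, FieldAttributes.Private);
            var prop = tb.DefineProperty(name, PropertyAttributes.None, src.PropertyType, null);
            var getter = tb.DefineMethod("get_" + name, attrs, src.PropertyType, Type.EmptyTypes);
            var il = getter.GetILGenerator();
            il.Emit(OpCodes.Ldarg_0); il.Emit(OpCodes.Ldfld, field); il.Emit(OpCodes.Ret);
            var setter = tb.DefineMethod("set_" + name, attrs, null, new[] { src.PropertyType });
            il = setter.GetILGenerator();
            il.Emit(OpCodes.Ldarg_0); il.Emit(OpCodes.Ldarg_1); il.Emit(OpCodes.Stfld, field); il.Emit(OpCodes.Ret);
            prop.SetGetMethod(getter); prop.SetSetMethod(setter);
        }
        return tb.CreateType();
    }

    // Builds x => (object)new DynamicTypeN { P1 = x.P1, ... } for the emitted type.
    public static Expression<Func<TSource, object>> BuildProjection<TSource>(Type projectionType)
    {
        var x = Expression.Parameter(typeof(TSource), "x");
        var bindings = new List<MemberBinding>();
        foreach (var p in projectionType.GetProperties())
            bindings.Add(Expression.Bind(p, Expression.Property(x, p.Name)));
        var init = Expression.MemberInit(Expression.New(projectionType), bindings);
        return Expression.Lambda<Func<TSource, object>>(Expression.Convert(init, typeof(object)), x);
    }
}
```

Compiling the returned expression and invoking it on an in-memory instance checks the emitted type and the property verification independently of the driver.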