[CSHARP-4511] Allow specifying different AllowedTypes filter for serialization/deserialization
Created: 01/Feb/23  Updated: 24/Mar/23  Resolved: 23/Feb/23

Status: Closed
Project: C# Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 2.19.1

Type: Improvement
Priority: Unknown
Reporter: Nikola Irinchev
Assignee: Robert Stam
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Documentation Changes: Not Needed


 Description   

CSHARP-4475 added an AllowedTypes filter to ObjectSerializer to prevent deserializing into unsafe types. However, it is currently being applied during both serialization and deserialization, which is negatively impacting the Realm .NET SDK, which utilizes the object serializer in a lot of our public API. Since serialization is generally safe, regardless of the type provided, it would be beneficial to allow different filters for serializing vs deserializing using the ObjectSerializer.

Examples of APIs affected by this change are:

// Call an Atlas App Services function
Task<T> CallAsync<T>(string name, params object[] args) {}
 
// Run an aggregation pipeline through the Atlas App Services
// remote MongoDB client
Task<TProjection[]> AggregateAsync<TProjection>(params object[] pipeline) {}
 
// Invoke FindOneAndUpdate through the Atlas App Services
// remote MongoDB client
Task<TDocument> FindOneAndUpdateAsync(object filter, object updateDocument, object sort = null, object projection = null, bool upsert = false, bool returnNewDocument = false) {}

As can be seen in those examples, the arguments we're accepting are untyped objects, which we serialize to JSON using ObjectSerializer, and we're returning objects of a concrete type, which would typically use a different serializer type.

(The reason we're using an untyped API for a lot of these MongoDB operations is to allow developers the flexibility of using BsonDocument, their own POCOs representing filters/projections, or even anonymous objects - I realize this is a departure from the API exposed by the C# driver.)

Decoupling the serialization from deserialization filters gives us the flexibility to accept a wide range of inputs, while still protecting users from accidentally deserializing unsafe types.
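
The asymmetry requested above, as an added example that is not part of the ticket and is not the driver's or the Realm SDK's own code. It assumes the four-argument ObjectSerializer constructor with `allowedDeserializationTypes` and `allowedSerializationTypes` parameters that shipped with this fix; `OrderFilter` and `Demo` are hypothetical names.

```csharp
using System;
using MongoDB.Bson;
using MongoDB.Bson.IO;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

// Hypothetical application POCO passed as an untyped query filter.
public class OrderFilter { public string Status { get; set; } }

public static class Demo
{
    public static void Main()
    {
        // Assumed constructor shape (see lead-in): deserialization keeps the
        // driver's default allow-list, serialization accepts any type.
        var serializer = new ObjectSerializer(
            BsonSerializer.LookupDiscriminatorConvention(typeof(object)),
            GuidRepresentation.Unspecified,
            allowedDeserializationTypes: ObjectSerializer.DefaultAllowedTypes,
            allowedSerializationTypes: ObjectSerializer.AllAllowedTypes);

        // Outbound: the untyped argument is written without being filtered.
        // The runtime type is recorded in the document's _t discriminator.
        object arg = new OrderFilter { Status = "open" };
        BsonDocument doc = arg.ToBsonDocument(typeof(object), serializer);
        Console.WriteLine(doc.ToJson());

        // Inbound: the same document names a type outside the allow-list,
        // so the deserialization filter refuses to instantiate it.
        try
        {
            using var reader = new BsonDocumentReader(doc);
            var context = BsonDeserializationContext.CreateRoot(reader);
            var args = new BsonDeserializationArgs { NominalType = typeof(object) };
            serializer.Deserialize(context, args);
            Console.WriteLine("unexpected: type was deserialized");
        }
        catch (BsonSerializationException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

Passing the serializer explicitly keeps the permissive serialization filter scoped to this one instance instead of changing the globally registered object serializer.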



 Comments   
Comment by Githook User [ 24/Mar/23 ]

Author: rstam <robert@robertstam.org>

Message: CSHARP-4511: Allow separate allowed types for deserialization and serialization.
Branch: v2.19.x
https://github.com/mongodb/mongo-csharp-driver/commit/1369f832df2eb820bcf9c69d27391da4cdc9e44a

Comment by Githook User [ 23/Feb/23 ]

Author: rstam <robert@robertstam.org>

Message: CSHARP-4511: Allow separate allowed types for deserialization and serialization.
Branch: master
https://github.com/mongodb/mongo-csharp-driver/commit/7ab71c2cee412dd28c85a060befe2a37b6302e4f

Generated at Wed Feb 07 21:48:27 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.