[CSHARP-4581] c# driver to auto register all explicitly mapped types as allowed Created: 24/Mar/23  Updated: 18/Apr/23  Resolved: 18/Apr/23

Status: Closed
Project: C# Driver
Component/s: Serialization
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Unknown
Reporter: Gareth Budden Assignee: Unassigned
Resolution: Won't Fix Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified



 Description   

I originally posted this here before realizing it should probably have gone in Jira as a feature request.

With release 2.19.0 we now have to register our types in order for them to be serialized. The suggestion in the release notes here is to do the following…

var objectSerializer = new ObjectSerializer(type => ObjectSerializer.DefaultAllowedTypes(type) || type.FullName.StartsWith("MyNamespace"));
BsonSerializer.RegisterSerializer(objectSerializer);

This works; however, at the company where I work we explicitly register all our types using BsonClassMap.RegisterClassMap<T>(...) to avoid accidents when serializing/deserializing.

Given that we’re already being explicit about the types we want registered, could the library note these types and add them to the allowed types automatically?
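
The behaviour requested above can be approximated in application code by recording each explicitly mapped type at registration time and allowing only exact matches, instead of a namespace prefix. This is an added example, not code from the reporter or from the driver; ExplicitTypeRegistry and its members are hypothetical names, and MySagaData is a constructed sample type.

```csharp
using System;
using System.Collections.Concurrent;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

// Hypothetical helper (not part of the driver): records every type the
// application maps explicitly and exposes them as an exact-match allow-list.
public static class ExplicitTypeRegistry
{
    private static readonly ConcurrentDictionary<Type, byte> Allowed =
        new ConcurrentDictionary<Type, byte>();

    // Use in place of BsonClassMap.RegisterClassMap<T>(...) so the class map
    // and the allow-list entry are always created together.
    public static void Map<T>(Action<BsonClassMap<T>> configure)
    {
        BsonClassMap.RegisterClassMap<T>(configure);
        Allowed.TryAdd(typeof(T), 0);
    }

    // Driver defaults plus exact Type matches only. A type that merely shares
    // a namespace with a mapped type is rejected, unlike a StartsWith check.
    public static bool IsAllowed(Type type) =>
        ObjectSerializer.DefaultAllowedTypes(type) || Allowed.ContainsKey(type);

    // Call once at startup, after all Map<T> calls and before any
    // serialization or deserialization takes place.
    public static void InstallObjectSerializer() =>
        BsonSerializer.RegisterSerializer(new ObjectSerializer(IsAllowed));
}

// Constructed sample type, used only to show the wiring.
public class MySagaData
{
    public Guid Id { get; set; }
    public string State { get; set; }
}

public static class Startup
{
    public static void ConfigureSerialization()
    {
        ExplicitTypeRegistry.Map<MySagaData>(cm => cm.AutoMap());
        ExplicitTypeRegistry.InstallObjectSerializer();
    }
}
```

Because the helper keeps its own set, the allow-list contains only types the application mapped itself and none of the class maps the driver registers internally.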



 Comments   
Comment by James Kovacs [ 18/Apr/23 ]

Hi, Daniel,

Apologies for the delay in response. The .NET/C# Driver uses a number of different serializers to perform BSON serialization. Which serializer is used depends on the actual and nominal types involved. If the actual type is MySagaData, but the nominal type is IContainSagaData (prior to your NServiceBus change), then the driver uses the DiscriminatedInterfaceSerializer<T>, which internally uses the ObjectSerializer. The ObjectSerializer now requires configuration of allowed types starting in 2.19.0 to avoid the .NET Framework bug (CVE-2022-48282). See CSHARP-4475 for more details.

After the NServiceBus change, the driver uses the BsonClassMapSerializer<T>, which is not affected by CVE-2022-48282. This is why after the NServiceBus change you do not need to register any types with explicitly registered class maps with the object serializer as being safe. The execution path no longer uses the ObjectSerializer, but instead uses the configured BsonClassMapSerializer<T>.

I would encourage users of NServiceBus to upgrade to the newer version with this fix. If you are using another framework, I would suggest implementing a similar fix. If you cannot use a similar fix for whatever reason, please comment on this issue and we will reconsider this feature.

Sincerely,
James

Comment by Daniel Marbach [ 28/Mar/23 ]

james.kovacs@mongodb.com Did you see my comment here?

https://www.mongodb.com/community/forums/t/feature-request-c-driver-to-auto-register-all-explicitly-mapped-types-as-allowed/218839/6?u=daniel_marbach

It has been a while since I worked with the client, so please bear with me. But once I moved towards using the type-based overloads of the BsonSerializer that match the class mapping we already had in place, the exceptions went away.

Comment by James Kovacs [ 27/Mar/23 ]

Thank you for filing this feature request. We internally call BsonClassMap.RegisterClassMap<T>(...). So we would have to implement a mechanism to differentiate between externally and internally configured BsonClassMap instances. This is totally possible and something that we will consider to ease the use of ObjectSerializer.AllowedTypes in an upcoming version. Please follow this ticket for updates.
