[CSHARP-4581] c# driver to auto register all explicitly mapped types as allowed Created: 24/Mar/23 Updated: 18/Apr/23 Resolved: 18/Apr/23 |
|
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | Serialization |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | New Feature | Priority: | Unknown |
| Reporter: | Gareth Budden | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Documentation Changes Summary: | 1. What would you like to communicate to the user about this feature? |
| Description |
|
I originally posted this here before realizing it should probably have gone in Jira as a feature request?
This works; however, at the company where I work we explicitly register all our types using BsonClassMap.RegisterClassMap<T>(...) to avoid accidents when serializing/deserializing. Given that we're already being explicit about the types we want registered, could the library note these types and add them to the allowed types automatically? |
| Comments |
| Comment by James Kovacs [ 18/Apr/23 ] |
|
Hi, Daniel,

Apologies for the delay in response.

The .NET/C# Driver uses a number of different serializers to perform BSON serialization. Which serializer is used depends on the actual and nominal types involved. If the actual type is MySagaData, but the nominal type is IContainSagaData (prior to your NServiceBus change), then the driver uses the DiscriminatedInterfaceSerializer<T>, which internally uses the ObjectSerializer. The ObjectSerializer now requires configuration of allowed types starting in 2.19.0 to avoid the .NET Framework bug (CVE-2022-48282). See

After the NServiceBus change, the driver uses the BsonClassMapSerializer<T>, which is not affected by CVE-2022-48282. This is why after the NServiceBus change you do not need to register any types with explicitly registered class maps with the object serializer as being safe. The execution path no longer uses the ObjectSerializer, but instead uses the configured BsonClassMapSerializer<T>.

I would encourage users of NServiceBus to upgrade to the newer version with this fix. If you are using another framework, I would suggest implementing a similar fix. If you cannot use a similar fix for whatever reason, please comment on this issue and we will reconsider this feature.

Sincerely, |
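Application code can keep the ObjectSerializer allowlist in step with its explicit class maps, which is what this request asks the driver to do. The following is an added example, not code from the ticket or the driver team; `ExplicitMaps` and the bodies of `MySagaData` and `IContainSagaData` are hypothetical, and it assumes driver 2.19.0 or later.

```csharp
using System;
using System.Collections.Concurrent;
using MongoDB.Bson;
using MongoDB.Bson.Serialization;
using MongoDB.Bson.Serialization.Serializers;

// Hypothetical stand-ins for the saga types named in the comment above.
public interface IContainSagaData { string Id { get; set; } }
public class MySagaData : IContainSagaData
{
    public string Id { get; set; }
    public string OrderNumber { get; set; }
}

// Hypothetical helper: records every type the application maps explicitly,
// so the ObjectSerializer allowlist cannot drift from the class maps.
public static class ExplicitMaps
{
    private static readonly ConcurrentDictionary<Type, bool> Allowed =
        new ConcurrentDictionary<Type, bool>();

    public static void Register<T>(Action<BsonClassMap<T>> init)
    {
        BsonClassMap.RegisterClassMap<T>(init);
        Allowed[typeof(T)] = true;
    }

    // Driver defaults plus the explicitly mapped types, nothing else.
    public static bool IsAllowed(Type t) =>
        ObjectSerializer.DefaultAllowedTypes(t) || Allowed.ContainsKey(t);
}

public static class Program
{
    public static void Main()
    {
        // Run at startup, before the driver first resolves a serializer for object.
        BsonSerializer.RegisterSerializer(new ObjectSerializer(ExplicitMaps.IsAllowed));
        ExplicitMaps.Register<MySagaData>(cm => cm.AutoMap());
        var saga = new MySagaData { Id = "constructed-saga-1", OrderNumber = "constructed-001" };

        // Nominal type == actual type: BsonClassMapSerializer<MySagaData>, no allowlist involved.
        var typed = BsonSerializer.Deserialize<MySagaData>(saga.ToBson());
        // Nominal type object: ObjectSerializer checks IsAllowed for the actual type.
        var viaObject = (MySagaData)BsonSerializer.Deserialize<object>(saga.ToBson<object>());
        // Nominal type is the interface: the DiscriminatedInterfaceSerializer<T> path from the comment above.
        var viaInterface = BsonSerializer.Deserialize<IContainSagaData>(saga.ToBson<IContainSagaData>());
        Console.WriteLine($"{typed.OrderNumber} {viaObject.Id} {viaInterface.Id}");
    }
}
```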
| Comment by Daniel Marbach [ 28/Mar/23 ] |
|
james.kovacs@mongodb.com Did you see my comment here? It has been a while since I worked with the client, so please bear with me. But once I moved towards using the type-based overloads of the BsonSerializer that matches the class mapping we already had in place, the exceptions went away.
|
| Comment by James Kovacs [ 27/Mar/23 ] |
|
Thank you for filing this feature request. We internally call BsonClassMap.RegisterClassMap<T>(...). So we would have to implement a mechanism to differentiate between externally and internally configured BsonClassMap instances. This is totally possible and something that we will consider to ease the use of ObjectSerializer.AllowedTypes in an upcoming version. Please follow this ticket for updates. |