Adds comment about the security of TypeNameHandling.All

2019-06-26 12:50:42 +10:00 · 2019-06-26 12:50:42 +10:00 · 32998b9e3c
parent 3fc4bee7e2
commit 32998b9e3c
1 changed files with 4 additions and 0 deletions
--- a/src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs
+++ b/src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs
@ -3595,6 +3595,10 @@ namespace Microsoft.AspNetCore.SignalR.Tests
                {
                    PayloadSerializerSettings = new JsonSerializerSettings()
                    {
+                        // The usage of TypeNameHandling.All is a security risk.
+                        // If you're implementing this in your own application instead use your own 'type' field and a custom JsonConverter
+                        // or ensure you're restricting to only known types with a custom SerializationBinder like we are here.
+                        // See https://github.com/aspnet/AspNetCore/issues/11495#issuecomment-505047422
                        TypeNameHandling = TypeNameHandling.All,
                        SerializationBinder = StreamingHub.DerivedParameterKnownTypesBinder.Instance
                    }