From 32998b9e3c2483dae623a665df171b8e773b1d78 Mon Sep 17 00:00:00 2001
From: Nick Darvey
Date: Wed, 26 Jun 2019 12:50:42 +1000
Subject: [PATCH] Adds comment about the security of TypeNameHandling.All

---
 src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs b/src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs
index b4aad749d2..ed17fe0702 100644
--- a/src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs
+++ b/src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs
@@ -3595,6 +3595,10 @@ namespace Microsoft.AspNetCore.SignalR.Tests
 {
 PayloadSerializerSettings = new JsonSerializerSettings()
 {
+ // The usage of TypeNameHandling.All is a security risk.
+ // If you're implementing this in your own application instead use your own 'type' field and a custom JsonConverter
+ // or ensure you're restricting to only known types with a custom SerializationBinder like we are here.
+ // See https://github.com/aspnet/AspNetCore/issues/11495#issuecomment-505047422
 TypeNameHandling = TypeNameHandling.All,
 SerializationBinder = StreamingHub.DerivedParameterKnownTypesBinder.Instance
 }
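Review bot: The added comment tells readers to restrict types with a custom SerializationBinder but not what makes such a binder effective: a binder that only maps known names and falls back to default type resolution for everything else gives no protection, so it has to reject (e.g. throw on) every unrecognised type name. I would extend the third added line with `// (the binder must reject unknown type names, not fall back to default resolution; TypeNameHandling.None, the default, is the safe choice when polymorphic deserialization is not needed)`. Whether DerivedParameterKnownTypesBinder actually rejects unknown names cannot be seen from this hunk, since its implementation lives elsewhere. The enclosing test method and the object initializer both start and end outside the hunk.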