Adds DerivedParameterKnownTypesBinder so that we're following better practice in our tests

2019-06-26 10:35:03 +10:00 · 2019-06-26 10:35:03 +10:00 · 3fc4bee7e2
parent 47bb845d48
commit 3fc4bee7e2
2 changed files with 23 additions and 5 deletions
--- a/src/SignalR/server/SignalR/test/HubConnectionHandlerTestUtils/Hubs.cs
+++ b/src/SignalR/server/SignalR/test/HubConnectionHandlerTestUtils/Hubs.cs
@ -3,12 +3,14 @@

 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Runtime.CompilerServices;
 using System.Text;
 using System.Threading;
 using System.Threading.Channels;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
+using Newtonsoft.Json.Serialization;

 namespace Microsoft.AspNetCore.SignalR.Tests
 {
@ -789,6 +791,25 @@ namespace Microsoft.AspNetCore.SignalR.Tests
        }

        public class DerivedParameterTestObject : DerivedParameterTestObjectBase { }
+
+        public class DerivedParameterKnownTypesBinder : ISerializationBinder
+        {
+            private static readonly IEnumerable<Type> _knownTypes = new List<Type>()
+            {
+                typeof(DerivedParameterTestObject)
+            };
+
+            public static ISerializationBinder Instance { get; } = new DerivedParameterKnownTypesBinder();
+
+            public void BindToName(Type serializedType, out string assemblyName, out string typeName)
+            {
+                assemblyName = null;
+                typeName = serializedType.Name;
+            }
+
+            public Type BindToType(string assemblyName, string typeName) =>
+                _knownTypes.Single(type => type.Name == typeName);
+        }
    }

    public class SimpleHub : Hub
--- a/src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs
+++ b/src/SignalR/server/SignalR/test/HubConnectionHandlerTests.cs
@ -3595,11 +3595,8 @@ namespace Microsoft.AspNetCore.SignalR.Tests
                {
                    PayloadSerializerSettings = new JsonSerializerSettings()
                    {
-                        // The usage of TypeNameHandling.All is a security risk.
-                        // If you're implementing this in your own application instead use your own 'type' field and a custom JsonConverter
-                        // or ensure you're restricting to only known types with a custom SerializationBinder.
-                        // See https://github.com/aspnet/AspNetCore/issues/11495#issuecomment-505047422
-                        TypeNameHandling = TypeNameHandling.All
+                        TypeNameHandling = TypeNameHandling.All,
+                        SerializationBinder = StreamingHub.DerivedParameterKnownTypesBinder.Instance
                    }
                };
                var serviceProvider = HubConnectionHandlerTestUtils.CreateServiceProvider(