Hyperion v0.11.1
0.11.1 August 17 2021
We've added a deserialization safety check that blocks dangerous types from being deserialized.
It adds a layer of protection against possible code injection and code execution attacks.
Currently it is an all-or-nothing feature that can be turned on and off with the new DisallowUnsafeTypes flag inside SerializerOptions (defaults to true).
The unsafe types that are currently blocked are:
- System.Security.Claims.ClaimsIdentity
- System.Windows.Forms.AxHost.State
- System.Windows.Data.ObjectDataProvider
- System.Management.Automation.PSObject
- System.Web.Security.RolePrincipal
- System.IdentityModel.Tokens.SessionSecurityToken
- SessionViewStateHistoryItem
- TextFormattingRunProperties
- ToolboxItemContainer
- System.Security.Principal.WindowsClaimsIdentity
- System.Security.Principal.WindowsIdentity
- System.Security.Principal.WindowsPrincipal
- System.CodeDom.Compiler.TempFileCollection
- System.IO.FileSystemInfo
- System.Activities.Presentation.WorkflowDesigner
- System.Windows.ResourceDictionary
- System.Windows.Forms.BindingSource
- Microsoft.Exchange.Management.SystemManager.WinForms.ExchangeSettingsProvider
- System.Diagnostics.Process
- System.Management.IWbemClassObjectFreeThreaded
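The following is an added example, not code from Hyperion: a minimal deny-list guard of the kind described above, applied to a resolved type before any instance is created. The names TypeDenyList, FindDenied and EnsureAllowed are hypothetical, and the base-type walk (so that a subclass such as FileInfo is caught by the System.IO.FileSystemInfo entry) is this example's own design choice; these notes do not say how Hyperion matches types.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;

// Added illustration, not Hyperion source; TypeDenyList and its members are hypothetical names.
public static class TypeDenyList
{
    // Subset of the full type names listed in the release notes.
    private static readonly HashSet<string> Unsafe = new HashSet<string>(StringComparer.Ordinal)
    {
        "System.Security.Claims.ClaimsIdentity",
        "System.Windows.Data.ObjectDataProvider",
        "System.CodeDom.Compiler.TempFileCollection",
        "System.IO.FileSystemInfo",
        "System.Diagnostics.Process",
    };

    // Returns the denied name that matched, or null if the type is allowed.
    // Walks the inheritance chain so a subclass of a denied type is also rejected.
    public static string FindDenied(Type type)
    {
        for (Type t = type; t != null; t = t.BaseType)
            if (t.FullName != null && Unsafe.Contains(t.FullName)) return t.FullName;
        return null;
    }

    // Intended call site: after the type name in the payload is resolved, before instantiation.
    // The parameter mirrors the on/off behaviour of the flag described in the notes.
    public static void EnsureAllowed(Type type, bool disallowUnsafeTypes = true)
    {
        if (!disallowUnsafeTypes) return;
        string hit = FindDenied(type);
        if (hit != null)
            throw new InvalidOperationException($"Refusing to deserialize {type.FullName}: matches denied type {hit}");
    }
}

public static class Program
{
    public static void Main()
    {
        TypeDenyList.EnsureAllowed(typeof(Uri));                                  // not on the list
        Console.WriteLine(TypeDenyList.FindDenied(typeof(Process)));              // exact-name match
        Console.WriteLine(TypeDenyList.FindDenied(typeof(FileInfo)));             // match via base type
        TypeDenyList.EnsureAllowed(typeof(FileInfo), disallowUnsafeTypes: false); // check switched off
    }
}
```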
Changes:
- 728edc8 Version 0.11.1 Release
- 63cb41e Merge branch 'dev'
- e3b1a3d Update release notes for 0.11.1 release (#255)
- 5284534 Cleanup type blacklist PR (#254)
- 03d7826 close #251 - add Linux CI (#252)
- a7fc161 standardize Hyperion runtimes through common.props (#253)
- 3c3cc04 Add deserialization type denylist (#242) [ #69, #70 ]
- f9fc857 updated benchmarks to run on modern .NET platforms (#250)
- 2d023dc Bump Microsoft.NET.Test.Sdk from 16.10.0 to 16.11.0 (#249)
- 2ebd5c2 Bump FluentAssertions from 5.10.3 to 6.0.0 (#248)