Hyperion v0.12.0

0.12.0 January 12 2022

• Allow explicit control over which types can be deserialized #281

We've expanded our deserialization safety check to block dangerous types from being deserialized; we recommend this method as a best practice to prevent deserialization of untrusted data. You can now create a custom deserialize layer type filter programmatically:

var typeFilter = TypeFilterBuilder.Create()
    .Include<AllowedClassA>()
    .Include<AllowedClassB>()
    .Build();
var options = SerializerOptions.Default
    .WithTypeFilter(typeFilter);
var serializer = new Serializer(options);

For complete documentation, please read the readme on filtering types for secure deserialization.

0.11.2 October 7 2021

• Fix exception thrown during deserialization when preserve object reference was turned on
  and a surrogate instance was inserted into a collection multiple times. #264
• Add support for AggregateException serialization. #266

0.11.1 August 17 2021

• Add unsafe deserialization type blacklist
• Bump Akka version from 1.4.21 to 1.4.23

We've added a deserialization safety check to block dangerous types from being deserialized.
This is done to add a layer of security from possible code injection and code execution attack.
Currently it is an all or nothing feature that can be turned on and off by using the new DisallowUnsafeTypes flag inside SerializerOptions (defaults to true).

The unsafe types that are currently blocked are:

• System.Security.Claims.ClaimsIdentity
• System.Windows.Forms.AxHost.State
• System.Windows.Data.ObjectDataProvider
• System.Management.Automation.PSObject
• System.Web.Security.RolePrincipal
• System.IdentityModel.Tokens.SessionSecurityToken
• SessionViewStateHistoryItem
• TextFormattingRunProperties
• ToolboxItemContainer
• System.Security.Principal.WindowsClaimsIdentity
• System.Security.Principal.WindowsIdentity
• System.Security.Principal.WindowsPrincipal
• System.CodeDom.Compiler.TempFileCollection
• System.IO.FileSystemInfo
• System.Activities.Presentation.WorkflowDesigner
• System.Windows.ResourceDictionary
• System.Windows.Forms.BindingSource
• Microsoft.Exchange.Management.SystemManager.WinForms.ExchangeSettingsProvider
• System.Diagnostics.Process
• System.Management.IWbemClassObjectFreeThreaded

0.11.0 July 8 2021

• Fix array of user defined structs serialization failure
• Remove dynamic keyword usage from array serializer
• Change field ordering to ordinal

Possible breaking changes

The change to the object serializer field ordering might cause a deserialization failure of persisted objects
that are serialized using the Hyperion serializer.

Please report any serialization problem that occurs after an upgrade to this version at the
issue tracker

0.10.2 June 30 2021

• Update Akka version to 1.4.21
• Add exception rethrow to help with debugging

0.10.1 April 20 2021

• Fix SerializerOptions constructor backward compatibility issue with Akka.NET

Changes:

• ea7ef0f Version 0.12.0 release
• d26d24c Merge branch 'dev'
• 87ad62d Add TypeFilter enabled benchmark (#283)
• d8c7ea1 Improve EvilDeserializationException message (#284)
• 3c7a701 Update RELEASE_NOTES.md for 0.11.3 release (#285)
• 0feacb1 Bump FluentAssertions from 6.2.0 to 6.3.0 (#280)
• 122f5af Add type filtering feature (#281)
• 7a78155 Fix SerializeStructBenchmark, Serializer not initialized (#282)
• 4ecbb05 Bump AkkaVersion from 1.4.29 to 1.4.31 (#279)
• 1296c6d Bump AkkaVersion from 1.4.27 to 1.4.29 (#278)

See More

• 35c3b9e Bump FSharp.Core from 6.0.0 to 6.0.1 (#274)
• 2ad62a2 Bump Microsoft.NET.Test.Sdk from 16.11.0 to 17.0.0 (#273)
• 6bd4be8 Bump FluentAssertions from 6.1.0 to 6.2.0 (#272)
• d8124f0 Bump AkkaVersion from 1.4.26 to 1.4.27 (#271)
• 52ec792 Use IOException instead of FileLoadException to handle #269 where an FileNotFoundExeption is thrown. (#270)

This list of changes was auto generated.