Skip to content
This repository was archived by the owner on Jan 5, 2026. It is now read-only.

Fix CodeQL SM02211 alert - SerializationBinder#6549

Merged
tracyboehrer merged 7 commits into
mainfrom
southworks/fix/sm02211-binder-implementation
Nov 16, 2022
Merged

Fix CodeQL SM02211 alert - SerializationBinder#6549
tracyboehrer merged 7 commits into
mainfrom
southworks/fix/sm02211-binder-implementation

Conversation

@sw-joelmut
Copy link
Copy Markdown
Collaborator

@sw-joelmut sw-joelmut commented Nov 14, 2022

Fixes #6515 #6516 #6517 #6519 #6520

Description

This PR fixes the CodeQL SM02211 alert related to unsafe JsonSerializer TypeNameHandling usage.
For these cases, it implements a custom SerializationBinder, allowing only the types that are defined in the configuration or related ones.

Specific Changes

  • Adds the AllowedTypesSerializationBinder class to allow only types that are defined in the instance.
  • Adds tests for the AllowedTypesSerializationBinder class.
  • Updated BlobsStorage, AzureBlobStorage, and CosmosDbPartitionedStorage classes to implement the binder.
  • Updated BlobsTranscriptStore setting the TypeNameHandling to None.

Testing

The following image shows the tests passing successfully and the error message when a type isn't allowed by the process.
image
image

@sw-joelmut sw-joelmut added the Automation: No parity PR does not need to be applied to other languages. label Nov 14, 2022
@sw-joelmut sw-joelmut requested a review from a team as a code owner November 14, 2022 13:21
@sw-joelmut sw-joelmut closed this Nov 14, 2022
@sw-joelmut sw-joelmut reopened this Nov 14, 2022
@tracyboehrer
Copy link
Copy Markdown
Member

tracyboehrer commented Nov 14, 2022

@sw-joelmut This is getting some test failures in the storage tests. Here is one:

  Failed Microsoft.Bot.Builder.Azure.Tests.CosmosDbPartitionedStorageTests.WriteAsyncFailure [357 ms]
  Error Message:
   Assert.Throws() Failure
Expected: typeof(Microsoft.Azure.Cosmos.CosmosException)
Actual:   typeof(System.InvalidOperationException): Unable to find the following types in the 'AllowedTypes' collection.
  - <>f__AnonymousType0, Microsoft.Bot.Builder.Azure.Tests, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

Please provide the 'AllowedTypesSerializationBinder' in the custom 'JsonSerializerSettings' instance, with the list of types to allow.

Example:
    new JsonSerializerSettings
    {
        SerializationBinder = new AllowedTypesSerializationBinder(
            new List<Type>
            {
                typeof(<>f__AnonymousType0),
            }),
    }
---- System.InvalidOperationException : Unable to find the following types in the 'AllowedTypes' collection.
  - <>f__AnonymousType0, Microsoft.Bot.Builder.Azure.Tests, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

Please provide the 'AllowedTypesSerializationBinder' in the custom 'JsonSerializerSettings' instance, with the list of types to allow.

Example:
    new JsonSerializerSettings
    {
        SerializationBinder = new AllowedTypesSerializationBinder(
            new List<Type>
            {
                typeof(<>f__AnonymousType0),
            }),
    }
  Stack Trace:
     at Microsoft.Bot.Builder.AllowedTypesSerializationBinder.ThrowDisallowedTypesError(List`1 types) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder/AllowedTypesSerializationBinder.cs:line 170
   at Microsoft.Bot.Builder.AllowedTypesSerializationBinder.CleanupTypes(JContainer json) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder/AllowedTypesSerializationBinder.cs:line 148
   at Microsoft.Bot.Builder.Azure.CosmosDbPartitionedStorage.WriteAsync(IDictionary`2 changes, CancellationToken cancellationToken) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder.Azure/CosmosDbPartitionedStorage.cs:line 220
----- Inner Stack Trace -----
   at Microsoft.Bot.Builder.AllowedTypesSerializationBinder.ThrowDisallowedTypesError(List`1 types) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder/AllowedTypesSerializationBinder.cs:line 170
   at Microsoft.Bot.Builder.AllowedTypesSerializationBinder.CleanupTypes(JContainer json) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder/AllowedTypesSerializationBinder.cs:line 148
   at Microsoft.Bot.Builder.Azure.CosmosDbPartitionedStorage.WriteAsync(IDictionary`2 changes, CancellationToken cancellationToken) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder.Azure/CosmosDbPartitionedStorage.cs:line 220

@sw-joelmut
Copy link
Copy Markdown
Collaborator Author

sw-joelmut commented Nov 14, 2022

@sw-joelmut This is getting some test failures in the storage tests. Here is one:

  Failed Microsoft.Bot.Builder.Azure.Tests.CosmosDbPartitionedStorageTests.WriteAsyncFailure [357 ms]
  Error Message:
   Assert.Throws() Failure
Expected: typeof(Microsoft.Azure.Cosmos.CosmosException)
Actual:   typeof(System.InvalidOperationException): Unable to find the following types in the 'AllowedTypes' collection.
  - <>f__AnonymousType0, Microsoft.Bot.Builder.Azure.Tests, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

Please provide the 'AllowedTypesSerializationBinder' in the custom 'JsonSerializerSettings' instance, with the list of types to allow.

Example:
    new JsonSerializerSettings
    {
        SerializationBinder = new AllowedTypesSerializationBinder(
            new List<Type>
            {
                typeof(<>f__AnonymousType0),
            }),
    }
---- System.InvalidOperationException : Unable to find the following types in the 'AllowedTypes' collection.
  - <>f__AnonymousType0, Microsoft.Bot.Builder.Azure.Tests, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

Please provide the 'AllowedTypesSerializationBinder' in the custom 'JsonSerializerSettings' instance, with the list of types to allow.

Example:
    new JsonSerializerSettings
    {
        SerializationBinder = new AllowedTypesSerializationBinder(
            new List<Type>
            {
                typeof(<>f__AnonymousType0),
            }),
    }
  Stack Trace:
     at Microsoft.Bot.Builder.AllowedTypesSerializationBinder.ThrowDisallowedTypesError(List`1 types) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder/AllowedTypesSerializationBinder.cs:line 170
   at Microsoft.Bot.Builder.AllowedTypesSerializationBinder.CleanupTypes(JContainer json) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder/AllowedTypesSerializationBinder.cs:line 148
   at Microsoft.Bot.Builder.Azure.CosmosDbPartitionedStorage.WriteAsync(IDictionary`2 changes, CancellationToken cancellationToken) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder.Azure/CosmosDbPartitionedStorage.cs:line 220
----- Inner Stack Trace -----
   at Microsoft.Bot.Builder.AllowedTypesSerializationBinder.ThrowDisallowedTypesError(List`1 types) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder/AllowedTypesSerializationBinder.cs:line 170
   at Microsoft.Bot.Builder.AllowedTypesSerializationBinder.CleanupTypes(JContainer json) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder/AllowedTypesSerializationBinder.cs:line 148
   at Microsoft.Bot.Builder.Azure.CosmosDbPartitionedStorage.WriteAsync(IDictionary`2 changes, CancellationToken cancellationToken) in /Users/runner/work/1/s/libraries/Microsoft.Bot.Builder.Azure/CosmosDbPartitionedStorage.cs:line 220

@tracyboehrer, we will review them and let you know once we fix them.

Thanks!

@coveralls
Copy link
Copy Markdown
Collaborator

coveralls commented Nov 15, 2022

Pull Request Test Coverage Report for Build 329473

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 128 unchanged lines in 9 files lost coverage.
  • Overall coverage decreased (-0.0007%) to 79.057%
Files with Coverage Reduction New Missed Lines %
/libraries/AdaptiveExpressions/BuiltinFunctions/StringTransformEvaluator.cs 1 83.33%
/libraries/integration/Microsoft.Bot.Builder.Integration.AspNet.Core/ServiceCollectionExtensions.cs 1 93.55%
/libraries/Microsoft.Bot.Builder.LanguageGeneration/Evaluator.cs 1 95.42%
/libraries/Microsoft.Bot.Connector.Streaming/TaskExtensions.cs 1 82.61%
/libraries/Microsoft.Bot.Connector.Streaming/Transport/TransportHandler.cs 2 96.39%
/libraries/Microsoft.Bot.Connector/Authentication/SkillValidation.cs 7 47.3%
/libraries/Microsoft.Bot.Connector.Streaming/Session/StreamingSession.cs 8 89.62%
/libraries/Microsoft.Bot.Connector/Authentication/EmulatorValidation.cs 35 32.35%
/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs 72 0%
Totals Coverage Status
Change from base Build 328982: -0.0007%
Covered Lines: 25696
Relevant Lines: 32503
💛 - Coveralls

@BruceHaley
Copy link
Copy Markdown
Contributor

BruceHaley commented Nov 15, 2022

✔️ No Binary Compatibility issues for Microsoft.Bot.Builder.dll
✔️ No Binary Compatibility issues for Microsoft.Bot.Builder.Azure.dll

@sw-joelmut
Copy link
Copy Markdown
Collaborator Author

sw-joelmut commented Nov 15, 2022

@tracyboehrer, we updated the failing tests to include the new custom SerializationBinder, and now they are all passing.

@tracyboehrer tracyboehrer merged commit 1ee5f6a into main Nov 16, 2022
@tracyboehrer tracyboehrer deleted the southworks/fix/sm02211-binder-implementation branch November 16, 2022 14:03
tracyboehrer pushed a commit that referenced this pull request Feb 21, 2023
Revert "Fix CodeQL SM02211 alert - SerializationBinder (#6549)"
40a2948 
This reverts commit 1ee5f6a.
tracyboehrer added a commit that referenced this pull request Feb 23, 2023
@tracyboehrer @sw-joelmut
Reverted Storage changes for type handling (#6594)
f2c3c77 
* Revert "[#6582, #6584] Incorrect serialization of state when using Blob or CosmosDB storage in v4.19.x (#6585)"

This reverts commit e15b38d.

* Revert "Fix CodeQL SM02211 alert - SerializationBinder (#6549)"

This reverts commit 1ee5f6a.

* Skip TypeNameHandling CodeQL issue from Azure and Blobs storage (#6592)

---------

Co-authored-by: Tracy Boehrer <trboehre@microsoft.com>
Co-authored-by: Joel Mut <62260472+sw-joelmut@users.noreply.github.com>
@dependabot dependabot Bot mentioned this pull request Dec 21, 2025
Merged
This was referenced May 14, 2026
Closed
Closed
Closed
Open
Closed
Closed
Open
Closed
This was referenced May 14, 2026
Closed
Open
Closed
Open
Closed
Closed
Closed
Open
Open
Open
Open
Open
Open
Open
Closed
Open
Closed
Closed
Closed
Closed
Open
Open
Open
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@tracyboehrer tracyboehrer tracyboehrer approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Automation: No parity PR does not need to be applied to other languages.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CodeQL alert SM02211: Unsafe TypeNameHandling in microsoft/microsoft/botbuilder-dotnet/botbuilder-dotnet

4 participants

@sw-joelmut @tracyboehrer @coveralls @BruceHaley