akkadotnet · Arkatufus · Aug 16, 2021 · Aug 11, 2017 · Aug 11, 2017 · Aug 17, 2017
diff --git a/src/Hyperion.API.Tests/CoreApiSpec.ApproveApi.approved.txt b/src/Hyperion.API.Tests/CoreApiSpec.ApproveApi.approved.txt
@@ -350,6 +350,11 @@ namespace Hyperion.Internal
         public string Contract { get; }
         public bool ForceFullStates { get; }
     }
+    public class EvilDeserializationException : System.Security.SecurityException
+    {
+        public EvilDeserializationException(string message, string typeString) { }
+        public string BadTypeString { get; }
+    }
     [System.AttributeUsage(System.AttributeTargets.Property | System.AttributeTargets.Field | System.AttributeTargets.Parameter | System.AttributeTargets.All)]
     public sealed class HtmlAttributeValueAttribute : System.Attribute
     {

diff --git a/src/Hyperion.Tests/ExpressionTests.cs b/src/Hyperion.Tests/ExpressionTests.cs
@@ -9,6 +9,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.IO;
 using System.Linq;
 using System.Linq.Expressions;

diff --git a/src/Hyperion.Tests/UnsafeDeserializationExclusionTests.cs b/src/Hyperion.Tests/UnsafeDeserializationExclusionTests.cs
@@ -0,0 +1,26 @@
+using System.IO;
+using Hyperion.Extensions;
+using Hyperion.Internal;
+using Xunit;
+
+namespace Hyperion.Tests
+{
+    public class UnsafeDeserializationExclusionTests
+    {
+        [Fact]
+        public void CantDeserializeANaughtyType()
+        {
+            //System.Diagnostics.Process p = new Process();
+            var serializer = new Hyperion.Serializer();
+            var di =new System.IO.DirectoryInfo(@"c:\");
+
+            using (var stream = new MemoryStream())
+            {
+                serializer.Serialize(di, stream);
+                stream.Position = 0;
+                Assert.Throws<EvilDeserializationException>(() =>
+                    serializer.Deserialize<DirectoryInfo>(stream));
+            }
+        }
+    }
+}
diff --git a/src/Hyperion/Extensions/TypeEx.cs b/src/Hyperion/Extensions/TypeEx.cs
@@ -10,10 +10,12 @@
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
+using System.Collections.ObjectModel;
 using System.IO;
 using System.Linq;
 using System.Reflection;
 using System.Text.RegularExpressions;
+using Hyperion.Internal;
 
 namespace Hyperion.Extensions
 {
@@ -132,19 +134,82 @@ private static Type GetTypeFromManifestName(Stream stream, DeserializerSession s
             });
         }
 
+        public static bool disallowUnsafeTypes = true;
+
+        private static ReadOnlyCollection<string> unsafeTypesDenySet =
+            new ReadOnlyCollection<string>(new[]
+            {
+                "System.Security.Claims.ClaimsIdentity",
+                "System.Windows.Forms.AxHost.State",
+                "System.Windows.Data.ObjectDataProvider",
+                "System.Management.Automation.PSObject",
+                "System.Web.Security.RolePrincipal",
+                "System.IdentityModel.Tokens.SessionSecurityToken",
+                "SessionViewStateHistoryItem",
+                "TextFormattingRunProperties",
+                "ToolboxItemContainer",
+                "System.Security.Principal.WindowsClaimsIdentity",
+                "System.Security.Principal.WindowsIdentity",
+                "System.Security.Principal.WindowsPrincipal",
+                "System.CodeDom.Compiler.TempFileCollection",
+                "System.IO.FileSystemInfo",
+                "System.Activities.Presentation.WorkflowDesigner",
+                "System.Windows.ResourceDictionary",
+                "System.Windows.Forms.BindingSource",
+                "Microsoft.Exchange.Management.SystemManager.WinForms.ExchangeSettingsProvider",
+                "System.Diagnostics.Process",
+                "System.Management.IWbemClassObjectFreeThreaded"
+            });
+
+#if NETSTANDARD1_6
+#else
+        public static bool UnsafeInheritanceCheck(Type type)
+        {
+            if (type.IsValueType)
+                return false;
+            var currentBase = type.BaseType;
+            while (currentBase != typeof(object))
+            {
+                if (unsafeTypesDenySet.Any(r => currentBase.FullName.Contains(r)))
+                    return true;
+                currentBase = currentBase.BaseType;
+            }
+
+            return false;
+        }
+     #endif    
         public static Type LoadTypeByName(string name)
         {
+            if (disallowUnsafeTypes && unsafeTypesDenySet.Any(r => name.Contains(r)))
+            {
+                throw new EvilDeserializationException(
+                    "Unsafe Type Deserialization Detected!", name);
+            }
             try
             {
                 // Try to load type name using strict version to avoid possible conflicts
                 // i.e. if there are different version available in GAC and locally
                 var typename = ToQualifiedAssemblyName(name, ignoreAssemblyVersion: false);
-                return Type.GetType(typename, true);
+                var type = Type.GetType(typename, true);
+#if  NETSTANDARD1_6
+                #else
+                if (UnsafeInheritanceCheck(type))
+                    throw new EvilDeserializationException(
+                        "Unsafe Type Deserialization Detected!", name);
+#endif
+                return type;
             }
             catch (FileLoadException)
             {
                 var typename = ToQualifiedAssemblyName(name, ignoreAssemblyVersion: true);
-                return Type.GetType(typename, true);
+                var type =  Type.GetType(typename, true);
+#if  NETSTANDARD1_6
+#else
+                if (UnsafeInheritanceCheck(type))
+                    throw new EvilDeserializationException(
+                        "Unsafe Type Deserialization Detected!", name);
+#endif
+                return type;
             }
         }
 

diff --git a/src/Hyperion/Internal/Annotations.cs b/src/Hyperion/Internal/Annotations.cs
@@ -8,6 +8,7 @@
 #endregion
 
 using System;
+using System.Security;
 
 #pragma warning disable 1591
 // ReSharper disable UnusedMember.Global
@@ -19,6 +20,16 @@
 
 namespace Hyperion.Internal
 {
+    public class EvilDeserializationException : SecurityException
+    {
+        public EvilDeserializationException(string message,
+            string typeString) : base(message)
+        {
+            BadTypeString = typeString;
+        }
+
+        public string BadTypeString { get; }
+    }
     /// <summary>
     /// Indicates that the value of the marked element could be <c>null</c> sometimes,
     /// so the check for <c>null</c> is necessary before its usage.

diff --git a/src/Hyperion/ValueSerializers/TypeSerializer.cs b/src/Hyperion/ValueSerializers/TypeSerializer.cs
@@ -8,6 +8,7 @@
 #endregion
 
 using System;
+using System.Collections.Concurrent;
 using System.IO;
 using Hyperion.Extensions;
 
@@ -60,13 +61,16 @@ public override void WriteValue(Stream stream, object value, SerializerSession s
             }
         }
 
+        private static readonly ConcurrentDictionary<string, Type> TypeNameLookup =
+            new ConcurrentDictionary<string, Type>();
         public override object ReadValue(Stream stream, DeserializerSession session)
         {
             var shortname = stream.ReadString(session);
             if (shortname == null)
                 return null;
 
-            var type = TypeEx.LoadTypeByName(shortname);
+            var type = TypeNameLookup.GetOrAdd(shortname,
+                name => TypeEx.LoadTypeByName(shortname));
 
             //add the deserialized type to lookup
             if (session.Serializer.Options.PreserveObjectReferences)