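/// <summary>
/// Reads <paramref name="file"/> and deserializes its contents with
/// <see cref="System.Web.UI.ObjectStateFormatter"/>.
/// </summary>
/// <param name="file">Path of the file to read; it is opened read-only with exclusive sharing.</param>
/// <returns>The object graph reconstructed from the file.</returns>
/// <remarks>
/// ObjectStateFormatter rebuilds whatever object graph the input describes, so this
/// is an arbitrary-type deserialization sink: only files the application itself wrote
/// and trusts should be passed here, never content that an outside party can supply.
/// </remarks>
public static object DeserializeObjectFromFile_osf(string file)
{
    IFormatter formatter = new System.Web.UI.ObjectStateFormatter();

    // Dispose the handle on every path; the original only called Close() after a
    // successful Deserialize, so a throwing payload leaked the open file.
    using (Stream stream = new FileStream(file, FileMode.Open, FileAccess.Read, FileShare.None))
    {
        return formatter.Deserialize(stream);
    }
}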
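/// <summary>
/// Feeds <paramref name="payload"/> to the formatter selected by
/// <paramref name="method"/> (compared case-insensitively) and discards the result;
/// the act of deserializing is what is being exercised.
/// </summary>
/// <param name="payload">Serialized bytes handed to the formatter.</param>
/// <param name="method">One of "binaryformatter", "objectstateformatter",
/// "soapformatter" or "losformatter"; any other value prints "Not supported".</param>
/// <exception cref="ArgumentNullException"><paramref name="method"/> is null.</exception>
static void testPayload(byte[] payload, string method)
{
    if (method is null)
    {
        throw new ArgumentNullException(nameof(method));
    }

    try
    {
        // ToLowerInvariant: the original ToLower() used the current culture, so under
        // e.g. a Turkish culture "BinaryFormatter" would not match the case label.
        switch (method.ToLowerInvariant())
        {
            case "binaryformatter":
                System.Runtime.Serialization.Formatters.Binary.BinaryFormatter bf = new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter();
                bf.Deserialize(new System.IO.MemoryStream(payload));
                break;
            case "objectstateformatter":
                System.Web.UI.ObjectStateFormatter osf = new System.Web.UI.ObjectStateFormatter();
                osf.Deserialize(new System.IO.MemoryStream(payload));
                break;
            case "soapformatter":
                System.Runtime.Serialization.Formatters.Soap.SoapFormatter sf = new System.Runtime.Serialization.Formatters.Soap.SoapFormatter();
                sf.Deserialize(new System.IO.MemoryStream(payload));
                break;
            case "losformatter":
                System.Web.UI.LosFormatter lf = new System.Web.UI.LosFormatter();
                lf.Deserialize(new System.IO.MemoryStream(payload));
                break;
            default:
                Console.WriteLine("Not supported");
                break;
        }
    }
    // An internal InvalidCastException is expected; the formatters surface it wrapped
    // in one of these two exception types, which is why both are ignored.
    // NOTE(review): these handlers also silence every other TargetInvocationException
    // and ArgumentException, so an unrelated failure in a formatter goes unreported.
    catch (System.Reflection.TargetInvocationException)
    {
    }
    catch (ArgumentException)
    {
    }
}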
/// <summary>
/// Analyzer fixture: every statement below is a deserialization entry point that a
/// scanner is expected to report. The <c>// Unsafe N</c> markers group the expected
/// findings; the gaps in the numbering presumably belong to cases outside this block.
/// </summary>
/// <param name="json">Document fed to the first (Json.NET) case only.</param>
/// <param name="param">A <see cref="TypeNameHandling"/> whose value is not known
/// statically, so the rule must treat it as potentially unsafe.</param>
/// <remarks>
/// Not meant to be executed: <c>xmlObjectSerializer</c> is null when
/// <c>ReadObject</c> is called on it, and <c>data</c> is never read. <c>GetHandling</c>,
/// <c>Model</c> and <c>InsecureDeserialize</c> are defined elsewhere in the project.
/// </remarks>
static void Method(string json, TypeNameHandling param)
{
    //Unsafe 2
    // TypeNameHandling other than None lets the JSON document pick the CLR type that
    // gets instantiated. The enum-member, numeric-cast, parameter and call-result
    // forms are listed so the rule catches each way the setting can be assigned.
    var data = JsonConvert.DeserializeObject<Model>(json, new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Objects });
    var serializeSettings = new JsonSerializerSettings();
    serializeSettings.TypeNameHandling = TypeNameHandling.All;
    serializeSettings.TypeNameHandling = (TypeNameHandling)2;
    serializeSettings = new JsonSerializerSettings { TypeNameHandling = param };
    serializeSettings.TypeNameHandling = GetHandling("");

    // Unsafe 5
    // Message-queue formatter that reconstructs the object graph carried in the message body.
    BinaryMessageFormatter binaryMessage = new System.Messaging.BinaryMessageFormatter();
    binaryMessage.Read(new Message());

    // Unsafe 7
    // ObjectStateFormatter, both the string and the Stream overload.
    System.Web.UI.ObjectStateFormatter formatter = new System.Web.UI.ObjectStateFormatter();
    formatter.Deserialize("");
    formatter.Deserialize(new MemoryStream());

    // Unsafe 8
    // The abstract base of the data-contract serializers; a null instance is enough
    // here because only the call shape matters (executing it would throw NullReferenceException).
    XmlObjectSerializer xmlObjectSerializer = null;
    xmlObjectSerializer.ReadObject(new MemoryStream());

    // Unsafe 11
    // DataContractJsonSerializer bound to a fixed type; every ReadObject overload is
    // exercised once so the rule covers all of them.
    DataContractJsonSerializer dataContractJsonSerializer = new DataContractJsonSerializer(typeof(InsecureDeserialize));
    dataContractJsonSerializer.ReadObject(new MemoryStream());
    dataContractJsonSerializer.ReadObject(XmlDictionaryReader.Create(""));
    dataContractJsonSerializer.ReadObject(XmlDictionaryReader.Create(""), false);
    dataContractJsonSerializer.ReadObject(XmlReader.Create(""));
    dataContractJsonSerializer.ReadObject(XmlReader.Create(""), false);

    // Unsafe 12
    // XmlSerializer bound to a fixed type; Stream, TextReader and the XmlReader
    // overloads (with encoding style and/or deserialization events) are all listed.
    XmlSerializer xmlSerializer = new XmlSerializer(typeof(InsecureDeserialize));
    xmlSerializer.Deserialize(new MemoryStream());
    xmlSerializer.Deserialize(TextReader.Null);
    xmlSerializer.Deserialize(XmlReader.Create(""));
    xmlSerializer.Deserialize(XmlReader.Create(""), "\"");
    xmlSerializer.Deserialize(XmlReader.Create(""), new System.Xml.Serialization.XmlDeserializationEvents());
    xmlSerializer.Deserialize(XmlReader.Create(""), "\"", new System.Xml.Serialization.XmlDeserializationEvents());

    // Unsafe 13
    // XML counterpart of the message-queue formatter above.
    System.Messaging.XmlMessageFormatter xmlMessageFormatter = new XmlMessageFormatter();
    xmlMessageFormatter.Read(new System.Messaging.Message());

    // Unsafe 14
    // ResourceReader over a path and over a stream; a .resources blob can carry
    // serialized objects, which is presumably why both constructors are flagged.
    System.Resources.ResourceReader resourceReader = new System.Resources.ResourceReader("");
    resourceReader = new System.Resources.ResourceReader(new MemoryStream());

    // Unsafe 15
    // Third-party JSON library entry point (fastJSON).
    fastJSON.JSON.ToObject("");

    // Unsafe 16
    // ServiceStack.Text: the Json, Type (JSV), Csv and Xml serializers, each via the
    // string, reader and stream variants, in both the Type-argument and generic forms.
    ServiceStack.Text.JsonSerializer.DeserializeFromString("", typeof(InsecureDeserialize));
    ServiceStack.Text.JsonSerializer.DeserializeFromReader(TextReader.Null, typeof(InsecureDeserialize));
    ServiceStack.Text.JsonSerializer.DeserializeFromStream(typeof(InsecureDeserialize), new MemoryStream());
    ServiceStack.Text.TypeSerializer.DeserializeFromString("", typeof(InsecureDeserialize));
    ServiceStack.Text.TypeSerializer.DeserializeFromReader(TextReader.Null, typeof(InsecureDeserialize));
    ServiceStack.Text.TypeSerializer.DeserializeFromStream(typeof(InsecureDeserialize), new MemoryStream());
    ServiceStack.Text.CsvSerializer.DeserializeFromString(typeof(InsecureDeserialize), "");
    ServiceStack.Text.CsvSerializer.DeserializeFromReader<InsecureDeserialize>(TextReader.Null);
    ServiceStack.Text.CsvSerializer.DeserializeFromStream(typeof(InsecureDeserialize), new MemoryStream());
    ServiceStack.Text.XmlSerializer.DeserializeFromString("", typeof(InsecureDeserialize));
    ServiceStack.Text.XmlSerializer.DeserializeFromReader<InsecureDeserialize>(TextReader.Null);
    ServiceStack.Text.XmlSerializer.DeserializeFromStream(typeof(InsecureDeserialize), new MemoryStream());
}
/// <summary>
/// Fixture for the <see cref="System.Web.UI.ObjectStateFormatter"/> sink: builds a
/// formatter and hands it an empty <see cref="MemoryStream"/> to deserialize.
/// The input is not attacker-supplied here; the call shape is what a scanner reports.
/// </summary>
public void ObjectStateFormatter()
{
    System.Web.UI.ObjectStateFormatter formatter = new System.Web.UI.ObjectStateFormatter();
    MemoryStream emptyInput = new MemoryStream();
    formatter.Deserialize(emptyInput);
}