Fix: Enhance JSON Deserialization Security - Mitigate TypeNameHandling Vulnerability (#7423)

sush-101 · web-flow · commit 5274e8d672ae · 2025-03-06T13:46:08.000Z
[Bug 30973440](https://msazure.visualstudio.com/One/_workitems/edit/30973440) and [Bug 30973442](https://msazure.visualstudio.com/One/_workitems/edit/30973442) CodeQL issue: https://liquid.microsoft.com/codeql/issues/621b3860-9992-462a-8a9d-0a24593f51a5?copilot_promptid=E91B0CE9-0C1B-4AC2-8A46-33F49B67E058 This commit addresses a potential security vulnerability **within our test code and infrastructure** related to JSON deserialization by enhancing the type handling mechanism. **Issue:** The previous deserialization configuration was using `TypeNameHandling.Auto` in Newtonsoft.Json. `TypeNameHandling.Auto` allows for automatic deserialization of types based on `$type` metadata embedded in the JSON. If an attacker can control the JSON input, they can potentially inject malicious `$type` properties to instantiate arbitrary types, leading to Remote Code Execution (RCE) vulnerabilities. This is related to our test infrastructure, so the potential security impact does not include production code running on customers' devices **Fix Implemented:** To mitigate this risk, the following changes have been made: 1. **Disabled Automatic Type Name Handling (`TypeNameHandling.None`):** - The `TypeNameHandling` setting in `JsonSerializerSettings` has been explicitly set to `TypeNameHandling.None`. - This is because the serialized JSON in our use case does not include `$type` metadata. Setting `TypeNameHandling.None` ensures that automatic `$type` processing is completely disabled, further enhancing security. 2. **Implemented Secure Deserialization with KnownTypes Whitelist:** - Updated TypeNameSerializationBinder binder to utilize a `KnownTypes` whitelist, explicitly defining the set of allowed types that can be deserialized. - The deserializer is now configured to use this `SerializationBinder`, ensuring that only types present in the `KnownTypes` whitelist are permitted for deserialization. This significantly restricts the attack surface and prevents the instantiation of unauthorized or potentially malicious types. - This approach aligns with secure deserialization best practices and follows the guidance outlined in: [https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010#Zguide](https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010#Zguide) and recommendation: Solution using custom ISerializationBinder: [https://liquid.microsoft.com/Web/Object/Read/ScanningToolWarnings/Requirements/CodeQL.SM02211#Zguide](https://liquid.microsoft.com/Web/Object/Read/ScanningToolWarnings/Requirements/CodeQL.SM02211#Zguide) **Tested the changes in the local:** ![image](https://github.com/user-attachments/assets/884e1f4b-aedd-42ba-9727-9d1f4089c4d2) **References:** https://liquid.microsoft.com/Web/Object/Read/ScanningToolWarnings/Requirements/CodeQL.SM02211#Zguide https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2326 https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010#Zguide ## Azure IoT Edge PR checklist:
diff --git a/edge-agent/test/Microsoft.Azure.Devices.Edge.Agent.Integration.Test/AgentTestsBase.cs b/edge-agent/test/Microsoft.Azure.Devices.Edge.Agent.Integration.Test/AgentTestsBase.cs
@@ -38,10 +38,14 @@ public static IEnumerable<object[]> GenerateStartTestData(string testConfig)
 
             string testConfigPath = Path.Combine(TestConfigBasePath, testConfig);
             string json = File.ReadAllText(testConfigPath);
+            var knownTypesList = new List<Type>
+            {
+                typeof(ModulePriorityValidator)
+            };
             var settings = new JsonSerializerSettings()
             {
                 TypeNameHandling = TypeNameHandling.Auto,
-                SerializationBinder = new TypeNameSerializationBinder(format),
+                SerializationBinder = new TypeNameSerializationBinder(format, knownTypesList),
                 Converters = new List<JsonConverter>
                 {
                     new ModuleSetJsonConverter(),
@@ -253,7 +257,7 @@ public DeploymentConfigJsonConverter()
 
                 this.settings = new JsonSerializerSettings()
                 {
-                    TypeNameHandling = TypeNameHandling.Auto,
+                    TypeNameHandling = TypeNameHandling.None, // Security: $type is not used in json, enforcing explicit type control.
                     Converters = new List<JsonConverter>
                     {
                         new TypeSpecificJsonConverter(deserializerTypes)
@@ -313,7 +317,7 @@ public ModuleSetJsonConverter()
 
                 this.settings = new JsonSerializerSettings()
                 {
-                    TypeNameHandling = TypeNameHandling.Auto,
+                    TypeNameHandling = TypeNameHandling.None, // Security: $type is not used in json, enforcing explicit type control.
                     Converters = new List<JsonConverter>
                     {
                         new TypeSpecificJsonConverter(deserializerTypes)
diff --git a/edge-util/test/Microsoft.Azure.Devices.Edge.Util.Test.Common/TypeNameSerializationBinder.cs b/edge-util/test/Microsoft.Azure.Devices.Edge.Util.Test.Common/TypeNameSerializationBinder.cs
@@ -2,6 +2,8 @@
 namespace Microsoft.Azure.Devices.Edge.Util.Test.Common
 {
     using System;
+    using System.Collections.Generic;
+    using System.Linq;
     using Newtonsoft.Json.Serialization;
 
     /// <summary>
@@ -13,11 +15,23 @@ public class TypeNameSerializationBinder : ISerializationBinder
     {
         public readonly string TypeFormat;
 
+        // KnownTypes provides a allow-list of allowed types for deserialization, mitigating potential security vulnerabilities
+        // associated with uncontrolled type deserialization when using TypeNameHandling
+        // Secure Deserialization Best Practices: https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010#Zguide
+        // CodeQL Scanning Tool Warning: https://liquid.microsoft.com/Web/Object/Read/ScanningToolWarnings/Requirements/CodeQL.SM02211#Zguide
+        public IList<Type> KnownTypes { get; set; }
+
         public TypeNameSerializationBinder(string typeFormat)
         {
             this.TypeFormat = typeFormat;
         }
 
+        public TypeNameSerializationBinder(string typeFormat, IList<Type> knownTypes)
+        {
+            this.TypeFormat = typeFormat;
+            this.KnownTypes = knownTypes;
+        }
+
         public void BindToName(Type serializedType, out string assemblyName, out string typeName)
         {
             assemblyName = null;
@@ -26,7 +40,8 @@ public void BindToName(Type serializedType, out string assemblyName, out string
 
         public Type BindToType(string assemblyName, string typeName)
         {
-            return Type.GetType(string.Format(this.TypeFormat, typeName), true);
+            Type resolvedType = Type.GetType(string.Format(this.TypeFormat, typeName), true);
+            return this.KnownTypes.SingleOrDefault(t => t == resolvedType );
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -38,10 +38,14 @@ public static IEnumerable<object[]> GenerateStartTestData(string testConfig)`
`38`	`38`
`39`	`39`	`string testConfigPath = Path.Combine(TestConfigBasePath, testConfig);`
`40`	`40`	`string json = File.ReadAllText(testConfigPath);`
	`41`	`+ var knownTypesList = new List<Type>`
	`42`	`+ {`
	`43`	`+ typeof(ModulePriorityValidator)`
	`44`	`+ };`
`41`	`45`	`var settings = new JsonSerializerSettings()`
`42`	`46`	`{`
`43`	`47`	`TypeNameHandling = TypeNameHandling.Auto,`
`44`		`- SerializationBinder = new TypeNameSerializationBinder(format),`
	`48`	`+ SerializationBinder = new TypeNameSerializationBinder(format, knownTypesList),`
`45`	`49`	`Converters = new List<JsonConverter>`
`46`	`50`	`{`
`47`	`51`	`new ModuleSetJsonConverter(),`
`@@ -253,7 +257,7 @@ public DeploymentConfigJsonConverter()`
`253`	`257`
`254`	`258`	`this.settings = new JsonSerializerSettings()`
`255`	`259`	`{`
`256`		`- TypeNameHandling = TypeNameHandling.Auto,`
	`260`	`+ TypeNameHandling = TypeNameHandling.None, // Security: $type is not used in json, enforcing explicit type control.`
`257`	`261`	`Converters = new List<JsonConverter>`
`258`	`262`	`{`
`259`	`263`	`new TypeSpecificJsonConverter(deserializerTypes)`
`@@ -313,7 +317,7 @@ public ModuleSetJsonConverter()`
`313`	`317`
`314`	`318`	`this.settings = new JsonSerializerSettings()`
`315`	`319`	`{`
`316`		`- TypeNameHandling = TypeNameHandling.Auto,`
	`320`	`+ TypeNameHandling = TypeNameHandling.None, // Security: $type is not used in json, enforcing explicit type control.`
`317`	`321`	`Converters = new List<JsonConverter>`
`318`	`322`	`{`
`319`	`323`	`new TypeSpecificJsonConverter(deserializerTypes)`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,8 @@`
`2`	`2`	`namespace Microsoft.Azure.Devices.Edge.Util.Test.Common`
`3`	`3`	`{`
`4`	`4`	`using System;`
	`5`	`+ using System.Collections.Generic;`
	`6`	`+ using System.Linq;`
`5`	`7`	`using Newtonsoft.Json.Serialization;`
`6`	`8`
`7`	`9`	`/// <summary>`
`@@ -13,11 +15,23 @@ public class TypeNameSerializationBinder : ISerializationBinder`
`13`	`15`	`{`
`14`	`16`	`public readonly string TypeFormat;`
`15`	`17`
	`18`	`+ // KnownTypes provides a allow-list of allowed types for deserialization, mitigating potential security vulnerabilities`
	`19`	`+ // associated with uncontrolled type deserialization when using TypeNameHandling`
	`20`	`+ // Secure Deserialization Best Practices: https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010#Zguide`
	`21`	`+ // CodeQL Scanning Tool Warning: https://liquid.microsoft.com/Web/Object/Read/ScanningToolWarnings/Requirements/CodeQL.SM02211#Zguide`
	`22`	`+ public IList<Type> KnownTypes { get; set; }`
	`23`	`+`
`16`	`24`	`public TypeNameSerializationBinder(string typeFormat)`
`17`	`25`	`{`
`18`	`26`	`this.TypeFormat = typeFormat;`
`19`	`27`	`}`
`20`	`28`
	`29`	`+ public TypeNameSerializationBinder(string typeFormat, IList<Type> knownTypes)`
	`30`	`+ {`
	`31`	`+ this.TypeFormat = typeFormat;`
	`32`	`+ this.KnownTypes = knownTypes;`
	`33`	`+ }`
	`34`	`+`
`21`	`35`	`public void BindToName(Type serializedType, out string assemblyName, out string typeName)`
`22`	`36`	`{`
`23`	`37`	`assemblyName = null;`
`@@ -26,7 +40,8 @@ public void BindToName(Type serializedType, out string assemblyName, out string`
`26`	`40`
`27`	`41`	`public Type BindToType(string assemblyName, string typeName)`
`28`	`42`	`{`
`29`		`- return Type.GetType(string.Format(this.TypeFormat, typeName), true);`
	`43`	`+ Type resolvedType = Type.GetType(string.Format(this.TypeFormat, typeName), true);`
	`44`	`+ return this.KnownTypes.SingleOrDefault(t => t == resolvedType );`
`30`	`45`	`}`
`31`	`46`	`}`
`32`	`47`	`}`