Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: Enhance JSON Deserialization Security - Mitigate TypeNameHandling Vulnerability #7423

Merged
merged 3 commits into from
Mar 6, 2025
Merged

Fix: Enhance JSON Deserialization Security - Mitigate TypeNameHandling Vulnerability #7423

merged 3 commits into from
Mar 6, 2025

Conversation

sush-101
Copy link
Contributor

@sush-101 sush-101 commented Feb 27, 2025
edited
Loading

Bug 30973440 and Bug 30973442
CodeQL issue: https://liquid.microsoft.com/codeql/issues/621b3860-9992-462a-8a9d-0a24593f51a5?copilot_promptid=E91B0CE9-0C1B-4AC2-8A46-33F49B67E058

This commit addresses a potential security vulnerability within our test code and infrastructure related to JSON deserialization by enhancing the type handling mechanism.

Issue:
The previous deserialization configuration was using TypeNameHandling.Auto in Newtonsoft.Json. TypeNameHandling.Auto allows for automatic deserialization of types based on $type metadata embedded in the JSON. If an attacker can control the JSON input, they can potentially inject malicious $type properties to instantiate arbitrary types, leading to Remote Code Execution (RCE) vulnerabilities. This is related to our test infrastructure, so the potential security impact does not include production code running on customers' devices

Fix Implemented:

To mitigate this risk, the following changes have been made:

  1. Disabled Automatic Type Name Handling (TypeNameHandling.None):

    • The TypeNameHandling setting in JsonSerializerSettings has been explicitly set to TypeNameHandling.None.
    • This is because the serialized JSON in our use case does not include $type metadata. Setting TypeNameHandling.None ensures that automatic $type processing is completely disabled, further enhancing security.

  2. Implemented Secure Deserialization with KnownTypes Whitelist:

Tested the changes in the local:

image

References:

https://liquid.microsoft.com/Web/Object/Read/ScanningToolWarnings/Requirements/CodeQL.SM02211#Zguide
https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2326
https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010#Zguide

Azure IoT Edge PR checklist:

This checklist is used to make sure that common guidelines for a pull request are followed.

General Guidelines and Best Practices

  • I have read the contribution guidelines.
  • Title of the pull request is clear and informative.
  • Description of the pull request includes a concise summary of the enhancement or bug fix.

Testing Guidelines

  • Pull request includes test coverage for the included changes.
  • Description of the pull request includes
    • concise summary of tests added/modified
    • local testing done.

Draft PRs

  • Open the PR in Draft mode if it is:
    • Work in progress or not intended to be merged.
    • Encountering multiple pipeline failures and working on fixes.

Note: We use the kodiakhq bot to merge PRs once the necessary checks and approvals are in place. When it merges a PR, kodiakhq converts the PR title to the commit title, PR description to the commit description, and squashes all the commits in the PR to a single commit. The net effect is that entire PR becomes a single commit. Please follow the best practices mentioned here for the PR title and description

@sush-101
**Fix: Enhance JSON Deserialization Security - Mitigate TypeNameHandl…
a87c010 
…ing Vulnerability**

This commit addresses a potential security vulnerability related to JSON deserialization by enhancing the type handling mechanism.

**Issue:**

The previous deserialization configuration was using `TypeNameHandling.Auto` in Newtonsoft.Json. This setting, while convenient, introduces a significant security risk.  `TypeNameHandling.Auto` allows for automatic deserialization of types based on `$type` metadata embedded in the JSON.  If an attacker can control the JSON input, they can potentially inject malicious `$type` properties to instantiate arbitrary types, leading to Remote Code Execution (RCE) vulnerabilities.

**Fix Implemented:**

To mitigate this risk, the following changes have been made:

1.  **Implemented Secure Deserialization with KnownTypes Whitelist:**
    - Updated TypeNameSerializationBinder binder to utilize a `KnownTypes` whitelist, explicitly defining the set of allowed types that can be deserialized.
    - The deserializer is now configured to use this `SerializationBinder`, ensuring that only types present in the `KnownTypes` whitelist are permitted for deserialization. This significantly restricts the attack surface and prevents the instantiation of unauthorized or potentially malicious types.
    - This approach aligns with secure deserialization best practices and follows the guidance outlined in: [https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010#Zguide](https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010#Zguide)

2.  **Disabled Automatic Type Name Handling (`TypeNameHandling.None`):**
    - The `TypeNameHandling` setting in `JsonSerializerSettings` has been explicitly set to `TypeNameHandling.None`.
    - This is because the serialized JSON in our use case does not intentionally include `$type` metadata.  Setting `TypeNameHandling.None` ensures that automatic `$type` processing is completely disabled, further enhancing security and aligning with the explicit type control implemented by the `SerializationBinder`.
tanmay-yerunkar-ms
tanmay-yerunkar-ms previously approved these changes Feb 27, 2025
View reviewed changes
Copy link
Contributor

@tanmay-yerunkar-ms tanmay-yerunkar-ms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

@sush-101 sush-101 requested a review from yophilav February 27, 2025 09:16
damonbarry
damonbarry reviewed Feb 27, 2025
View reviewed changes
Copy link
Member

@damonbarry damonbarry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the PR description, can you make it clear that this is in test code, so the potential security impact does not include production code running on customers' devices?

@sush-101 sush-101 marked this pull request as ready for review March 6, 2025 08:54
@kodiakhq kodiakhq bot merged commit 5274e8d into Azure:main Mar 6, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arsaha007 arsaha007 arsaha007 left review comments

@damonbarry damonbarry damonbarry approved these changes

@tanmay-yerunkar-ms tanmay-yerunkar-ms tanmay-yerunkar-ms left review comments

@yophilav yophilav Awaiting requested review from yophilav

Assignees
No one assigned
Labels
ready-to-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sush-101 @damonbarry @arsaha007 @tanmay-yerunkar-ms