C# Online Compiler | .NET Fiddle

<no name> by Anonymous

using System;
using System.Reflection;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

namespace SecureDeserializationDemo
{
    public class SafeClass
    {
        public object DangerousProperty { get; set; }
		public object OtherProp { get; set; }
    }

    public class MaliciousClass
    {
        public MaliciousClass()
        {
            Console.WriteLine("Malicious code executed!");
        }
    }

    public class HarmlessClass
    {
        public object Message { get; set; }

        public HarmlessClass()
        {
            Console.WriteLine("Harmless class instantiated");
        }
    }
	
	public class HarmlessClass2
    {
        public string Message { get; set; }

        public HarmlessClass2()
        {
            Console.WriteLine("Harmless2 class instantiated");
        }
    }

    public class CustomSerializationBinder : DefaultSerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            // Only allow deserialization of known safe types
            if (typeName == typeof(HarmlessClass).FullName)
            {
                return typeof(HarmlessClass);
            }
			
			// Only allow deserialization of known safe types
            if (typeName == typeof(HarmlessClass2).FullName)
            {
                return typeof(HarmlessClass2);
            }


            throw new JsonSerializationException($"Attempted to deserialize unauthorized type: {typeName}");
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
		// Get the assembly name programmatically
            Assembly currentAssembly = Assembly.GetExecutingAssembly();
            string assemblyName = currentAssembly.GetName().Name;

            // Construct the JSON string with $type including the assembly name
            string typeName = typeof(HarmlessClass2).FullName;
            string json = $@"{{
                'DangerousProperty': {{
                    '$type': '{typeName}, {assemblyName}'
                }},
				'OtherProp': {{
                    '$type': '{typeName}, {assemblyName}'
                }}
            }}";

            Console.WriteLine("JSON payload:");
            Console.WriteLine(json);


            var settings = new JsonSerializerSettings
            {
                TypeNameHandling = TypeNameHandling.All,
                SerializationBinder = new CustomSerializationBinder()
            };

            try
            {
                var safeClass = JsonConvert.DeserializeObject<HarmlessClass>(json, settings);
                Console.WriteLine("Deserialization succeeded.");
				Console.WriteLine($"{safeClass.Message}");
            }
            catch (JsonSerializationException ex)
            {
                Console.WriteLine($"Deserialization failed: {ex.Message}");
            }
        }
    }
}

​x
 
using System;
using System.Reflection;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;
​
namespace SecureDeserializationDemo
{
    public class SafeClass
    {
        public object DangerousProperty { get; set; }
        public object OtherProp { get; set; }
    }
​
    public class MaliciousClass
    {
        public MaliciousClass()
        {
            Console.WriteLine("Malicious code executed!");
        }
    }
​
    public class HarmlessClass
    {
        public object Message { get; set; }
​
        public HarmlessClass()
        {
            Console.WriteLine("Harmless class instantiated");
        }
    }
    
    public class HarmlessClass2
    {
        public string Message { get; set; }
​
        public HarmlessClass2()
        {
            Console.WriteLine("Harmless2 class instantiated");
        }
    }
​
    public class CustomSerializationBinder : DefaultSerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            // Only allow deserialization of known safe types
            if (typeName == typeof(HarmlessClass).FullName)
            {
                return typeof(HarmlessClass);
            }
            
            // Only allow deserialization of known safe types
            if (typeName == typeof(HarmlessClass2).FullName)
            {
                return typeof(HarmlessClass2);
            }
​
​
            throw new JsonSerializationException($"Attempted to deserialize unauthorized type: {typeName}");
        }
    }
​
    class Program
    {
        static void Main(string[] args)
        {
        // Get the assembly name programmatically
            Assembly currentAssembly = Assembly.GetExecutingAssembly();
            string assemblyName = currentAssembly.GetName().Name;
​
            // Construct the JSON string with $type including the assembly name
            string typeName = typeof(HarmlessClass2).FullName;
            string json = $@"{{
                'DangerousProperty': {{
                    '$type': '{typeName}, {assemblyName}'
                }},
                'OtherProp': {{
                    '$type': '{typeName}, {assemblyName}'
                }}
            }}";
​
            Console.WriteLine("JSON payload:");
            Console.WriteLine(json);
​
​
            var settings = new JsonSerializerSettings
            {
                TypeNameHandling = TypeNameHandling.All,
                SerializationBinder = new CustomSerializationBinder()
            };
​
            try
            {
                var safeClass = JsonConvert.DeserializeObject<HarmlessClass>(json, settings);
                Console.WriteLine("Deserialization succeeded.");
                Console.WriteLine($"{safeClass.Message}");
            }
            catch (JsonSerializationException ex)
            {
                Console.WriteLine($"Deserialization failed: {ex.Message}");
            }
        }
    }
}
​

View IL Code