(v4) back port fix for CVE-2022-23535 #2465

Open
wants to merge 5 commits into
base: v4
14 changes: 7 additions & 7 deletions LiteDB/LiteDB.csproj
@@ -1,18 +1,18 @@
<Project Sdk="Microsoft.NET.Sdk">
<Project Sdk="Microsoft.NET.Sdk">

<PropertyGroup Condition=" '$(OS)' != 'Windows_NT' ">
<TargetFrameworks>netstandard1.3;netstandard2.0</TargetFrameworks>
<TargetFrameworks>netstandard2.0</TargetFrameworks>
</PropertyGroup>
<PropertyGroup Condition=" '$(OS)' == 'Windows_NT' ">
<TargetFrameworks>net35;net40;netstandard1.3;netstandard2.0</TargetFrameworks>
<TargetFrameworks>net40;netstandard2.0</TargetFrameworks>
</PropertyGroup>

<PropertyGroup>
<PackageId>LiteDB</PackageId>
<Version>4.1.5</Version>
<AssemblyVersion>4.1.5.0</AssemblyVersion>
<FileVersion>4.1.5</FileVersion>
<VersionPrefix>4.1.5</VersionPrefix>
<Version>2024.0.1-uipath</Version>
<AssemblyVersion>2024.0.1</AssemblyVersion>
<FileVersion>2024.0.1</FileVersion>
<VersionPrefix>2024.0.1</VersionPrefix>
<Authors>Maurício David</Authors>
<Product>LiteDB</Product>
<Description>LiteDB - A lightweight embedded .NET NoSQL document store in a single datafile</Description>
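Review bot: The package keeps `<PackageId>LiteDB</PackageId>` while its version moves to `2024.0.1-uipath` (L59–L62), so if this fork is ever pushed to a feed that also carries upstream LiteDB, NuGet's version ordering ranks 2024.0.1 above every upstream 4.x/5.x release and floating or latest references would silently resolve to the fork instead of upstream. A back-port of a CVE fix would normally stay inside the 4.1.x line (e.g. `<Version>4.1.6</Version>`), or the fork should use its own PackageId; which of the two is intended is not stated in the PR. Dropping `netstandard1.3` from both TargetFrameworks groups (L46, L50) is presumably deliberate, but the PR description should say so since it is a breaking change for consumers of the v4 package rather than part of the CVE fix.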
22 changes: 19 additions & 3 deletions LiteDB/Mapper/BsonMapper.Deserialize.cs
@@ -1,4 +1,4 @@
using System;
using System;
using System.Linq;
using System.Collections;
using System.Collections.Generic;
Expand Down Expand Up @@ -156,9 +156,25 @@ internal object Deserialize(Type type, BsonValue value)
// test if value is object and has _type
if (doc.RawValue.TryGetValue("_type", out typeField))
{
type = Type.GetType(typeField.AsString);
var actualType = Type.GetType(typeField.AsString);

if (type == null) throw LiteException.InvalidTypedName(typeField.AsString);
if (actualType == null) throw LiteException.InvalidTypedName(typeField.AsString);

// avoid initialize class that are not assignable
if (!type.IsAssignableFrom(actualType))
{
throw LiteException.DataTypeNotAssignable(type.FullName, actualType.FullName);
}

// avoid use of "System.Diagnostics.Process" in object type definition
// using String test to work in .netstandard 1.3
if (actualType.FullName.Equals("System.Diagnostics.Process", StringComparison.OrdinalIgnoreCase) &&
actualType.Assembly.GetName().Name.Equals("System", StringComparison.OrdinalIgnoreCase))
{
throw LiteException.AvoidUseOfProcess();
}

type = actualType;
}
// when complex type has no definition (== typeof(object)) use Dictionary<string, object> to better set values
else if (type == typeof(object))
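Review bot: The `System.Diagnostics.Process` guard on L93–L94 only fires when the type's assembly is named `System`, which is where Process lives on .NET Framework; on .NET Core / .NET 5+ (reachable through the `netstandard2.0` target) the type is defined in the `System.Diagnostics.Process` assembly, so the second clause is false and the denylist is bypassed there. Dropping the assembly clause closes that gap: `if (actualType.FullName.Equals("System.Diagnostics.Process", StringComparison.OrdinalIgnoreCase))`. The `type.IsAssignableFrom(actualType)` check on L86 is the stronger part of the fix, but it is a no-op whenever the declared `type` is `object` (every type is assignable to object), and in that case `Type.GetType(typeField.AsString)` on L80 still resolves any loadable, possibly assembly-qualified, type name taken straight from the document — a single-type denylist is not a durable mitigation for that path, and a caller-configurable allow-list or type-name resolver hook would be; worth at least a `// NOTE: for object-typed members only the Process denylist applies` comment so the residual exposure is visible. The comment on L92 about `.netstandard 1.3` is stale given that target is removed in this same PR. `Deserialize`'s body begins and ends outside the hunk.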
14 changes: 14 additions & 0 deletions LiteDB/Utils/LiteException.cs
Expand Up @@ -38,6 +38,8 @@ public class LiteException : Exception
public const int INVALID_TYPED_NAME = 207;
public const int NEED_RECOVER = 208;
public const int PROPERTY_READ_WRITE = 209;
public const int DATA_TYPE_NOT_ASSIGNABLE = 214;
public const int AVOID_USE_OF_PROCESS = 215;

#endregion

Expand Down Expand Up @@ -207,6 +209,18 @@ internal static LiteException SyntaxError(StringScanner s, string message = "Une
};
}

internal static LiteException DataTypeNotAssignable(string type1, string type2)
{
{
return new LiteException(DATA_TYPE_NOT_ASSIGNABLE, $"Data type {type1} is not assignable from data type {type2}"); return new LiteException(DATA_TYPE_NOT_ASSIGNABLE, $"Data type {type1} is not assignable from data type {type2}");
}
}

internal static LiteException AvoidUseOfProcess()
{
return new LiteException(AVOID_USE_OF_PROCESS, $"LiteDB do not accept System.Diagnostics.Process class in deserialize mapper");
}

#endregion
}
}
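Review bot: `DataTypeNotAssignable` as rendered carries a doubled body — a nested `{ … }` block (L120–L124) and two `return` statements on L122, the second unreachable — which looks like a botched merge during the back-port; if that is what is committed and not a rendering artifact, it should collapse to one block containing a single `return new LiteException(DATA_TYPE_NOT_ASSIGNABLE, $"Data type {type1} is not assignable from data type {type2}");`. The `$` prefix on the `AvoidUseOfProcess` message (L128) has no placeholders and can be a plain literal, and the text reads better as `"LiteDB does not accept System.Diagnostics.Process class in deserialize mapper"`. The new codes 214/215 skip 210–213 relative to the visible 207–209; if the gap is intentional to stay aligned with another branch's numbering, a one-line comment saying so would spare the next maintainer a search.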
27 changes: 27 additions & 0 deletions appveyor.yml
@@ -0,0 +1,27 @@
version: 5.0.{build}
branches:
only:
- master
- v4
image: Visual Studio 2017
configuration:
- Debug
- Release
before_build:
- cmd: nuget restore LiteDB.sln
build:
project: LiteDB.sln
publish_nuget: true
verbosity: minimal
# for:
# -
# matrix:
# only:
# - configuration: Release
# artifacts:
# - path: LiteDB\bin\Release\LiteDB*.nupkg
# deploy:
# - provider: Webhook
# url: https://app.signpath.io/API/v1/f5b329b8-705f-4d6c-928a-19465b83716b/Integrations/AppVeyor?ProjectKey=LiteDB.git&SigningPolicyKey=release-signing
# authorization:
# secure: 3eLjGkpQC1wg1s5GIEqs7yk/V8OZNnpKmpwdsaloGExc5jMspM4nA7u/UlG5ugraEyXRC05ZxLU4FIfH2V2BEg==
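Review bot: `publish_nuget: true` is set for the whole job while `configuration` lists both `Debug` and `Release`, so every Debug build also packages and publishes a `.nupkg` artifact; scoping the flag to Release (a `for:` entry with `only: - configuration: Release`, as the commented block already sketches) keeps unoptimized debug assemblies out of the artifact feed. The commented-out `deploy` section still carries the SignPath project key and a `secure:` authorization blob; AppVeyor can only decrypt such values for the account that encrypted them, so in a fork this is dead configuration at best and should be deleted rather than kept as a comment. `version: 5.0.{build}` also sits oddly next to the `v4` branch filter and the 2024.0.1 package version in the csproj — presumably copied from upstream master, worth confirming which version scheme the build is meant to stamp.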