
DefaultDatabusSerializer is using dangerous BinaryFormatter

Open marcelvwe opened this issue 4 years ago • 2 comments

The DefaultDatabusSerializer is using the BinaryFormatter to serialize databus properties to a stream. Since July 2020, Microsoft discourages the use of the BinaryFormatter, since it is not safe to use and can't be made safe. For reference, see https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide.

Since .NET 5, the use of the BinaryFormatter is obsoleted and even disabled by default, and must be manually re-enabled (https://docs.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/binaryformatter-serialization-obsolete).

The default implementation of the databus serializer uses the BinaryFormatter. I know the actual formatter can be changed; however, the interface IDataBusSerializer assumes the type information of the object to deserialize to is embedded in the serialized input. This is true when using the BinaryFormatter; however, most alternative serializers expect the type to be provided when deserializing the content.

The ideal solution would be to stop using the BinaryFormatter within the NServiceBus library, possibly with a backwards compatible fallback scenario in case the databus content was serialized using the BinaryFormatter.

An alternative would be to change the IDataBusSerializer interface to provide the type information to deserialize to, for example:

using System;
using System.IO;

public interface IDataBusSerializer
{
    void Serialize(object databusProperty, Stream stream);
    object Deserialize(Type type, Stream stream);
}

instead of the current:

using System.IO;

public interface IDataBusSerializer
{
    void Serialize(object databusProperty, Stream stream);
    object Deserialize(Stream stream);
}

What are your ideas?

marcelvwe avatar Mar 04 '21 13:03 marcelvwe
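As an added illustration of the type-aware alternative proposed in the issue above (example code, not NServiceBus's shipped API or the project's own implementation): a System.Text.Json serializer implementing the proposed interface shape, where the caller supplies the target type and the payload carries no type names. The interface body, the SystemTextJsonDataBusSerializer class and the Attachment sample type are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Text.Json;

// Hypothetical type-aware interface as proposed in the issue (not the shipped NServiceBus API).
public interface IDataBusSerializer
{
    void Serialize(object databusProperty, Stream stream);
    object Deserialize(Type type, Stream stream);
}

// Example implementation: no type information is embedded in the payload, so the stream
// cannot instruct the deserializer which type to instantiate. Payload-supplied type names
// are what make BinaryFormatter unsafe; System.Text.Json does not honour them by default.
public sealed class SystemTextJsonDataBusSerializer : IDataBusSerializer
{
    static readonly JsonSerializerOptions Options = new JsonSerializerOptions();

    public void Serialize(object databusProperty, Stream stream)
    {
        JsonSerializer.Serialize(stream, databusProperty, databusProperty.GetType(), Options);
    }

    public object Deserialize(Type type, Stream stream)
    {
        // The expected type comes from the caller; the payload cannot override it.
        return JsonSerializer.Deserialize(stream, type, Options)
               ?? throw new InvalidDataException("Databus payload deserialized to null.");
    }
}

// Constructed sample databus property used for the round trip below (not from the page).
public sealed class Attachment
{
    public string FileName { get; set; } = "";
    public byte[] Content { get; set; } = Array.Empty<byte>();
}

public static class Demo
{
    public static void Main()
    {
        var serializer = new SystemTextJsonDataBusSerializer();
        var original = new Attachment { FileName = "report.pdf", Content = new byte[] { 1, 2, 3 } };
        using var stream = new MemoryStream();
        serializer.Serialize(original, stream);
        stream.Position = 0;
        var copy = (Attachment)serializer.Deserialize(typeof(Attachment), stream);
        Console.WriteLine($"{copy.FileName}: {copy.Content.Length} bytes");
    }
}
```

The stream-based JsonSerializer overloads used here require .NET 6 or later; on older targets the same shape can be kept by buffering the stream into a string first.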

@marcelvwe thanks for reaching out and providing so much helpful information. We are currently looking in more details into this issue and will keep you posted here.

In the meantime, I wanted to point out that it is possible to replace the serializer by adding your custom version to the container. This sample also demonstrates it further:

https://docs.particular.net/samples/databus/custom-serializer/

danielmarbach avatar Mar 08 '21 15:03 danielmarbach

@marcelvwe would you be able to send me some details about your company privately to daniel dot marbach at particular dot net so that I can correlate this issue internally to the related account?

danielmarbach avatar Mar 08 '21 15:03 danielmarbach

This is addressed in Version 8, see https://docs.particular.net/nservicebus/upgrades/7to8/databus

andreasohlund avatar Oct 18 '22 14:10 andreasohlund