
BinaryFormatter.Serialize and BinaryFormatter.Deserialize are marked obsolete in .NET 5

Open TimHess opened this issue 5 years ago • 6 comments

Bypassed the warning for now, but we possibly should not use BinaryFormatter at all anyway

TimHess avatar Oct 28 '20 17:10 TimHess

@dtillman, @hananiel Trying to change the SimpleMessageConverter's (de)serialization to use System.Text.Json.JsonSerializer results in the following exception being thrown in tests:

System.NotSupportedException : Serialization and deserialization of 'System.Type' instances are not supported and should be avoided since they can lead to security issues.

The exception might only be related to (de)serializing certain Exceptions (I'm seeing 17 test failures with the change), but it's enough for me that I'd rather one of you take a look at it

TimHess avatar Dec 02 '20 16:12 TimHess
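The NotSupportedException quoted above comes from System.Text.Json refusing to walk `System.Type` (reached through an exception's `TargetSite`). The added example below is not Steeltoe code; it reproduces that failure against a thrown exception and shows the usual defensive pattern of serializing an explicit DTO (the `ExceptionInfo` record is an assumption of this example) so the wire format carries no type metadata at all.

```csharp
using System;
using System.Text.Json;

// Constructed example, not Steeltoe code: carry exception details as plain data
// instead of serializing the Exception object graph.
public sealed record ExceptionInfo(string TypeName, string Message, string StackTrace);

public static class ExceptionJson
{
    // Serializing the Exception directly walks TargetSite -> DeclaringType (System.Type),
    // which System.Text.Json rejects on purpose (see the thread).
    public static bool DirectSerializationThrows(Exception ex)
    {
        try
        {
            JsonSerializer.Serialize(ex, ex.GetType());
            return false;
        }
        catch (NotSupportedException)
        {
            return true;
        }
    }

    // Only strings cross the wire: the receiver never reconstructs a runtime type from the payload.
    public static string ToJson(Exception ex) =>
        JsonSerializer.Serialize(new ExceptionInfo(ex.GetType().FullName ?? "unknown", ex.Message, ex.StackTrace ?? ""));

    public static ExceptionInfo FromJson(string json) =>
        JsonSerializer.Deserialize<ExceptionInfo>(json)
        ?? throw new JsonException("payload did not contain an ExceptionInfo");
}

public static class Program
{
    public static void Main()
    {
        Exception caught;
        // Throw for real so TargetSite is populated, which is what triggers the failure.
        try { throw new InvalidOperationException("queue unavailable"); }
        catch (Exception ex) { caught = ex; }

        Console.WriteLine($"direct serialization throws: {ExceptionJson.DirectSerializationThrows(caught)}");

        var json = ExceptionJson.ToJson(caught);
        var info = ExceptionJson.FromJson(json);
        Console.WriteLine($"{info.TypeName}: {info.Message}");
    }
}
```

The receiving side can log or display `ExceptionInfo` without ever turning `TypeName` back into a `Type`, which is the property that made BinaryFormatter's exception payloads dangerous in the first place.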

Need to test and make sure this runs on .NET 5 without throwing exceptions as noted in #530

jkonicki avatar Dec 07 '20 16:12 jkonicki

After further investigation the following seems like the way forward for net5.0.

BinaryFormatter is a serialization tech that has been in .NET Frameworks for years and is widely used. The security vulnerabilities have been known for a long long time. Microsoft has decided to finally address this in the upcoming .NET releases, with .NET 5.0 being the first release to start addressing it. Note: what is described is specific to .NET 5 and not .NET Framework.

  1. BinaryFormatter is the default serialization used in Steeltoe RabbitMQ.
  2. BinaryFormatter has been marked obsolete in net5.0 resulting in a compile time warning in Steeltoe code.
  3. Microsoft introduced a killbit to disable using BF at runtime. True=Disabled, False=Enabled
  4. The default setting for the killbit, for .NET 5 apps compiled with SDK="Microsoft.NET.Sdk" is for the killbit to be set to false.
  5. The default setting for the killbit, for .NET 5 apps compiled with SDK="Microsoft.NET.Sdk.Web" is for the killbit to be set to true.
  6. The killbit can be manipulated at build time (Web SDK) using property: EnableUnsafeBinaryFormatterSerialization
  7. The killbit can be manipulated at runtime using: AppContext.SetSwitch("System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization", true);
  8. The Microsoft plan for BF is found in dotnet/designs: https://github.com/dotnet/designs/blob/main/accepted/2020/better-obsoletion/binaryformatter-obsoletion.md
  9. NET5 apps using Steeltoe RabbitMQ in console apps will not be affected, as the killbit is not turned on by default.
  10. NET5 apps using Steeltoe RabbitMQ in ASP.NET Core apps will fail when using the default serializer (BF).
  11. ASP.NET Core apps have a couple options for dealing with failure:
      a. Disable the killbit (i.e. set == true), using one of the above mentioned techniques (i.e. build or runtime).
      b. Switch the default serializer to use Json instead of BF.

Going forward, we will need to follow Microsoft's lead on how to migrate from BF to whatever they migrate their code bases to.

dtillman avatar Dec 09 '20 19:12 dtillman
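To make the killbit behaviour above concrete, here is an added example (not Steeltoe's code) that reads the `System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization` switch named in the comment, probes whether the runtime actually blocks `BinaryFormatter.Serialize`, and shows option (b), a System.Text.Json path that needs no switch at all. `MessageEnvelope` and `SerializerProbe` are names invented for this example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed payload type for this example (hypothetical, not a Steeltoe type).
// [Serializable] is required for the BinaryFormatter probe below.
[Serializable]
public sealed class MessageEnvelope
{
    public string Id { get; set; } = "";
    public string Body { get; set; } = "";
}

public static class SerializerProbe
{
    const string Switch = "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization";

    // What the switch says. Microsoft.NET.Sdk.Web sets it to false; a plain Microsoft.NET.Sdk
    // console app leaves it unset and BinaryFormatter remains usable (item 4/5 in the thread).
    public static string DescribeSwitch() =>
        AppContext.TryGetSwitch(Switch, out var enabled)
            ? $"{Switch} = {enabled}"
            : $"{Switch} not set (runtime default applies)";

    // Ground truth rather than configuration: call BinaryFormatter.Serialize and see
    // whether the runtime refuses. Useful as a startup self-check in a web app.
    public static bool BinaryFormatterIsBlocked()
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete; this call only probes the killbit
        try
        {
            new BinaryFormatter().Serialize(new MemoryStream(), new MessageEnvelope());
            return false;
        }
        catch (NotSupportedException)
        {
            return true;
        }
#pragma warning restore SYSLIB0011
    }

    // Option (b): System.Text.Json only materialises the declared type, so the payload
    // cannot choose which types get constructed, and no killbit is involved.
    public static byte[] ToJsonBytes(MessageEnvelope m) => JsonSerializer.SerializeToUtf8Bytes(m);

    public static MessageEnvelope FromJsonBytes(byte[] bytes) =>
        JsonSerializer.Deserialize<MessageEnvelope>(bytes) ?? throw new JsonException("empty payload");
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(SerializerProbe.DescribeSwitch());
        Console.WriteLine($"BinaryFormatter blocked: {SerializerProbe.BinaryFormatterIsBlocked()}");

        var bytes = SerializerProbe.ToJsonBytes(new MessageEnvelope { Id = "m-1", Body = "hello" });
        var back = SerializerProbe.FromJsonBytes(bytes);
        Console.WriteLine($"round-tripped {back.Id}: {back.Body}");
    }
}
```

Run it once under `Microsoft.NET.Sdk` and once under `Microsoft.NET.Sdk.Web` to see the two defaults described in items 4 and 5; setting `AppContext.SetSwitch(Switch, false)` before the probe reproduces the web behaviour in a console app, and `BinaryFormatterIsBlocked()` returning `true` is the signal that the default BF converter would fail.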

Until a more permanent solution is available, we will document the current resolution options if this is encountered in https://github.com/SteeltoeOSS/Documentation/issues/82

jkonicki avatar Dec 10 '20 16:12 jkonicki

Confirm the status in .NET 6

jkonicki avatar Jun 14 '21 15:06 jkonicki

.NET 7 puts this behind an AppContext switch to enable/disable... Looks like it will be disabled by default for .NET 7

dtillman avatar Feb 16 '22 17:02 dtillman