add important remarks to NrbfDecoder (#111286)

* add important remarks to NrbfDecoder

* add a warning about TypeName

Author: adamsitnik

src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/ArrayRecord.cs

@@ -64,6 +64,11 @@ internal bool IsJagged
     /// </param>
     /// <returns>An array filled with the data provided in the serialized records.</returns>
     /// <exception cref="InvalidOperationException"><paramref name="expectedArrayType" /> does not match the data from the payload.</exception>
+    /// <remarks>
+    /// Check the total length of the array by using <see cref="Lengths"/> property before calling this method,
+    /// as an attacker could have sent you a small payload that will require to allocate a very large array
+    /// and potentially cause <see cref="OutOfMemoryException"/> and Denial of Service.
+    /// </remarks>
     [RequiresDynamicCode("The code for an array of the specified type might not be available.")]
     public Array GetArray(Type expectedArrayType, bool allowNulls = true)
     {

src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/NrbfDecoder.cs

@@ -16,6 +16,10 @@ namespace System.Formats.Nrbf;
 /// <summary>
 /// Provides stateless methods for decoding .NET Remoting Binary Format (NRBF) encoded data.
 /// </summary>
+/// <remarks>
+/// NrbfDecoder is an implementation of an NRBF reader, but its behaviors don't strictly follow BinaryFormatter's implementation.
+/// Thus the output of NrbfDecoder shouldn't be used to determine whether a call to BinaryFormatter would be safe.
+/// </remarks>
 public static class NrbfDecoder
 {
     private static UTF8Encoding ThrowOnInvalidUtf8Encoding { get; } = new(false, throwOnInvalidBytes: true);

src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/SZArrayRecord.cs

@@ -34,6 +34,11 @@ private protected SZArrayRecord(ArrayInfo arrayInfo) : base(arrayInfo)
     ///   otherwise, <see langword="false" />.
     /// </param>
     /// <returns>An array filled with the data provided in the serialized records.</returns>
+    /// <remarks>
+    /// Check the total length of the array by using <see cref="Length"/> property before calling this method,
+    /// as an attacker could have sent you a small payload that will require to allocate a very large array
+    /// and potentially cause <see cref="OutOfMemoryException"/> and Denial of Service.
+    /// </remarks>
     public abstract T?[] GetArray(bool allowNulls = true);
 
 #pragma warning disable IL3051 // RequiresDynamicCode is not required in this particualar case

src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/SerializationRecord.cs

@@ -39,6 +39,10 @@ internal SerializationRecord() // others can't derive from this type
     /// Gets the name of the serialized type.
     /// </summary>
     /// <value>The name of the serialized type.</value>
+    /// <remarks>
+    /// Since the provided type name may originate from untrusted input,
+    /// it should not be utilized for type loading, as it could potentially load a malicious type.
+    /// </remarks>
     public abstract TypeName TypeName { get; }
 
     /// <summary>

src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/SerializationRecordId.cs

@@ -16,6 +16,9 @@ namespace System.Formats.Nrbf;
 /// <summary>
 /// The ID of <see cref="SerializationRecord" />.
 /// </summary>
+/// <remarks>
+/// It can be used the detect cycles in decoded records.
+/// </remarks>
 [DebuggerDisplay("{_id}")]
 public readonly struct SerializationRecordId : IEquatable<SerializationRecordId>
 {