added allowed customized types

.gitignore

@@ -6,3 +6,4 @@
 /AjaxPro/.vs/AjaxPro
 /AjaxPro/bin
 /AjaxPro/obj
+/DemoWebSite

AjaxPro/AjaxPro.csproj

@@ -11,7 +11,7 @@
     </ApplicationIcon>
     <AssemblyKeyContainerName>
     </AssemblyKeyContainerName>
-    <AssemblyName>AjaxPro</AssemblyName>
+    <AssemblyName>AjaxPro.2</AssemblyName>
     <AssemblyOriginatorKeyFile>
     </AssemblyOriginatorKeyFile>
     <DefaultClientScript>JScript</DefaultClientScript>
@@ -249,10 +249,6 @@
     <Compile Include="Security\EncryptTransformer.cs" />
     <Compile Include="Security\WebDecrypter.cs" />
     <Compile Include="Security\WebEncrypter.cs" />
-    <Compile Include="Services\AuthenticationService.cs" />
-    <Compile Include="Services\CartService.cs" />
-    <Compile Include="Services\ChatService.cs" />
-    <Compile Include="Services\ProfileService.cs" />
     <Compile Include="Utilities\AjaxSettings.cs">
       <SubType>Code</SubType>
     </Compile>
@@ -277,18 +273,11 @@
     <EmbeddedResource Include="core.js" />
   </ItemGroup>
   <ItemGroup>
-    <None Include="build_1.1.bat" />
-    <None Include="build_2.0.bat" />
     <None Include="web.config" />
   </ItemGroup>
   <ItemGroup>
-    <None Include="build.bat" />
-    <None Include="build_json.bat" />
     <EmbeddedResource Include="ms.js" />
   </ItemGroup>
-  <ItemGroup>
-    <Content Include="jquery-1.3.1.js" />
-  </ItemGroup>
   <Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
   <PropertyGroup>
     <PreBuildEvent>

AjaxPro/AjaxPro.sln

@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 15
-VisualStudioVersion = 15.0.28307.1705
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31729.503
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AjaxPro", "AjaxPro.csproj", "{9AD42568-07A4-4D8B-9C6D-1FD54683EF4B}"
 EndProject

AjaxPro/Configuration/AjaxSettingsSectionHandler.cs

@@ -34,6 +34,7 @@
  * MS	07-04-24	added new settings (oldStyle == configuration)
  *					added provider settings
  *					added includeTypeProperty
+ * MS	21-10-27	added allowed customized types for JSON deserialization
  * 
  * 
  */
@@ -154,6 +155,24 @@ public object Create(object parent, object configContext, System.Xml.XmlNode sec
 					if (n.SelectSingleNode("@enabled") != null && n.SelectSingleNode("@enabled").InnerText == "true")
 						settings.DebugEnabled = true;
 				}
+				else if (n.Name == "jsonDeserializationCustomTypes")
+				{
+					settings.IsJsonDeserializationCustomTypesDenied = n.Attributes["default"] == null || n.Attributes["default"].InnerText.ToLower() != "allow";
+
+					foreach (XmlNode sn in n.ChildNodes)
+					{
+						switch (sn.Name)
+						{
+							case "allow":
+								settings.JsonDeserializationCustomTypesAllowed.Add(sn.InnerText);
+								break;
+
+							case "deny":
+								settings.JsonDeserializationCustomTypesDenied.Add(sn.InnerText);
+								break;
+						}
+					}
+				}
 				else if (n.Name == "oldStyle" || n.Name == "configuration")
 				{
 					foreach (XmlNode sn in n.ChildNodes)

AjaxPro/Handler/AjaxProcHelper.cs

@@ -36,14 +36,17 @@
  * MS	06-06-11	removed WebEvent because of SecurityPermissions not available in medium trust environments
  * MS	06-10-04	set UTF-8 encoding for XML documents
  * MS	07-04-24	fixed Ajax token
+ * MS	21-10-27	added allowed customized types for JSON deserialization
+ * 
  * 
  */
 using System;
 using System.Reflection;
 using System.Web;
 using System.Web.Caching;
 using System.IO;
-#if(NET20)
+using System.Collections.Generic;
+#if (NET20)
 using System.Web.Management;
 using System.Diagnostics;
 #endif
@@ -115,25 +118,6 @@ internal void Run()
 				object[] po = null;
 				object res = null;
 
-				#region Retreive Parameters from the HTTP Request
-
-				try
-				{
-					// The IAjaxProcessor will read the values either form the 
-					// request URL or the request input stream.
-
-					po = p.RetreiveParameters();
-				}
-				catch(Exception ex)
-				{
-					p.SerializeObject(ex);
-
-					if(p.Context.Trace.IsEnabled) p.Context.Trace.Write(Constant.AjaxID, "End ProcessRequest");
-					return;
-				}
-
-				#endregion 
-
 				// Check if we have the same request already in our cache. The 
 				// cacheKey will be the type and a hashcode from the parameter values.
 
@@ -151,6 +135,23 @@ internal void Run()
 					return;
 				}
 
+				#region Retreive Parameters from the HTTP Request
+
+				try
+				{
+					// The IAjaxProcessor will read the values either form the 
+					// request URL or the request input stream.
+
+					po = p.RetreiveParameters();
+				}
+				catch (Exception ex)
+				{
+					ReturnException(ex);
+					return;
+				}
+
+				#endregion
+
 				#region Reflection part of Ajax.NET
 
 				try
@@ -326,5 +327,13 @@ internal void Run()
 					winctx.Undo();
 			}
 		}
+
+		private void ReturnException(Exception ex)
+		{
+			p.SerializeObject(ex);
+
+			if (p.Context.Trace.IsEnabled) p.Context.Trace.Write(Constant.AjaxID, "End ProcessRequest");
+			return;
+		}
 	}
 }

AjaxPro/JSON/JavaScriptDeserializer.cs

@@ -36,6 +36,7 @@
  * MS	06-05-30	changed to new converter usage
  * MS	06-07-11	added generic method for DeserializeFromJson
  * MS	06-09-26	improved performance removing three-times cast
+ * MS	21-10-27	added allowed customized types for JSON deserialization
  * 
  * 
  */
@@ -212,11 +213,28 @@ public static object Deserialize(IJavaScriptObject o, Type type)
         /// <returns></returns>
 		internal static object DeserializeCustomObject(JavaScriptObject o, Type type)
 		{
-			object c = Activator.CreateInstance(type);
+			if (AjaxPro.Utility.Settings.IsJsonDeserializationCustomTypesDenied)
+			{
+				bool isCustomTypeAllowed = false;
+
+				foreach (var s in AjaxPro.Utility.Settings.JsonDeserializationCustomTypesAllowed)
+					if (type.FullName.StartsWith(s, StringComparison.InvariantCultureIgnoreCase))
+					{
+						isCustomTypeAllowed = true;
+						break;
+					}
 
-			// TODO: is this a security problem?
-			// if(o.GetType().GetCustomAttributes(typeof(AjaxClassAttribute), true).Length == 0)
-			//	throw new System.Security.SecurityException("Could not create class '" + type.FullName + "' because of missing AjaxClass attribute.");
+				if (!isCustomTypeAllowed)
+					throw new System.Security.SecurityException("This cusomized type is not allowed as argument for this method.");
+			}
+			else
+			{
+				foreach (var s in AjaxPro.Utility.Settings.JsonDeserializationCustomTypesDenied)
+					if (type.FullName.StartsWith(s, StringComparison.InvariantCultureIgnoreCase))
+						throw new System.Security.SecurityException("This cusomized type is not allowed as argument for this method.");
+			}
+
+			object c = Activator.CreateInstance(type);
 
 			MemberInfo[] members = type.GetMembers(BindingFlags.GetField | BindingFlags.GetProperty | BindingFlags.Public | BindingFlags.Instance);
 			foreach (MemberInfo memberInfo in members)