zyanfx/SafeDeserializationHelpers

Deserializing untrusted data is dangerous

This tiny library tries to fix several known BinaryFormatter vulnerabilities.
See the ysoserial.net project for details.

Code sample

// bad: deserializing untrusted input can trigger arbitrary code execution
var fmt = new BinaryFormatter();
var obj = fmt.Deserialize(stream);

// better: deserialization is checked against known vulnerabilities
var fmt = new BinaryFormatter().Safe();
var obj = fmt.Deserialize(stream);
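
What Safe() checks is not shown on this page. As an added example (not the project's code), here is the standard mitigation that such checks complement: a type allow list enforced through a SerializationBinder, which the formatter consults for every type name in the stream. It assumes .NET Framework or another target where BinaryFormatter is enabled; AllowListBinder and Greeting are names invented for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical allow-list binder (not the library's own): the formatter asks it to
// resolve every type name in the stream, so an unexpected type is refused before its
// constructor or deserialization callbacks can run.
sealed class AllowListBinder : SerializationBinder
{
    private readonly Dictionary<string, Type> allowed = new Dictionary<string, Type>();

    public AllowListBinder(params Type[] types) { foreach (var t in types) allowed[t.FullName] = t; }

    public override Type BindToType(string assemblyName, string typeName)
    {
        // Match on the full type name only; the assembly name may be version-qualified.
        if (allowed.TryGetValue(typeName, out var t)) return t;
        throw new SerializationException($"Type '{typeName}' is not on the allow list.");
    }
}

[Serializable]
public sealed class Greeting { public int Count; }

static class Program
{
    static void Main()
    {
        var fmt = new BinaryFormatter { Binder = new AllowListBinder(typeof(Greeting)) };

        // Constructed sample: a stream holding an allowed type round-trips normally.
        var ok = new MemoryStream();
        new BinaryFormatter().Serialize(ok, new Greeting { Count = 3 });
        ok.Position = 0;
        var g = (Greeting)fmt.Deserialize(ok);
        Console.WriteLine($"Accepted Greeting with Count={g.Count}");

        // Constructed sample: a root object not on the list is rejected, which is where
        // an unexpected gadget type in a hostile stream would also be stopped.
        var bad = new MemoryStream();
        new BinaryFormatter().Serialize(bad, new List<int> { 1, 2, 3 });
        bad.Position = 0;
        try { fmt.Deserialize(bad); }
        catch (SerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

A binder restricts which types may be materialised; it does not make BinaryFormatter safe for arbitrary input, so it belongs alongside, not instead of, avoiding the formatter for untrusted data where possible.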

Usage

TODO: publish a Nuget package