Fixing the use of insecure deserializers
BinaryFormatter is one of the types that an ASP.NET developer can use to serialize and deserialize data. Microsoft's official BinaryFormatter Security Guide documentation has a strict warning about the use of BinaryFormatter as a deserializer. BinaryFormatter is an insecure type to use because this deserializer does not check the type that it deserializes.
Getting ready
We will use the Online Banking app we used in the previous recipe. Using VS Code, open the sample OnlineBankingApp folder at \Chapter09\insecure-deserializer\before\OnlineBankingApp\.
You can perform the steps in this folder to fix the use of an insecure deserializer.
How to do it…
Let's take a look at the steps for this recipe.
- Open Pages\Loans\Upload.cshtml.cs and examine the code in the OnPostAsync method that makes use of the dangerous BinaryFormatter class to deserialize FileStream:

public async Task OnPostAsync() { ...
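As an added illustration (not code from the book's OnlineBankingApp project, and not necessarily the fix this recipe goes on to apply), the following contrasts the insecure BinaryFormatter pattern with a handler that binds deserialization to one expected type; the Loan type, the JSON payload format, the size limit and the field checks are assumptions made for this example.

```csharp
// Added example: insecure deserialization of an uploaded stream next to a
// hardened replacement. Loan, the JSON format and the limits are assumed.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

public sealed class Loan
{
    public string Applicant { get; set; } = "";
    public decimal Amount { get; set; }
}

public static class LoanUploadHandlers
{
    // INSECURE: BinaryFormatter reconstructs whatever types the payload names,
    // so the uploaded file, not the application, decides what gets instantiated.
    public static Loan DeserializeInsecure(Stream uploaded)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete and unsafe
        var formatter = new BinaryFormatter();
        return (Loan)formatter.Deserialize(uploaded);
#pragma warning restore SYSLIB0011
    }

    // HARDENED: a contract-based serializer bound to a single target type.
    // Type names inside the input are not honoured, the input size is capped,
    // and the resulting object is validated before it is used.
    public static Loan DeserializeSafe(Stream uploaded, long maxBytes = 64 * 1024)
    {
        if (uploaded.CanSeek && uploaded.Length > maxBytes)
            throw new InvalidDataException("Upload exceeds the allowed size.");

        var options = new JsonSerializerOptions { MaxDepth = 8 };
        var loan = JsonSerializer.Deserialize<Loan>(uploaded, options)
                   ?? throw new InvalidDataException("Empty or invalid loan payload.");

        if (loan.Amount <= 0 || string.IsNullOrWhiteSpace(loan.Applicant))
            throw new InvalidDataException("Loan fields failed validation.");

        return loan;
    }
}
```

In a Razor Page handler the uploaded IFormFile's OpenReadStream() would be passed to DeserializeSafe; the SYSLIB0011 warning that the compiler raises on the insecure version is itself a useful detection signal in code review and CI.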