Use System.Text.Json.JsonSerializer instead of BinaryFormatter.

https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
6 years ago · dd19e15fb3
3 changed files with 10 additions and 135 deletions
--- a/framework/src/Volo.Abp.Serialization/Volo/Abp/Serialization/Binary/BinarySerializationHelper.cs
+++ b/framework/src/Volo.Abp.Serialization/Volo/Abp/Serialization/Binary/BinarySerializationHelper.cs
@ -1,126 +0,0 @@
-using System;
-using System.IO;
-using System.Runtime.Serialization;
-using System.Runtime.Serialization.Formatters.Binary;
-
-namespace Volo.Abp.Serialization.Binary
-{
-    /// <summary>
-    /// This class is used to simplify serialization/deserialization operations.
-    /// Uses .NET binary serialization.
-    /// </summary>
-    public static class BinarySerializationHelper
-    {
-        /// <summary>
-        /// Serializes an object and returns as a byte array.
-        /// </summary>
-        /// <param name="obj">object to be serialized</param>
-        /// <returns>bytes of object</returns>
-        public static byte[] Serialize(object obj)
-        {
-            using (var memoryStream = new MemoryStream())
-            {
-                Serialize(obj, memoryStream);
-                return memoryStream.ToArray();
-            }
-        }
-
-        /// <summary>
-        /// Serializes an object into a stream.
-        /// </summary>
-        /// <param name="obj">object to be serialized</param>
-        /// <param name="stream">Stream to serialize in</param>
-        /// <returns>bytes of object</returns>
-        public static void Serialize(object obj, Stream stream)
-        {
-            CreateBinaryFormatter().Serialize(stream, obj);
-        }
-
-        /// <summary>
-        /// Deserializes an object from given byte array.
-        /// </summary>
-        /// <param name="bytes">The byte array that contains object</param>
-        /// <returns>deserialized object</returns>
-        public static object Deserialize(byte[] bytes)
-        {
-            using (var memoryStream = new MemoryStream(bytes))
-            {
-                return Deserialize(memoryStream);
-            }
-        }
-
-        /// <summary>
-        /// Deserializes an object from given stream.
-        /// </summary>
-        /// <param name="stream">The stream that contains object</param>
-        /// <returns>deserialized object</returns> 
-        public static object Deserialize(Stream stream)
-        {
-            return CreateBinaryFormatter().Deserialize(stream);
-        }
-
-        /// <summary>
-        /// Deserializes an object from given byte array.
-        /// Difference from <see cref="Deserialize(byte[])"/> is that; this method can also deserialize
-        /// types that are defined in dynamically loaded assemblies (like PlugIns).
-        /// </summary>
-        /// <param name="bytes">The byte array that contains object</param>
-        /// <returns>deserialized object</returns>        
-        public static object DeserializeExtended(byte[] bytes)
-        {
-            using (var memoryStream = new MemoryStream(bytes))
-            {
-                return CreateBinaryFormatter(true).Deserialize(memoryStream);
-            }
-        }
-
-        /// <summary>
-        /// Deserializes an object from given stream.
-        /// Difference from <see cref="Deserialize(Stream)"/> is that; this method can also deserialize
-        /// types that are defined in dynamically loaded assemblies (like PlugIns).
-        /// </summary>
-        /// <param name="stream">The stream that contains object</param>
-        /// <returns>deserialized object</returns> 
-        public static object DeserializeExtended(Stream stream)
-        {
-            return CreateBinaryFormatter(true).Deserialize(stream);
-        }
-
-        private static BinaryFormatter CreateBinaryFormatter(bool extended = false)
-        {
-            if (extended)
-            {
-                return new BinaryFormatter
-                {
-                    //TODO: AssemblyFormat = System.Runtime.Serialization.Formatters.FormatterAssemblyStyle.Simple,
-                    Binder = new ExtendedSerializationBinder()
-                };
-            }
-            else
-            {
-                return new BinaryFormatter();
-            }
-        }
-
-        /// <summary>
-        /// This class is used in deserializing to allow deserializing objects that are defined
-        /// in assemlies that are load in runtime (like PlugIns).
-        /// </summary>
-        private sealed class ExtendedSerializationBinder : SerializationBinder
-        {
-            public override Type BindToType(string assemblyName, string typeName)
-            {
-                var toAssemblyName = assemblyName.Split(',')[0];
-                foreach (var assembly in AppDomain.CurrentDomain.GetAssemblies())
-                {
-                    if (assembly.FullName.Split(',')[0] == toAssemblyName)
-                    {
-                        return assembly.GetType(typeName);
-                    }
-                }
-
-                return Type.GetType(string.Format("{0}, {1}", typeName, assemblyName));
-            }
-        }
-    }
-}
--- a/framework/src/Volo.Abp.Serialization/Volo/Abp/Serialization/DefaultObjectSerializer.cs
+++ b/framework/src/Volo.Abp.Serialization/Volo/Abp/Serialization/DefaultObjectSerializer.cs
@ -1,8 +1,8 @@
 using System;
+using System.Text.Json;
 using JetBrains.Annotations;
 using Microsoft.Extensions.DependencyInjection;
 using Volo.Abp.DependencyInjection;
-using Volo.Abp.Serialization.Binary;

 namespace Volo.Abp.Serialization
 {
@ -58,12 +58,12 @@ namespace Volo.Abp.Serialization

        protected virtual byte[] AutoSerialize<T>(T obj)
        {
-            return BinarySerializationHelper.Serialize(obj);
+            return JsonSerializer.SerializeToUtf8Bytes(obj);
        }

        protected virtual T AutoDeserialize<T>(byte[] bytes)
        {
-            return (T) BinarySerializationHelper.DeserializeExtended(bytes);
+            return JsonSerializer.Deserialize<T>(bytes);
        }
    }
-}
+}
--- a/framework/test/Volo.Abp.Serialization.Tests/Volo/Abp/Serialization/Objects/CarSerializer.cs
+++ b/framework/test/Volo.Abp.Serialization.Tests/Volo/Abp/Serialization/Objects/CarSerializer.cs
@ -1,5 +1,6 @@
-using Volo.Abp.DependencyInjection;
-using Volo.Abp.Serialization.Binary;
+using System.Text.Json;
+using Volo.Abp.DependencyInjection;
+

 namespace Volo.Abp.Serialization.Objects
 {
@ -8,14 +9,14 @@ namespace Volo.Abp.Serialization.Objects
        public byte[] Serialize(Car obj)
        {
            obj.Name += "-serialized";
-            return BinarySerializationHelper.Serialize(obj);
+            return JsonSerializer.SerializeToUtf8Bytes(obj);
        }

        public Car Deserialize(byte[] bytes)
        {
-            var car = (Car)BinarySerializationHelper.DeserializeExtended(bytes);
+            var car = JsonSerializer.Deserialize<Car>(bytes);
            car.Name += "-deserialized";
            return car;
        }
    }
-}
+}