Update binaryformatter-security-guide.md #43435

Merged
merged 2 commits into from
Nov 13, 2024

Conversation

GrabYourPitchforks
Member

@GrabYourPitchforks GrabYourPitchforks commented Nov 12, 2024

Summary

Reworded a portion of the BinaryFormatter security guide after consultation with the security LT.

  • Removed the word "vulnerability" from a key paragraph. We document that BF is only intended to be used with trusted input, so we would not consider any undesired behavior caused by passing untrusted input to it to be a vulnerability.
  • Clarified that the .NET team is not committed to making code changes in response to binder bypasses or other exploits. The previous wording was somewhat ambiguous and could have been incorrectly interpreted as meaning that .NET would still try to make code changes except when impractical to do so.

Internal previews

File: docs/standard/serialization/binaryformatter-security-guide.md
Preview link: Deserialization risks in use of BinaryFormatter and related types

Contributor

@gewarren gewarren left a comment

I left some style suggestions.

Co-authored-by: Genevieve Warren <[email protected]>
@GrabYourPitchforks GrabYourPitchforks merged commit ef0876b into main Nov 13, 2024
8 checks passed
@GrabYourPitchforks GrabYourPitchforks deleted the levib/bf-security-guide branch November 13, 2024 01:19
@GrabYourPitchforks
Member Author

Thanks for the feedback! :)

3 participants