
Harden transaction request deserialization by removing unsafe TypeNameHandling#1716

Merged
StuartFerguson merged 8 commits into master from copilot/fix-typenamehandling-security-issue on Apr 7, 2026

Conversation

Contributor

Copilot AI commented Apr 7, 2026

  • Review the failing CI workflow and isolate the broken unit test
  • Inspect the handler and existing test coverage for unsupported transaction payloads
  • Update the unsupported-payload handler test to assert the bad-request result safely across environments
  • Run the relevant TransactionProcessor.Tests coverage after the change
  • Run validation checks on the final change


codacy-production Bot commented Apr 7, 2026

Up to standards ✅

Issues: 0 new issues

Metrics: complexity 20, duplication 0

Copilot AI changed the title from "[WIP] Fix security issue with TypeNameHandling Auto in JSON serializer" to "Harden transaction request deserialization by removing unsafe TypeNameHandling" on Apr 7, 2026
Copilot AI requested a review from StuartFerguson April 7, 2026 09:38
@StuartFerguson
Member

@copilot code looks fine but can you address the codacy issues please

Contributor Author

Copilot AI commented Apr 7, 2026

@copilot code looks fine but can you address the codacy issues please

Addressed the Codacy follow-ups in 5bde6c9. I tightened the transaction request deserialization helper to use explicit safe Newtonsoft settings and improved the failure path/messages, then re-ran the focused handler tests and the full TransactionProcessor.Tests project successfully.

Warning: Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • f.feedz.io
    • Triggering command: /usr/bin/dotnet dotnet test /home/REDACTED/work/TransactionProcessor/TransactionProcessor/TransactionProcessor.Tests/TransactionProcessor.Tests.csproj --no-restore -nologo --filter TransactionHandlersTests (dns block)
    • Triggering command: /usr/bin/dotnet dotnet test /home/REDACTED/work/TransactionProcessor/TransactionProcessor/TransactionProcessor.Tests/TransactionProcessor.Tests.csproj --no-restore -nologo --filter TransactionHandlersTests gsign/gh-gpgsign-linux-x86_64 (dns block)
    • Triggering command: /usr/bin/dotnet dotnet test /home/REDACTED/work/TransactionProcessor/TransactionProcessor/TransactionProcessor.Tests/TransactionProcessor.Tests.csproj --no-restore -nologo (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
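The hardening the comment describes, shown as an added C# example that is not the project's own code: the weak TypeNameHandling.Auto settings beside an explicit TypeNameHandling.None configuration, with a deny-all binder as defence in depth and a helper that turns deserialization failures into a result the handler can map to a bad request. The request type, the helper name and the messages are assumptions.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;
// Hypothetical request type standing in for the project's transaction request model.
public sealed class TransactionRequest
{
    public string TransactionId { get; set; }
    public decimal Amount { get; set; }
}
// Defence in depth: a member-level [JsonProperty(TypeNameHandling = ...)] attribute overrides the
// serializer-wide setting, so the binder refuses every type name in case that ever happens.
public sealed class DenyAllBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName) =>
        throw new JsonSerializationException($"Type name metadata is not permitted: {typeName}");

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = null;
    }
}
public static class TransactionRequestDeserializer
{
    // The weak configuration the linked issue reports: Auto honours "$type" on polymorphic members.
    public static readonly JsonSerializerSettings UnsafeSettings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Auto
    };
    // Hardened configuration: "$type" is read as metadata and discarded, never resolved to a type.
    public static readonly JsonSerializerSettings SafeSettings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.None,
        SerializationBinder = new DenyAllBinder()
    };
    // Returns an error string instead of throwing so the handler can map it to a bad-request result.
    public static (TransactionRequest Request, string Error) TryDeserialize(string json)
    {
        try
        {
            var request = JsonConvert.DeserializeObject<TransactionRequest>(json, SafeSettings);
            return request == null ? (null, "Request body was empty.") : (request, null);
        }
        catch (JsonException ex)
        {
            return (null, "Unsupported transaction payload: " + ex.Message);
        }
    }
}
```

A payload carrying a "$type" property deserializes under SafeSettings as a plain TransactionRequest with the metadata ignored, while malformed JSON comes back as an error string rather than an unhandled exception.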

@StuartFerguson StuartFerguson marked this pull request as ready for review April 7, 2026 12:44
@StuartFerguson StuartFerguson merged commit 2e47b7a into master Apr 7, 2026
7 checks passed

Development

Successfully merging this pull request may close these issues.

[Security] TypeNameHandling Auto is unsafe and can lead to arbitrary code execution in the context of the process.
