From 2682e741e48403ed98152fd9942068ad95977170 Mon Sep 17 00:00:00 2001
From: Clement Fauchere
Date: Wed, 3 Apr 2024 14:28:45 -0500
Subject: [PATCH 1/5] back port fix for CVE-2022-23535
---
 LiteDB/LiteDB.csproj | 14 +++++++-------
 LiteDB/Mapper/BsonMapper.Deserialize.cs | 22 +++++++++++++++++++---
 LiteDB/Utils/LiteException.cs | 14 ++++++++++++++
 3 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/LiteDB/LiteDB.csproj b/LiteDB/LiteDB.csproj
index d3e245ddb..8a2ca2725 100644
--- a/LiteDB/LiteDB.csproj
+++ b/LiteDB/LiteDB.csproj
@@ -1,18 +1,18 @@
-
+
- netstandard1.3;netstandard2.0
+ netstandard2.0
- net35;net40;netstandard1.3;netstandard2.0
+ net35;net40;netstandard2.0
 LiteDB
- 4.1.5
- 4.1.5.0
- 4.1.5
- 4.1.5
+ 4.1.6
+ 4.1.6.0
+ 4.1.6
+ 4.1.6
 Maurício David LiteDB LiteDB - A lightweight embedded .NET NoSQL document store in a single datafile
diff --git a/LiteDB/Mapper/BsonMapper.Deserialize.cs b/LiteDB/Mapper/BsonMapper.Deserialize.cs
index d540037a5..a62088d0b 100644
--- a/LiteDB/Mapper/BsonMapper.Deserialize.cs
+++ b/LiteDB/Mapper/BsonMapper.Deserialize.cs
@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Linq;
 using System.Collections;
 using System.Collections.Generic;
@@ -156,9 +156,25 @@ internal object Deserialize(Type type, BsonValue value)
 // test if value is object and has _type
 if (doc.RawValue.TryGetValue("_type", out typeField))
 {
- type = Type.GetType(typeField.AsString);
+ var actualType = Type.GetType(typeField.AsString);
- if (type == null) throw LiteException.InvalidTypedName(typeField.AsString);
+ if (actualType == null) throw LiteException.InvalidTypedName(typeField.AsString);
+
+ // avoid initialize class that are not assignable
+ if (!type.IsAssignableFrom(actualType))
+ {
+ throw LiteException.DataTypeNotAssignable(type.FullName, actualType.FullName);
+ }
+
+ // avoid use of "System.Diagnostics.Process" in object type definition
+ // using String test to work in .netstandard 1.3
+ if (actualType.FullName.Equals("System.Diagnostics.Process", StringComparison.OrdinalIgnoreCase) &&
+ actualType.Assembly.GetName().Name.Equals("System", StringComparison.OrdinalIgnoreCase))
+ {
+ throw LiteException.AvoidUseOfProcess();
+ }
+
+ type = actualType;
 }
 // when complex type has no definition (== typeof(object)) use Dictionary to better set values
 else if (type == typeof(object))
diff --git a/LiteDB/Utils/LiteException.cs b/LiteDB/Utils/LiteException.cs
index e614e49d0..fd6825022 100644
--- a/LiteDB/Utils/LiteException.cs
+++ b/LiteDB/Utils/LiteException.cs
@@ -38,6 +38,8 @@ public class LiteException : Exception
 public const int INVALID_TYPED_NAME = 207;
 public const int NEED_RECOVER = 208;
 public const int PROPERTY_READ_WRITE = 209;
+ public const int DATA_TYPE_NOT_ASSIGNABLE = 214;
+ public const int AVOID_USE_OF_PROCESS = 215;
 #endregion
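Review bot: The assembly-name half of the Process guard, `actualType.Assembly.GetName().Name.Equals("System", StringComparison.OrdinalIgnoreCase)`, is only true where that type ships in an assembly literally named `System`; on a runtime that ships it from a differently named assembly the condition is false and the guard does not fire, while the reason the comment gives for a string test (`.netstandard 1.3`) is removed by this same patch series. With netstandard1.3 gone, a direct comparison is simpler and runtime-independent: `if (actualType == typeof(System.Diagnostics.Process))`. Separately, `type.IsAssignableFrom(actualType)` constrains nothing when the declared member type is `object` (the `else if (type == typeof(object))` branch shows such members exist), so a one-entry denylist is a thin mitigation for `_type`-driven instantiation; admitting only types the mapper has already registered, or an opt-in allowlist supplied by the caller, would close the gap rather than narrow it. Deserialize starts and ends outside the hunk.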
@@ -207,6 +209,18 @@ internal static LiteException SyntaxError(StringScanner s, string message = "Une
 };
 }
+ internal static LiteException DataTypeNotAssignable(string type1, string type2)
+ {
+ {
+ return new LiteException(DATA_TYPE_NOT_ASSIGNABLE, $"Data type {type1} is not assignable from data type {type2}"); return new LiteException(DATA_TYPE_NOT_ASSIGNABLE, $"Data type {type1} is not assignable from data type {type2}");
+ }
+ }
+
+ internal static LiteException AvoidUseOfProcess()
+ {
+ return new LiteException(AVOID_USE_OF_PROCESS, $"LiteDB do not accept System.Diagnostics.Process class in deserialize mapper");
+ }
+
 #endregion
 }
 }
\ No newline at end of file
From b0ea5e0e192b19d28404007664ed5d79255df6a2 Mon Sep 17 00:00:00 2001
From: mbdavid
Date: Fri, 25 Oct 2019 14:02:36 -0300
Subject: [PATCH 2/5] Adding appveyor to signpath
---
 appveyor.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 appveyor.yml
diff --git a/appveyor.yml b/appveyor.yml
new file mode 100644
index 000000000..5217ddd2b
--- /dev/null
+++ b/appveyor.yml
@@ -0,0 +1,27 @@
+version: 5.0.{build}
+branches:
+ only:
+ - master
+ - v4
+image: Visual Studio 2017
+configuration:
+ - Debug
+ - Release
+before_build:
+ - cmd: nuget restore LiteDB.sln
+build:
+ project: LiteDB.sln
+ publish_nuget: true
+ verbosity: minimal
+for:
+-
+ matrix:
+ only:
+ - configuration: Release
+ artifacts:
+ - path: LiteDB\bin\Release\LiteDB*.nupkg
+ deploy:
+ - provider: Webhook
+ url: https://app.signpath.io/API/v1/f5b329b8-705f-4d6c-928a-19465b83716b/Integrations/AppVeyor?ProjectKey=LiteDB.git&SigningPolicyKey=release-signing
+ authorization:
+ secure: 3eLjGkpQC1wg1s5GIEqs7yk/V8OZNnpKmpwdsaloGExc5jMspM4nA7u/UlG5ugraEyXRC05ZxLU4FIfH2V2BEg==
\ No newline at end of file
From 913c29f739191ff848d75f6ed6f5e9e18339597e Mon Sep 17 00:00:00 2001
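Review bot: `DataTypeNotAssignable` is added with a redundant nested `{ }` block and two identical `return` statements on one line; the second return is unreachable (the compiler reports CS0162) and the body reads like a paste accident rather than intent. Reduce it to the shape `AvoidUseOfProcess` already uses: one opening brace, the single line `return new LiteException(DATA_TYPE_NOT_ASSIGNABLE, $"Data type {type1} is not assignable from data type {type2}");`, one closing brace. The `$` prefix on the `AvoidUseOfProcess` message has no interpolation holes and can be dropped.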
From: Clement Fauchere
Date: Fri, 5 Apr 2024 11:20:21 -0500
Subject: [PATCH 3/5] Retarget
---
 LiteDB/LiteDB.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/LiteDB/LiteDB.csproj b/LiteDB/LiteDB.csproj
index 8a2ca2725..7360478de 100644
--- a/LiteDB/LiteDB.csproj
+++ b/LiteDB/LiteDB.csproj
@@ -4,7 +4,7 @@ netstandard2.0
- net35;net40;netstandard2.0
+ net40;netstandard2.0
From 4f4410ed2e450bfbb1f85c3a9339d2fe12263a5e Mon Sep 17 00:00:00 2001
From: Clement Fauchere
Date: Fri, 5 Apr 2024 12:08:56 -0500
Subject: [PATCH 4/5] skip signing
---
 appveyor.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/appveyor.yml b/appveyor.yml
index 5217ddd2b..96b3496a6 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -13,15 +13,15 @@ build:
 project: LiteDB.sln
 publish_nuget: true
 verbosity: minimal
-for:
--
- matrix:
- only:
- - configuration: Release
- artifacts:
- - path: LiteDB\bin\Release\LiteDB*.nupkg
- deploy:
- - provider: Webhook
- url: https://app.signpath.io/API/v1/f5b329b8-705f-4d6c-928a-19465b83716b/Integrations/AppVeyor?ProjectKey=LiteDB.git&SigningPolicyKey=release-signing
- authorization:
- secure: 3eLjGkpQC1wg1s5GIEqs7yk/V8OZNnpKmpwdsaloGExc5jMspM4nA7u/UlG5ugraEyXRC05ZxLU4FIfH2V2BEg==
\ No newline at end of file
+# for:
+# -
+# matrix:
+# only:
+# - configuration: Release
+# artifacts:
+# - path: LiteDB\bin\Release\LiteDB*.nupkg
+# deploy:
+# - provider: Webhook
+# url: https://app.signpath.io/API/v1/f5b329b8-705f-4d6c-928a-19465b83716b/Integrations/AppVeyor?ProjectKey=LiteDB.git&SigningPolicyKey=release-signing
+# authorization:
+# secure: 3eLjGkpQC1wg1s5GIEqs7yk/V8OZNnpKmpwdsaloGExc5jMspM4nA7u/UlG5ugraEyXRC05ZxLU4FIfH2V2BEg==
\ No newline at end of file
From ae16d1f66e0f8f2ca86e9526edc2bac128574c7f Mon Sep 17 00:00:00 2001
From: Clement Fauchere
Date: Fri, 5 Apr 2024 12:09:31 -0500
Subject: [PATCH 5/5] bump version
---
 LiteDB/LiteDB.csproj | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
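Review bot: Commenting the `for:` block out keeps the SignPath webhook URL (integration id and project key in its query string) and the encrypted `secure:` authorization value as live text in the new lines of this hunk, even though nothing reads them any more. Delete the block instead of commenting it out; the original stays recoverable from history if signing is re-enabled, and a one-line comment such as `# release signing via SignPath removed for this fork; see commit history` records the intent better than twelve dead lines.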
diff --git a/LiteDB/LiteDB.csproj b/LiteDB/LiteDB.csproj
index 7360478de..e8d0fef79 100644
--- a/LiteDB/LiteDB.csproj
+++ b/LiteDB/LiteDB.csproj
@@ -9,10 +9,10 @@ LiteDB
- 4.1.6
- 4.1.6.0
- 4.1.6
- 4.1.6
+ 2024.0.1-uipath
+ 2024.0.1
+ 2024.0.1
+ 2024.0.1
 Maurício David LiteDB LiteDB - A lightweight embedded .NET NoSQL document store in a single datafile