When attaching/constructing JsonRpc with a target, all methods are registered into requestMethodToClrMethodMap. Providing more control over this process would be welcome and safer at the same time.
Even when using a separate class which provides only the desired methods, object base methods like 'ToString' are also registered.
Example: registering test class with methods:
TestMethod0, TestMethod1, TestMethod2, TestMethod3
Full list of extra methods:
GetHashCode, GetType, Equals, ToString, ReferenceEquals, Finalize, MemberwiseClone, FieldSetter, FieldGetter, GetFieldInfo
This, depending on the actual implementation, is a vulnerability.
My suggestion is to provide a new attribute (or extend the existing JsonRpcMethodAttribute), which is mandatory for each method published over JsonRPC.
Thanks for reporting this, @VasilijP. I'm going to close this issue with a fix to block methods on System.Object.
Offering the ability to register individual methods is something we might entertain, but if you find that compelling, please file a separate issue for that.
AArnott changed the title from "There is no way how to prevent undesired methods to be registered on the target." to "Methods on System.Object should not be invokable by RPC client" on Aug 23, 2017
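The difference between the three registration policies discussed in this thread, as an added example that is not StreamJsonRpc's code and not part of the original issue: a reflection-built method-name set with no filtering, with System.Object members excluded, and with a mandatory opt-in attribute. `RpcExposedAttribute`, `TestTarget` and `MethodMapDemo` are hypothetical names introduced for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Hypothetical opt-in marker for this example; not a StreamJsonRpc type.
[AttributeUsage(AttributeTargets.Method)]
sealed class RpcExposedAttribute : Attribute { }

// Constructed sample target: one opted-in method, one plain method, one override.
class TestTarget
{
    [RpcExposed] public int TestMethod0() => 0;
    public int TestMethod1() => 1;
    public override string ToString() => "internal state";
}

static class MethodMapDemo
{
    // Walks the whole type hierarchy, so members declared on System.Object are included.
    static IEnumerable<MethodInfo> AllDeclared(Type type)
    {
        for (Type t = type; t != null; t = t.BaseType)
            foreach (MethodInfo m in t.GetTypeInfo().DeclaredMethods)
                yield return m;
    }

    static SortedSet<string> BuildNames(object target, bool skipObject, bool requireOptIn)
    {
        var names = new SortedSet<string>(StringComparer.Ordinal);
        foreach (MethodInfo m in AllDeclared(target.GetType()))
        {
            // GetBaseDefinition() maps an override (e.g. ToString) back to its System.Object slot,
            // so overriding a base method does not re-expose it.
            if (skipObject && m.GetBaseDefinition().DeclaringType == typeof(object)) continue;
            if (requireOptIn && m.GetCustomAttribute<RpcExposedAttribute>() == null) continue;
            names.Add(m.Name);
        }
        return names;
    }

    static void Main()
    {
        var target = new TestTarget();
        Console.WriteLine("no filter:          " + string.Join(", ", BuildNames(target, false, false)));
        Console.WriteLine("skip System.Object: " + string.Join(", ", BuildNames(target, true, false)));
        Console.WriteLine("opt-in only:        " + string.Join(", ", BuildNames(target, true, true)));
    }
}
```

The exact set of System.Object members printed by the unfiltered case depends on the .NET runtime in use.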