Methods on System.Object should not be invokable by RPC client #51

Closed
VasilijP opened this issue Aug 18, 2017 · 1 comment
@VasilijP

When attaching/constructing JsonRpc with a target, all methods are registered into requestMethodToClrMethodMap. Providing more control over this process would be welcome and safer at the same time.
Even when using a separate class which provides only the desired methods, object base methods like 'ToString' are also registered.

Example: registering test class with methods:
TestMethod0, TestMethod1, TestMethod2, TestMethod3

Full list of extra methods:
GetHashCode, GetType, Equals, ToString, ReferenceEquals, Finalize, MemberwiseClone, FieldSetter, FieldGetter, GetFieldInfo

This, depending on the actual implementation, is a vulnerability.

My suggestion is to provide a new attribute (or extend the existing JsonRpcMethodAttribute), which is mandatory for each method published over JsonRPC.

@AArnott
Member

AArnott commented Aug 23, 2017

Thanks for reporting this, @VasilijP. I'm going to close this issue with a fix to block methods on System.Object.

Offering the ability to register individual methods is something we might entertain, but if you find that compelling, please file a separate issue for that.

@AArnott changed the title from "There is no way how to prevent undesired methods to be registered on the target." to "Methods on System.Object should not be invokable by RPC client" Aug 23, 2017
@AArnott closed this as completed Aug 24, 2017
AArnott added a commit that referenced this issue Apr 12, 2022
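
The two mitigations discussed in this thread, shown side by side as an added example (this is not StreamJsonRpc's code or its actual fix): a deny list that drops anything originating on System.Object, and an opt-in allow list. `RpcExposedAttribute`, `Target` and `RpcMethodMap` are hypothetical names constructed for the illustration, and the hierarchy walk is an assumption about how a naive registration could pick up the base methods.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Hypothetical opt-in marker for this example; not a StreamJsonRpc type.
[AttributeUsage(AttributeTargets.Method)]
sealed class RpcExposedAttribute : Attribute { }

// Constructed target: only TestMethod0 and TestMethod1 are meant for RPC.
class Target
{
    [RpcExposed] public string TestMethod0() => "0";
    [RpcExposed] public string TestMethod1() => "1";
    public void InternalHelper() { }                 // public, but not for RPC
    public override string ToString() => "secret";   // override of an Object method
}

static class RpcMethodMap
{
    // Every method declared anywhere in the hierarchy, as a naive registration sees it.
    static IEnumerable<MethodInfo> AllMethods(Type type)
    {
        for (var t = type; t != null; t = t.BaseType)
            foreach (MethodInfo m in t.GetTypeInfo().DeclaredMethods)
                yield return m;
    }

    static string[] Names(IEnumerable<MethodInfo> methods) =>
        methods.Select(m => m.Name).Distinct().OrderBy(n => n, StringComparer.Ordinal).ToArray();
    // Before: System.Object members become dispatchable names.
    public static string[] Naive(Type t) => Names(AllMethods(t));
    // Deny list: GetBaseDefinition() also drops overrides such as Target.ToString.
    public static string[] WithoutObjectMethods(Type t) =>
        Names(AllMethods(t).Where(m => m.GetBaseDefinition().DeclaringType != typeof(object)));

    // Allow list: only public methods that carry the opt-in attribute.
    public static string[] OptIn(Type t) =>
        Names(AllMethods(t).Where(m => m.IsPublic && m.IsDefined(typeof(RpcExposedAttribute), false)));
}

static class Program
{
    static void Main()
    {
        Console.WriteLine("naive:      " + string.Join(", ", RpcMethodMap.Naive(typeof(Target))));
        Console.WriteLine("deny list:  " + string.Join(", ", RpcMethodMap.WithoutObjectMethods(typeof(Target))));
        Console.WriteLine("allow list: " + string.Join(", ", RpcMethodMap.OptIn(typeof(Target))));
    }
}
```

The deny list still leaves `InternalHelper` callable, which is the gap the opt-in attribute suggested in the issue closes.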