
Remove unsafe Json.NET type metadata from transaction request serialization #529

Merged: StuartFerguson merged 3 commits into main from copilot/fix-typenamhandling-security-issue on Apr 6, 2026

Conversation

Contributor

Copilot AI commented Apr 6, 2026

TransactionService was serializing outbound request DTOs with TypeNameHandling.All, which causes Json.NET to emit $type metadata and is unsafe in security-sensitive paths. This change removes that behavior from the mobile transaction request pipeline and adds coverage to prevent it from reappearing.

  • Serialization change

    • Replaced the explicit JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All } usage in TransactionService.SendTransactionRequest(...) with standard Json.NET serialization.
    • This keeps the request payload as plain JSON for the concrete DTOs already used by the service.
  • Regression coverage

    • Added a focused TransactionService test that captures the outbound logon request payload and verifies:
      • no $type metadata is emitted
      • expected request fields are still serialized
  • Result

    • Outgoing transaction requests no longer include polymorphic type metadata.
    • Existing request shape is preserved for the concrete request models used by the service.
```csharp
// Before
String requestSerialised = JsonConvert.SerializeObject(
    request,
    new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All });

// After
String requestSerialised = JsonConvert.SerializeObject(request);
```


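The serialization change and the regression check described in the PR body, as an added example that is not part of the PR's or the project's code. It serialises a hypothetical LogonRequestDto (the service's real request types are not shown on this page) both the old way and the new way, then checks for "$type" properties anywhere in the document and for the expected fields; it assumes Newtonsoft.Json is referenced.

```csharp
using System;
using System.Linq;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
// Hypothetical request DTO; the service's real request types are not shown on this page.
public sealed class LogonRequestDto
{
    public string DeviceIdentifier { get; set; }
    public DateTime TransactionDateTime { get; set; }
}

public static class TypeMetadataCheck
{
    // The pattern the PR removed: Json.NET stamps "$type" (type and assembly name) on the
    // root object and on every nested object, which a TypeNameHandling-enabled consumer would honour.
    public static string SerialiseWithTypeNames(object request) =>
        JsonConvert.SerializeObject(request,
            new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All });

    // The pattern the PR switched to: default settings, i.e. TypeNameHandling.None.
    public static string SerialisePlain(object request) =>
        JsonConvert.SerializeObject(request);

    // Regression check in the spirit of the PR's test: true if a "$type" property appears
    // anywhere in the document, not only at the root.
    public static bool ContainsTypeMetadata(string json) =>
        JObject.Parse(json).Descendants().OfType<JProperty>().Any(p => p.Name == "$type");

    // The other half of that test: the expected request fields are still present.
    public static bool HasExpectedFields(string json, params string[] fields)
    {
        JObject obj = JObject.Parse(json);
        return fields.All(f => obj[f] != null);
    }

    public static void Main()
    {
        var request = new LogonRequestDto   // constructed sample values
        {
            DeviceIdentifier = "device-0001",
            TransactionDateTime = new DateTime(2026, 4, 6, 10, 10, 0, DateTimeKind.Utc)
        };
        string withTypeNames = SerialiseWithTypeNames(request);
        string plain = SerialisePlain(request);
        Console.WriteLine(withTypeNames);
        Console.WriteLine(plain);
        Console.WriteLine($"$type present, old: {ContainsTypeMetadata(withTypeNames)}, new: {ContainsTypeMetadata(plain)}");
        Console.WriteLine($"fields preserved, new: {HasExpectedFields(plain, "DeviceIdentifier", "TransactionDateTime")}");
    }
}
```

The check walks every descendant property rather than only the root because TypeNameHandling.All also annotates nested objects and collections.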

codacy-production Bot commented Apr 6, 2026

Up to standards ✅

🟢 Issues: 0 new issues

🟢 Metrics: 0 complexity · 0 duplication

Metric       Result
Complexity   0
Duplication  0


Copilot AI changed the title from "[WIP] Fix TypeNameHandling All unsafe usage in TransactionService" to "Remove unsafe Json.NET type metadata from transaction request serialization" on Apr 6, 2026
Copilot AI requested a review from StuartFerguson on April 6, 2026 at 10:10
StuartFerguson marked this pull request as ready for review on April 6, 2026 at 19:34
StuartFerguson merged commit 1aae793 into main on Apr 6, 2026
11 of 12 checks passed


Development

Successfully merging this pull request may close this issue:

[Security] TypeNameHandling All is unsafe and can lead to arbitrary code execution in the context of the process.

2 participants