From d7a5239969307b21d2bc1e5a21fb8f5ba038fdb8 Mon Sep 17 00:00:00 2001
From: Pedro Debevere
Date: Tue, 16 Sep 2025 08:39:37 +0200
Subject: [PATCH 1/2] Added method KnownExploitableTypes.IsKnownExploitableType(string typeFullName)
---
 .../KnownExploitableTypesTests.cs | 27 +++++++++++++++++++
 .../KnownExploitableTypes.cs | 23 ++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 SecureCoding.Test/SecureSerialization/KnownExploitableTypesTests.cs
diff --git a/SecureCoding.Test/SecureSerialization/KnownExploitableTypesTests.cs b/SecureCoding.Test/SecureSerialization/KnownExploitableTypesTests.cs
new file mode 100644
index 0000000..373e89e
--- /dev/null
+++ b/SecureCoding.Test/SecureSerialization/KnownExploitableTypesTests.cs
@@ -0,0 +1,27 @@
+namespace SecureCoding.SecureSerialization.Tests
+{
+ using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+ [TestClass()]
+ public class KnownExploitableTypesTests
+ {
+ [DataTestMethod]
+ [DataRow("System.Data.DataSet", true)]
+ [DataRow("System.Security.Principal.WindowsIdentity", true)]
+ [DataRow("System.Management.Automation.PSObject", true)]
+ [DataRow("System.String", false)]
+ [DataRow("System.Int32", false)]
+ [DataRow("System.Collections.Generic.List`1", false)]
+ [DataRow("system.data.dataset", true)]
+ [DataRow("SYSTEM.SECURITY.PRINCIPAL.WINDOWSIDENTITY", true)]
+ [DataRow("system.management.automation.psobject", true)]
+ [DataRow("system.string", false)]
+ [DataRow("SYSTEM.INT32", false)]
+ public void IsKnownExploitableTypeTest(string typeFullName, bool expected)
+ {
+ bool actual = KnownExploitableTypes.IsKnownExploitableType(typeFullName);
+
+ Assert.AreEqual(expected, actual);
+ }
+ }
+}
\ No newline at end of file
diff --git a/SecureCoding/SecureSerialization/KnownExploitableTypes.cs b/SecureCoding/SecureSerialization/KnownExploitableTypes.cs
index b82d293..8821e0b 100644
--- a/SecureCoding/SecureSerialization/KnownExploitableTypes.cs
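Review bot: The new test class only exercises exact names and none of the documented failure paths of `IsKnownExploitableType(string)`, so it would not notice if the comparison became a substring or prefix match or if the argument checks regressed. Add rows that pin the exact-match contract, e.g. `[DataRow("System.Data", false)]` and `[DataRow("System.Data.DataSet, System.Data", false)]`, and a test for the exceptions: `Assert.ThrowsException<ArgumentNullException>(() => KnownExploitableTypes.IsKnownExploitableType(null));` and `Assert.ThrowsException<ArgumentException>(() => KnownExploitableTypes.IsKnownExploitableType("   "));`. Style: `[TestClass()]` can be written `[TestClass]`, and the file is missing its trailing newline.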
+++ b/SecureCoding/SecureSerialization/KnownExploitableTypes.cs
@@ -58,6 +58,29 @@ public static bool IsKnownExploitableType(this Type type)
 return Contains(type);
 }
 
+ ///
+ /// Determines whether the specified type name matches a known exploitable type.
+ ///
+ /// The fully qualified name of the type to check.
+ /// if the specified type name matches any known exploitable type; otherwise, .
+ /// is .
+ /// is empty or consists only of whitespace.
+ /// A case-insensitive comparison of the type name is performed.
+ public static bool IsKnownExploitableType(string typeFullName)
+ {
+ if( typeFullName is null)
+ {
+ throw new ArgumentNullException(nameof(typeFullName));
+ }
+
+ if (string.IsNullOrWhiteSpace(typeFullName))
+ {
+ throw new ArgumentException(nameof(typeFullName));
+ }
+
+ return knownExploitableTypes.Exists(t => String.Equals(typeFullName, t, StringComparison.OrdinalIgnoreCase));
+ }
+
 ///
 /// Adds a new exploitable type to the list of known exploitable types, if it's not already present.
 ///
From fdb3ec62753d1be9a8389900a8d81136cdbd8008 Mon Sep 17 00:00:00 2001
From: Pedro Debevere <97611683+PedroDebevere@users.noreply.github.com>
Date: Tue, 16 Sep 2025 10:26:06 +0200
Subject: [PATCH 2/2] Update SecureCoding/SecureSerialization/KnownExploitableTypes.cs
Co-authored-by: Seppe Dejonckheere <114159895+SeppeDejonckheere@users.noreply.github.com>
---
 SecureCoding/SecureSerialization/KnownExploitableTypes.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SecureCoding/SecureSerialization/KnownExploitableTypes.cs b/SecureCoding/SecureSerialization/KnownExploitableTypes.cs
index 8821e0b..171e4fd 100644
--- a/SecureCoding/SecureSerialization/KnownExploitableTypes.cs
+++ b/SecureCoding/SecureSerialization/KnownExploitableTypes.cs
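Review bot: In the PATCH 1/2 hunk that adds `IsKnownExploitableType(string)`, `throw new ArgumentException(nameof(typeFullName))` passes the parameter name as the exception *message*, so the thrown exception has no `ParamName` and its text is just "typeFullName"; use the two-argument overload, `throw new ArgumentException("Value cannot be empty or consist only of whitespace.", nameof(typeFullName));`. The `<param>` doc should also pin down the expected form: the comparison is an ordinal whole-string equality against entries such as `System.Data.DataSet`, so an assembly-qualified name (the form type metadata usually takes inside a serialized payload) or a name with surrounding whitespace does not match and is reported as not exploitable, which is a false negative for a deny list; stating that the argument is the namespace-qualified name as returned by `Type.FullName`, without assembly qualification, keeps callers from trusting that result. `knownExploitableTypes` appears to be a `List<string>` given the `Exists` call, but its declaration is outside this hunk. Minor style: `if( typeFullName is null)` and `String.Equals` should be `if (typeFullName is null)` and `string.Equals` to match the rest of the method.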
@@ -78,7 +78,7 @@ public static bool IsKnownExploitableType(string typeFullName)
 throw new ArgumentException(nameof(typeFullName));
 }
 
- return knownExploitableTypes.Exists(t => String.Equals(typeFullName, t, StringComparison.OrdinalIgnoreCase));
+return knownExploitableTypes.Exists(t => t.toLower().Contains(typeFullName.toLower()));
 }
 
 ///
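Review bot: The replacement line does not compile and weakens the check: `toLower` is not a .NET `string` method (`ToLower` is), and `t.toLower().Contains(typeFullName.toLower())` turns the first commit's exact match into a substring match, so a partial name such as `System.Data` is now reported as exploitable while an assembly-qualified name is still not, and culture-sensitive lower-casing makes the outcome depend on the current culture. For a deny list the ordinal whole-string comparison is the contract the doc comment's remark and the tests from the first commit describe (the tests would not catch the substring behaviour, but they would fail to build); restore it as `return knownExploitableTypes.Exists(t => string.Equals(typeFullName, t, StringComparison.OrdinalIgnoreCase));`. The added line has also lost its indentation. The opening of `IsKnownExploitableType` is outside this hunk.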