Hyperion/RELEASE_NOTES.md

0.12.2 March 31 2022

• Fix deserialization type cache was shared between multiple serializer instances

0.12.1 March 23 2022

• Fix disallow-unsafe-type Akka.NET settings and harden unsafe type detection 301
• Bump Akka version from 1.4.34 to 1.4.35

0.12.0 January 12 2022

• Allow explicit control over which types can be deserialized #281

We've expanded our deserialization safety check to block dangerous types from being deserialized; we recommend this method as a best practice to prevent deserialization of untrusted data. You can now create a custom deserialize layer type filter programmatically:

var typeFilter = TypeFilterBuilder.Create()
    .Include<AllowedClassA>()
    .Include<AllowedClassB>()
    .Build();
var options = SerializerOptions.Default
    .WithTypeFilter(typeFilter);
var serializer = new Serializer(options);

For complete documentation, please read the readme on filtering types for secure deserialization.

0.11.2 October 7 2021

• Fix exception thrown during deserialization when preserve object reference was turned on and a surrogate instance was inserted into a collection multiple times. #264
• Add support for AggregateException serialization. #266

0.11.1 August 17 2021

• Add unsafe deserialization type blacklist
• Bump Akka version from 1.4.21 to 1.4.23

We've added a deserialization safety check to block dangerous types from being deserialized. This is done to add a layer of security from possible code injection and code execution attack. Currently it is an all or nothing feature that can be turned on and off by using the new DisallowUnsafeTypes flag inside SerializerOptions (defaults to true).

The unsafe types that are currently blocked are:

• System.Security.Claims.ClaimsIdentity
• System.Windows.Forms.AxHost.State
• System.Windows.Data.ObjectDataProvider
• System.Management.Automation.PSObject
• System.Web.Security.RolePrincipal
• System.IdentityModel.Tokens.SessionSecurityToken
• SessionViewStateHistoryItem
• TextFormattingRunProperties
• ToolboxItemContainer
• System.Security.Principal.WindowsClaimsIdentity
• System.Security.Principal.WindowsIdentity
• System.Security.Principal.WindowsPrincipal
• System.CodeDom.Compiler.TempFileCollection
• System.IO.FileSystemInfo
• System.Activities.Presentation.WorkflowDesigner
• System.Windows.ResourceDictionary
• System.Windows.Forms.BindingSource
• Microsoft.Exchange.Management.SystemManager.WinForms.ExchangeSettingsProvider
• System.Diagnostics.Process
• System.Management.IWbemClassObjectFreeThreaded

0.11.0 July 8 2021

• Fix array of user defined structs serialization failure
• Remove dynamic keyword usage from array serializer
• Change field ordering to ordinal

Possible breaking changes

The change to the object serializer field ordering might cause a deserialization failure of persisted objects that are serialized using the Hyperion serializer.

Please report any serialization problem that occurs after an upgrade to this version at the issue tracker

0.10.2 June 30 2021

• Update Akka version to 1.4.21
• Add exception rethrow to help with debugging

0.10.1 April 20 2021

• Fix SerializerOptions constructor backward compatibility issue with Akka.NET