upate tutorial; expose Disable* properties to C# wrapper lib

mbraceproject · Jul 19, 2016 · b79fedb · b79fedb
1 parent 9170814
commit b79fedb
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/docs/content/tutorial.fsx b/docs/content/tutorial.fsx
@@ -8,6 +8,7 @@
 #r "FsPickler.Json.dll"
 
 let stream = Unchecked.defaultof<System.IO.Stream>
+let serializer = Unchecked.defaultof<Nessos.FsPickler.FsPicklerSerializer>
 let textWriter = Unchecked.defaultof<System.IO.TextWriter>
 let textReader = Unchecked.defaultof<System.IO.TextReader>
 
@@ -589,6 +590,36 @@ let types = FsPickler.GatherTypesInObjectGraph [box 42 ; box (Some (42, "42"))]
 
 (**
 
+### Disabling Subtype Resolution
+
+For security reasons, it might often be desirable to disable subtype resolution
+when serializing classes:
+
+*)
+
+serializer.DisableSubtypeResolution <- true
+
+(**
+
+This essentially disables the serialization of any object whose declaring type
+is specified on the serialization format. Attempting to serialize or deserialize
+any such object will result in a serialization exception.
+
+Note that enabling this option prevents serialization of the following types:
+  
+  * `System.Object` or any non-sealed class.
+  * Any delegate instance or F# function.
+  * Any ISerializable class.
+
+As a further precaution, it is also possible to disable implicit assembly loading
+when deserializing objects:
+
+*)
+
+serializer.DisableAssemblyLoading <- true
+
+(**
+
 ## Defining Custom Pickle Formats
 
 It is possible to create user-defined pickle formats for FsPickler. One simply needs to implement the interface

diff --git a/src/FsPickler.CSharp/Serializer.cs b/src/FsPickler.CSharp/Serializer.cs
@@ -15,6 +15,28 @@ public abstract class CsPicklerSerializer
     {
         private FSP.FsPicklerSerializer _serializer;
 
+
+        /// <summary>
+        /// Declares that dynamic subtype resolution should be disabled during serialization.
+        /// This explicitly prohibits serialization/deserialization of any objects whose type
+        /// is specified in the serialization payload. Examples of such types are System.Object,
+        /// F# functions and delegates. Defaults to false.
+        /// </summary>
+        public bool DisableSubtypeResolution
+        {
+            get { return _serializer.DisableSubtypeResolution; }
+            set { _serializer.DisableSubtypeResolution = value; }
+        }
+
+        /// Declares that FsPickler should make no attempt of its own to load Assemblies
+        /// that are specified in the serialization format. Will result in a deserialization
+        /// exception if required assembly is missing from the current AppDomain. Defaults to false.
+        public bool DisableAssemblyLoading
+        {
+            get { return _serializer.DisableAssemblyLoading; }
+            set { _serializer.DisableAssemblyLoading = value; }
+        }
+
         /// <summary>
         ///     Wraps an FsPickler instance in a C# friendly facade.
         /// </summary>