Class SecuritySettings

Namespace
Nerdbank.MessagePack
Assembly
Nerdbank.MessagePack.dll

Security settings that may be applied to serialization.

public record SecuritySettings : IEquatable<SecuritySettings>
Inheritance
SecuritySettings

Implements
IEquatable<SecuritySettings>

Remarks

Applications may derive from this class to add settings that their own custom converters honor. Any added setting should have a secure default.

Constructors

SecuritySettings()

Initializes a new instance of the SecuritySettings class with secure defaults (those matching the values found in UntrustedData).

public SecuritySettings()

Fields

TrustedData

Default settings to use with trusted data.

public static readonly SecuritySettings TrustedData

Field Value

SecuritySettings

Remarks

This value is optimized for high performance assuming the data is trustworthy, and should not be used with untrusted data.

UntrustedData

Default settings to use when (de)serializing untrusted data.

public static readonly SecuritySettings UntrustedData

Field Value

SecuritySettings

Remarks

This value is optimized for security when processing untrusted data.

Properties

ExpandoObjectMaxPropertyCount

Gets the maximum number of properties that an ExpandoObject may have during (de)serialization when using WithExpandoObjectConverter(MessagePackSerializer).

public int ExpandoObjectMaxPropertyCount { get; init; }

Property Value

int

Remarks

This limit is important because deserializing an ExpandoObject is an O(n²) operation where n is the number of properties on the object. While serializing a large ExpandoObject is not a performance risk, the setting is honored during both serialization and deserialization to allow early detection when an object may fail to round-trip due to this limit.

MaxCollectionPreallocation

Gets the largest capacity that a collection should be precreated with during deserialization.

public int MaxCollectionPreallocation { get; init; }

Property Value

int

Remarks

Collections are allowed to grow to any size during deserialization regardless of this value. This value influences the initial capacity of collections created during deserialization, which can help mitigate DoS attacks that attempt to cause excessive memory allocations using only small payloads.
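The following is an added example, not code from Nerdbank.MessagePack, showing how a custom converter would honor MaxCollectionPreallocation (the capacity clamp described above) and how an application might derive its own settings record with a secure default, as the class Remarks suggest. AppSecuritySettings, SafeAllocation, CreateList and MaxStringLength are hypothetical names; only SecuritySettings, UntrustedData and MaxCollectionPreallocation come from the library.

```csharp
using System;
using System.Collections.Generic;
using Nerdbank.MessagePack;

// Hypothetical derived settings. The new setting gets a conservative
// default so callers who never set it still get safe behavior.
public record AppSecuritySettings : SecuritySettings
{
    // Largest string a custom converter in this app will accept (bytes).
    public int MaxStringLength { get; init; } = 4 * 1024;
}

public static class SafeAllocation
{
    // Size a List<T> for an array whose MessagePack header declares
    // 'declaredCount' elements. The count comes from the payload, so it is
    // clamped to MaxCollectionPreallocation; List<T> still grows past that
    // if the payload really does carry that many elements.
    public static List<T> CreateList<T>(int declaredCount, SecuritySettings settings)
    {
        if (declaredCount < 0)
            throw new ArgumentOutOfRangeException(nameof(declaredCount));
        int capacity = Math.Min(declaredCount, settings.MaxCollectionPreallocation);
        return new List<T>(capacity);
    }

    public static void Main()
    {
        // Start from the secure defaults and tighten the allocation budget.
        // 'with' is valid because SecuritySettings is a record with init-only properties.
        SecuritySettings untrusted = SecuritySettings.UntrustedData with
        {
            MaxCollectionPreallocation = 1024,
        };

        // Constructed hostile input: a 5-byte array32 header can claim
        // billions of elements while the payload itself stays tiny.
        int hostileDeclaredCount = int.MaxValue;

        List<byte> list = CreateList<byte>(hostileDeclaredCount, untrusted);
        Console.WriteLine($"initial capacity = {list.Capacity}"); // 1024, not 2 GiB

        // The derived record inherits the base settings and adds its own.
        var app = new AppSecuritySettings { MaxCollectionPreallocation = 256 };
        Console.WriteLine($"prealloc = {app.MaxCollectionPreallocation}, " +
                          $"max string = {app.MaxStringLength}");
    }
}
```

A converter that pre-sizes collections from TrustedData settings skips this protection by design, so that path belongs only behind inputs whose origin is already authenticated.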