c# BinaryFormatter replacement

Question

c# BinaryFormatter replacement

1.1k Views Asked by Loch At 28 March 2023 at 05:06

Currently i'm using BinaryFormatter to serialize my objects (which are string[] and byte[])

BinaryFormatter has security vulnerabilities when method. the Deserialize method can be used as a vector for attackers to perform DoS attacks against consuming apps.

There is a option to add serializationbinder to BinaryFormatter and implement the method to BindToType where we can limit what types are allowed to be deserialized.

I'm looking for BinaryFormatter alternative to serialize and Deserialize the objects in my code.

{
  class Program
  {
    static void Main(string[] args)
    {
      string[] cars = { "Volvo", "BMW", "Ford", "Mazda" };

      var item = new Item
      {
        Name = "Orange"
      };

      var bytes = SerializeData(item);      
      var deserializedData = DeserializeData(bytes);
    }

    private static byte[] SerializeData(object obj)
    {
      var binaryFormatter = new BinaryFormatter();
      using (var memoryStream = new MemoryStream())
      {
        binaryFormatter.Serialize(memoryStream, obj);
        return memoryStream.ToArray();
      }
    }
    private static object DeserializeData(byte[] bytes)
    {
      var binaryFormatter = new BinaryFormatter
      {
        Binder = new TestSerializationBinder()
      };

      using (var memoryStream = new MemoryStream(bytes))
        return binaryFormatter.Deserialize(memoryStream);
    }
  }
  [Serializable]
  public class Item
  {
    private string _name;
    public string Name
    {
      get { return _name; }
      set { _name = value; }
    }
  }
  public class TestSerializationBinder : SerializationBinder
  {
    public override Type BindToType(string assemblyName, string typeName)
    {
      if (typeName.Equals("TestBinder.Item"))
        return typeof(Item);
      if (typeName.Equals("System.String[]"))
        return typeof(string[]);
      return null;
    }
  }
}bina```

Original Q&A

There are 2 best solutions below

**Ebbelink** · Answer 1 · 2023-09-26T14:44:54.617000

This can be achieved by using the JsonSerializer in System.Text.Json. It might seem a bit confusing to have binary serialization in a namespace that seems to focus on json but it is what it is. This namespace has been available since around .net core 3 and is hopefully available to you as well.

To serialize any object to a byte[]

byte[] bytes = System.Text.Json.JsonSerializer.SerializeToUtf8Bytes(requestBody);

To deserialize this byte[] back to an object

MemoryStream ms = new MemoryStream(bytes);
var originalObject = System.Text.Json.JsonSerializer.Deserialize<HttpRequest>(ms);

If this is not the case Newtonsoft also has similar ways of serializing to byte[]

**Kirill Osenkov** · Answer 2 · 2023-12-31T04:50:25.710000

For string arrays, if you need to preserve exact binary compatibility with BinaryFormatter, I wrote a manual replacement that produces the exact same bytes. I imagine it wouldn't be too hard to tune it for other arrays. I had to reverse engineer how BinaryFormatter works and debug how it writes bytes to the stream.

public class StringArrayBinaryFormatter
{
    public static byte[] Serialize(string[] array)
    {
        var stream = new MemoryStream();
        Serialize(stream, array);
        return stream.ToArray();
    }

    public static void Serialize(Stream stream, string[] array)
    {
        var binaryWriter = new BinaryWriter(stream);
        Serialize(binaryWriter, array);
    }

    private static byte[] header = new byte[] 
    {
        0x00, // binaryHeaderEnum
        0x01, 0x00, 0x00, 0x00, // topId 1
        0xff, 0xff, 0xff, 0xff, // headerId -1
        0x01, 0x00, 0x00, 0x00, // binaryFormatterMajorVersion 1
        0x00, 0x00, 0x00, 0x00, // binaryFormatterMinorVersion 0
    };

    public static void Serialize(BinaryWriter writer, string[] array)
    {
        int objectId = 1;

        writer.Write(header);

        writer.Write((byte)0x11); // BinaryHeaderEnum.ArraySingleString
        writer.Write(objectId++);
        writer.Write(array.Length);

        for (int i = 0; i < array.Length; i++)
        {
            writer.Write((byte)0x06); // WriteKnownValueClass WriteString
            writer.Write(objectId++);
            writer.Write(array[i]);
        }

        writer.Write((byte)0x0b);
    }

    public static string[] Deserialize(byte[] bytes)
    {
        var stream = new MemoryStream(bytes);
        return Deserialize(stream);
    }

    public static string[] Deserialize(Stream stream)
    {
        var reader = new BinaryReader(stream);
        return Deserialize(reader);
    }

    public static string[] Deserialize(BinaryReader reader)
    {
        for (int i = 0; i < 17 + 1 + 4; i++)
        {
            reader.ReadByte();
        }

        int length = reader.ReadInt32();
        string[] array = new string[length];

        for (int i = 0; i < length; i++)
        {
            reader.ReadByte(); // 0x06
            reader.ReadInt32(); // object id
            string str = reader.ReadString();
            array[i] = str;
        }

        reader.ReadByte();

        return array;
    }
}

c# BinaryFormatter replacement

There are 2 best solutions below

Related Questions in C#

Related Questions in .NET

Related Questions in BINARYFORMATTER

Trending Questions

Popular # Hahtags

Popular Questions