Here's a summary of what's new in .NET Libraries in this preview release:
- Option to disallow duplicate JSON properties
- Strict JSON serialization options
- Post-Quantum Cryptography (PQC)
.NET Libraries updates in .NET 10:
- What's new in .NET 10 documentation
The JSON specification does not say how duplicate properties should be handled when deserializing a payload, so different parsers resolve them differently (first wins, last wins, or error). That ambiguity can lead to unexpected results and to security vulnerabilities when two components disagree about which value applies. For example, see bishopfox.com JSON Interoperability Vulnerabilities and NVD CVE-2017-12635. This release introduces the AllowDuplicateProperties option; setting it to false makes the deserializer reject duplicate JSON properties:
```csharp
string json = """{ "Value": 1, "Value": -1 }""";
Console.WriteLine(JsonSerializer.Deserialize<MyRecord>(json).Value); // -1

JsonSerializerOptions options = new() { AllowDuplicateProperties = false };

JsonSerializer.Deserialize<MyRecord>(json, options); // throws JsonException
JsonSerializer.Deserialize<JsonObject>(json, options); // throws JsonException
JsonSerializer.Deserialize<Dictionary<string, int>>(json, options); // throws JsonException

JsonDocumentOptions docOptions = new() { AllowDuplicateProperties = false };
JsonDocument.Parse(json, docOptions); // throws JsonException

record MyRecord(int Value);
```

Duplicate detection works by checking whether a value is assigned more than once during deserialization, so it works as expected alongside other options such as case sensitivity and naming policy.
The JSON serializer accepts many options to customize serialization and deserialization, but the defaults may be too relaxed for some applications. This release adds a new JsonSerializerOptions.Strict preset that follows best practices by enabling the following options:
- Applies the JsonUnmappedMemberHandling.Disallow policy
- Disables AllowDuplicateProperties
- Preserves case-sensitive property binding
- Enables both the RespectNullableAnnotations and RespectRequiredConstructorParameters settings
These options are read-compatible with JsonSerializerOptions.Default: an object serialized with JsonSerializerOptions.Default can be deserialized with JsonSerializerOptions.Strict.
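As an added example (not code from the release notes), the following console program feeds constructed payloads to a positional record under both presets, one payload per setting the Strict preset turns on, so the difference between the relaxed and strict behaviour can be seen side by side. It assumes the presets are the static Default and Strict properties on JsonSerializerOptions and that nullable reference types are enabled, which RespectNullableAnnotations relies on.

```csharp
using System;
using System.Text.Json;

#nullable enable

// Constructed payload type: a positional record, so every property is also a
// constructor parameter and Account carries a non-nullable annotation.
public record Transfer(string Account, int Amount);

public static class StrictPresetDemo
{
    // Constructed inputs, each chosen to exercise one setting of the Strict preset.
    public static readonly (string Label, string Json)[] Samples =
    {
        ("duplicate property",     """{ "Account": "A", "Amount": 10, "Amount": -10 }"""),
        ("unmapped member",        """{ "Account": "A", "Amount": 10, "Approved": true }"""),
        ("case-mismatched names",  """{ "account": "A", "amount": 10 }"""),
        ("null into non-nullable", """{ "Account": null, "Amount": 10 }"""),
        ("missing ctor parameter", """{ "Account": "A" }"""),
    };

    // Returns true if the payload deserializes under the given options,
    // false if System.Text.Json rejects it with a JsonException.
    public static bool Accepts(string json, JsonSerializerOptions options, out Transfer? value)
    {
        try
        {
            value = JsonSerializer.Deserialize<Transfer>(json, options);
            return true;
        }
        catch (JsonException)
        {
            value = null;
            return false;
        }
    }

    public static void Main()
    {
        foreach (var (label, json) in Samples)
        {
            bool relaxed = Accepts(json, JsonSerializerOptions.Default, out Transfer? parsed);
            bool strict = Accepts(json, JsonSerializerOptions.Strict, out _);
            string relaxedResult = relaxed ? $"accepted as {parsed}" : "rejected";
            string strictResult = strict ? "accepted" : "rejected";
            Console.WriteLine($"{label,-24} Default: {relaxedResult,-45} Strict: {strictResult}");
        }
    }
}
```

Under Default the "case-mismatched names" and "missing ctor parameter" payloads silently produce a Transfer with default values (null Account, zero Amount), which is exactly the kind of coercion a validation layer downstream would not expect.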
Windows recently announced Post-Quantum Cryptography support in a blog post, and in this release we have started adding Windows CNG support for it to .NET. The following code from the previous release notes now also works on Windows versions with PQC support:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

internal static class MLDsaVerification
{
    private static bool ValidateMLDsaSignature(ReadOnlySpan<byte> data, ReadOnlySpan<byte> signature, string publicKeyPath)
    {
        // Load the ML-DSA public key from a PEM file and verify the signature over data.
        string publicKeyPem = File.ReadAllText(publicKeyPath);
        using (MLDsa key = MLDsa.ImportFromPem(publicKeyPem))
        {
            return key.VerifyData(data, signature);
        }
    }
}
```

We are also working on adding downlevel support in Microsoft.Bcl.Cryptography to allow use on .NET Framework. Try out the feature now by installing a Windows Insider build (only available in the Canary Channel at this time).