Security Exception After Upgrading to 2.6.2

Bug #1086975 reported by Simone Busoli
This bug affects 3 people
Affects: NUnit V2
Status: Fix Released
Importance: High
Assigned to: Simone Busoli

Bug Description

From the mailing list, reported by Andy Sipe:

We recently upgraded to 2.6.2 from 2.6.1 and now a few of our top level integration tests are experiencing remoting security exceptions.

In particular we are having this exception thrown when attempting a request:

System.Runtime.Serialization.SerializationException : Because of security restrictions, the type System.Runtime.Remoting.ObjRef cannot be accessed.

2.6.1 no problem, 2.6.2 this exception -- no other changes in the source.

Note that this is occurring in our tests not in the nunit framework directly.

I've included a full stack trace at the end of this message. I'm not sure it's going to help a whole lot as it occurs in our test code not in the nunit code. Note that in every case the exception is raised when the response is deserialized and that the actual request works as expected (server gets hit and executes). To me it looks like there is some new security restriction being applied at a somewhat high level that is overriding the defaults.

I was able to work around the issue by setting the type filter and some other security settings in the code that configures the security surrounding remoting. Fortunately we handle all of this outside of configuration files or I'm unsure it would have worked as changing configuration files seemed to have no impact. Once I set the type filter to full everything worked as expected again.

For our purposes this will likely work as we don't use remoting extensively. That said there is likely some change in 2.6.2 that may cause others problems as well.

Thanks -andy

at System.Runtime.Serialization.FormatterServices.GetSafeUninitializedObject(Type type)
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.ParseObject(ParseRecord pr)
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Parse(ParseRecord pr)
at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryHeaderEnum binaryHeaderEnum)
at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run()
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
at System.Runtime.Remoting.Channels.CoreChannel.DeserializeBinaryRequestMessage(String objectUri, Stream inputStream, Boolean bStrictBinding, TypeFilterLevel securityLevel)
at System.Runtime.Remoting.Channels.BinaryServerFormatterSink.ProcessMessage(IServerChannelSinkStack sinkStack, IMessage requestMsg, ITransportHeaders requestHeaders, Stream requestStream, IMessage& responseMsg, ITransportHeaders& responseHeaders, Stream& responseStream)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
... snip application level frames ....
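
The code-level workaround described in the report, sketched as an added example (not the reporter's code and not part of NUnit): a .NET Remoting TCP channel registered programmatically with an explicit `TypeFilterLevel` on the binary server formatter sink. The class, method and channel names are hypothetical, and the loopback restriction assumes the remoting peer runs on the same host as the tests.

```csharp
using System.Collections;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Hypothetical helper; names are illustrative, not from the report or NUnit.
public static class RemotingTestChannel
{
    public static TcpChannel Register(bool allowObjRef)
    {
        // Low is the framework default: the binary formatter sink refuses
        // to deserialize ObjRef (by-reference objects, callbacks), which is
        // the SerializationException quoted in the report.
        var serverSink = new BinaryServerFormatterSinkProvider();
        serverSink.TypeFilterLevel = allowObjRef
            ? TypeFilterLevel.Full   // the workaround from the report
            : TypeFilterLevel.Low;   // framework default

        var clientSink = new BinaryClientFormatterSinkProvider();

        IDictionary props = new Hashtable();
        props["name"] = "integration-test-channel"; // constructed name
        props["port"] = 0;                          // let the OS pick a free port

        // Full widens what the formatter will deserialize, so keep the
        // listener on loopback (assumption: the peer is on the same host).
        props["rejectRemoteRequests"] = "true";

        var channel = new TcpChannel(props, clientSink, serverSink);

        // Second argument is ensureSecurity; false leaves channel-level
        // security optional, as in a plain remoting setup.
        ChannelServices.RegisterChannel(channel, false);
        return channel;
    }
}
```

Calling `ChannelServices.UnregisterChannel` on the returned channel in test teardown keeps the `Full` setting scoped to the tests that need it.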

Changed in nunitv2:
status: New → Confirmed
assignee: nobody → Simone Busoli (simone.busoli)
Charlie Poole (charlie.poole) wrote :

I believe this is actually fixed as a result of another change we just made. Please verify using the preview build I released.

affects: nunitv2 → nunit-3.0
affects: nunit-3.0 → nunitv2
Changed in nunitv2:
importance: Undecided → High
status: Confirmed → Fix Committed
Changed in nunitv2:
milestone: none → 2.6.3
Changed in nunitv2:
status: Fix Committed → Fix Released
Bill Harris (bill-harris-u) wrote :

Hi,

I'm also experiencing this issue. It seems as though it affects accessing any object byRef over the remoting channel. Unfortunately, we don't own the server side of our .NET Remoting and I'm not sure how our vendor is going to feel about applying the config based fix on their end.

I upgraded to NUnit 2.6.3 and still experience the issue.

System.Runtime.Serialization.SerializationException - Details Follow:

System.Runtime.Serialization.SerializationException: Because of security restrictions, the type System.Runtime.Remoting.ObjRef cannot be accessed. ---> System.Security.SecurityException: Request failed.
   at System.Runtime.Serialization.FormatterServices.nativeGetSafeUninitializedObject(RuntimeType type)
   at System.Runtime.Serialization.FormatterServices.GetSafeUninitializedObject(Type type)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Security.Permissions.SecurityPermission
The first permission that failed was:
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Infrastructure"/>

The demand was for:
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Infrastructure"/>
</PermissionSet>

The only permitted permissions were:
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="SerializationFormatter"/>
</PermissionSet>

The method that caused the failure was:
System.Runtime.Remoting.Channels.ServerProcessing ProcessMessage(System.Runtime.Remoting.Channels.IServerChannelSinkStack, System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Channels.ITransportHeaders, System.IO.Stream, System.Runtime.Remoting.Messaging.IMessage ByRef, System.Runtime.Remoting.Channels.ITransportHeaders ByRef, System.IO.Stream ByRef)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.Runtime.Serialization.FormatterServices.GetSafeUninitializedObject(Type type)
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.ParseObject(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Parse(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryHeaderEnum binaryHeaderEnum)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run()
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
   at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, ...


Bill Harris (bill-harris-u) wrote :

For clarity, this occurs when I run tests in Visual Studio 2010 via TestDriven.NET using nunit.framework.dll 2.6.1, 2.6.2, or 2.6.3

The exception also occurs when I use your standalone test runner (nunit-x86.exe) with version 2.6.2 or 2.6.3, but does not occur with your standalone test runner with version 2.6.1.
