CVE-2023-24936: Check type is allowed when deserializing instance types that implements INullable (#87702)

Co-authored-by: Arthur Vickers <[email protected]>

Author: roji

src/libraries/System.Data.Common/src/System/Data/Common/SqlUDTStorage.cs

@@ -182,6 +182,9 @@ public override object ConvertXmlToObject(XmlReader xmlReader, XmlRootAttribute?
                     }
                 }
                 Type type = (typeName == null) ? _dataType : Type.GetType(typeName)!;
+
+                TypeLimiter.EnsureTypeIsAllowed(type);
+
                 object Obj = System.Activator.CreateInstance(type, true)!;
                 Debug.Assert(xmlReader is DataTextReader, "Invalid DataTextReader is being passed to customer");
                 ((IXmlSerializable)Obj).ReadXml(xmlReader);

src/libraries/System.Data.Common/tests/System/Data/RestrictedTypeHandlingTests.cs

@@ -242,6 +242,59 @@ public void DataTable_HonorsGloballyDefinedAllowList()
             }
         }
 
+        [Fact]
+        public void DataTable_HonorsGloballyDefinedAllowListForSqlTypes()
+        {
+            // Arrange
+
+            DataTable table = new DataTable("MyTable");
+            table.Columns.Add("MyNullableColumn", typeof(MyCustomNullable1));
+            table.Rows.Add(new MyCustomNullable1());
+            table.AcceptChanges();
+
+            var asXml = @$"<NewDataSet>
+  <xs:schema id=""NewDataSet"" xmlns="""" xmlns:xs=""http://www.w3.org/2001/XMLSchema"" xmlns:msdata=""urn:schemas-microsoft-com:xml-msdata"">
+    <xs:element name=""NewDataSet"" msdata:IsDataSet=""true"" msdata:MainDataTable=""MyTable"" msdata:UseCurrentLocale=""true"">
+      <xs:complexType>
+        <xs:choice minOccurs=""0"" maxOccurs=""unbounded"">
+          <xs:element name=""MyTable"">
+            <xs:complexType>
+              <xs:sequence>
+                <xs:element name=""MyNullableColumn"" msdata:DataType=""{typeof(MyCustomNullable1).AssemblyQualifiedName}"" type=""xs:anyType"" minOccurs=""0"" />
+              </xs:sequence>
+            </xs:complexType>
+          </xs:element>
+        </xs:choice>
+      </xs:complexType>
+    </xs:element>
+  </xs:schema>
+  <MyTable>
+    <MyNullableColumn xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:msdata=""urn:schemas-microsoft-com:xml-msdata"" msdata:InstanceType=""{typeof(MyCustomNullable2).AssemblyQualifiedName}"">
+      <IsNull>false</IsNull>
+    </MyNullableColumn>
+  </MyTable>
+</NewDataSet>";
+
+            // Act & assert
+            // Deserialization should fail since MyCustomNullable2 is not on the allow list,
+            // even though MyCustomNullable1 is on the allow list.
+
+            try
+            {
+                AppDomain.CurrentDomain.SetData(AppDomainDataSetDefaultAllowedTypesKey, new Type[]
+                {
+                    typeof(MyCustomNullable1)
+                });
+
+                table = new DataTable();
+                Assert.Throws<InvalidOperationException>(() => table.ReadXml(new StringReader(asXml)));
+            }
+            finally
+            {
+                AppDomain.CurrentDomain.SetData(AppDomainDataSetDefaultAllowedTypesKey, null);
+            }
+        }
+
         [Fact]
         public void DataColumn_ConvertExpression_SubjectToAllowList_Success()
         {
@@ -401,6 +454,20 @@ private sealed class MyCustomClass
         {
         }
 
+        public sealed class MyCustomNullable1 : INullable
+        {
+            public static MyCustomNullable1 Null { get; } = new MyCustomNullable1();
+
+            public bool IsNull => false;
+        }
+
+        public sealed class MyCustomNullable2 : INullable
+        {
+            public static MyCustomNullable2 Null { get; } = new MyCustomNullable2();
+
+            public bool IsNull => false;
+        }
+
         public sealed class MyXmlSerializableClass : IXmlSerializable
         {
             public XmlSchema GetSchema()