Commit

v1.6.0
StefH committed Jan 26, 2025
1 parent 867d483 commit ad66a96
Showing 4 changed files with 9 additions and 4 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
# v1.6.0 (26 January 2025)
- [#884](https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/884) - By default the RestrictOrderByToPropertyOrField is now set to true in the ParsingConfig [feature] contributed by [StefH](https://github.com/StefH)
- [#867](https://github.com/zzzprojects/System.Linq.Dynamic.Core/issues/867) - CVE-2024-51417: System.Linq.Dynamic.Core allows remote access to properties on reflection types and static properties/fields [bug]

# v1.6.0-preview-03 (25 January 2025)
- [#876](https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/876) - Update and Fix SecurityTests [test] contributed by [mariusz96](https://github.com/mariusz96)
- [#882](https://github.com/zzzprojects/System.Linq.Dynamic.Core/pull/882) - ExpressionParser: add 2nd ctor with an extra non-optional parameter [feature] contributed by [StefH](https://github.com/StefH)
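Review bot: The #884 entry at the top of the new v1.6.0 block is labelled `[feature]`, but it flips the default of `RestrictOrderByToPropertyOrField` to `true`, which changes behaviour for existing callers that pass expressions to `OrderBy` / `ThenBy`. Readers who scan the changelog for breaking changes will pass over a `[feature]` line. Since this file is generated from labels, consider relabelling the pull request so the entry is marked as breaking, or pointing the entry at the README's v1.6.0 section where the opt-out is described.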
2 changes: 1 addition & 1 deletion Generate-ReleaseNotes.bat
@@ -1,5 +1,5 @@
rem https://github.com/StefH/GitHubReleaseNotes

SET version=v1.6.0-preview-03
SET version=v1.6.0

GitHubReleaseNotes --output CHANGELOG.md --exclude-labels invalid question documentation wontfix environment duplicate --language en --version %version% --token %GH_TOKEN%
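Review bot: The unchanged last line passes `--token %GH_TOKEN%` as a command-line argument, and the visible lines start with `rem` rather than `@echo off`, so the command is echoed with the variable already expanded and the token lands in the console output or any captured log. Since this script is being touched for the release anyway, consider adding `@echo off` as the first line, and if the tool can take the token from the environment, dropping the argument altogether.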
5 changes: 3 additions & 2 deletions README.md
Expand Up @@ -49,16 +49,17 @@ public class MyCustomClass
If it's not possible to add that attribute, you need to implement a custom [CustomTypeProvider](https://dynamic-linq.net/advanced-configuration#customtypeprovider) and set this to the `ParsingConfig` and provide that config to all dynamic calls.
Or provide a list of addtional types in the [DefaultDynamicLinqCustomTypeProvider.cs](https://github.com/zzzprojects/System.Linq.Dynamic.Core/blob/master/src/System.Linq.Dynamic.Core/CustomTypeProviders/DefaultDynamicLinqCustomTypeProvider.cs).

### v1.6.0-preview-01, 02, 03
### v1.6.0
#### Change 1
It's not allowed anymore to call any methods on the `object` type. By default also the `ToString` and `Equals` methods are not allowed.
To allow these methods set `AllowEqualsAndToStringMethodsOnObject` to `true` in the `ParsingConfig` and provide that config to all dynamic calls.
This is done to mitigate the risk of calling methods on the `object` type which could lead to security issues (CVE-2024-51417).
To allow these methods set `AllowEqualsAndToStringMethodsOnObject` to `true` in the `ParsingConfig` and provide that config to all dynamic calls.

#### Change 2
By default the `RestrictOrderByToPropertyOrField` is now set to `true` in the `ParsingConfig`.
Which means that only properties and fields can be used in the `OrderBy` / `ThenBy`.
This is done to mitigate the risk of calling methods or other expressions in the `OrderBy` / `ThenBy` which could lead to security issues.
To allow these methods set `RestrictOrderByToPropertyOrField` to `false` in the `ParsingConfig` and provide that config to all dynamic calls.

---

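Review bot: The two opt-out sentences ("To allow these methods set `AllowEqualsAndToStringMethodsOnObject` to `true`" in Change 1 and "To allow these methods set `RestrictOrderByToPropertyOrField` to `false`" in Change 2) say how to turn the mitigation off but not when that is acceptable. Each follows directly after the sentence explaining the security reason, so a reader in a hurry may copy the setting to restore old behaviour. Suggest stating that the option should only be changed when the expression string does not come from untrusted input. In Change 2, "these methods" also reads as copied from Change 1, because the restriction described there covers methods and other expressions; "To allow other expressions" would match the preceding sentence.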
2 changes: 1 addition & 1 deletion version.xml
@@ -1,5 +1,5 @@
<Project>
<PropertyGroup>
<PatchVersion>0-preview-03</PatchVersion>
<PatchVersion>0</PatchVersion>
</PropertyGroup>
</Project>
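Review bot: `<PatchVersion>0</PatchVersion>` here and `SET version=v1.6.0` in Generate-ReleaseNotes.bat are both edited by hand in this commit, and nothing in the visible lines ties the two together. A release where only one of them is bumped would generate notes under the wrong version heading. Consider having the script read the version from version.xml, or adding a comment in each file that names the other.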
