Addressing BinaryFormatter Obsolescence When Migrating from .NET Core 3.1 to .NET 5.0
Tech
1
When upgrading a project from .NET Core 3.1 to .NET 5.0, a common compilasion warning arises concerning serialization:
warning SYSLIB0011: 'BinaryFormatter.Serialize(Stream, object)' is obsolete: 'BinaryFormatter serialization is obsolete and should not be used. See https://aka.ms/binaryformatter for more information.'
This warning indicates that BinaryFormatter is considered insecure due to risks associated with arbitrary data deserialization and should be replaced.
One alternative is to use DataContractSerializer. The following example provides methods for serializing and deserializing objects:
/// <summary>
/// Serializes an object to a byte array.
/// </summary>
/// <param name="target">The object to serialize.</param>
/// <returns>A byte array, or null if the input is null.</returns>
private static byte[] ConvertToBytes(object target)
{
if (target == null)
{
return null;
}
using (MemoryStream stream = new MemoryStream())
{
DataContractSerializer serializer = new DataContractSerializer(target.GetType());
serializer.WriteObject(stream, target);
return stream.ToArray();
}
}
/// <summary>
/// Deserializes a byte array to an object of the specified type.
/// </summary>
/// <typeparam name="TResult">The target type.</typeparam>
/// <param name="data">The byte array to deserialize.</param>
/// <returns>A deserialized object, or the default value for the type if the input is null.</returns>
private static TResult ConvertFromBytes<TResult>(byte[] data)
{
if (data == null)
{
return default(TResult);
}
using (MemoryStream stream = new MemoryStream(data))
{
XmlDictionaryReader xmlReader = XmlDictionaryReader.CreateTextReader(stream, new XmlDictionaryReaderQuotas());
DataContractSerializer serializer = new DataContractSerializer(typeof(TResult));
return (TResult)serializer.ReadObject(xmlReader, true);
}
}
Classes intended for serialization with DataContractSerializer require specific attributes. The IExtensibleDataObject interface helps maintain forward and backward compatibility.
[Serializable]
[KnownType(typeof(PermissionModel))]
[DataContract(Name = "PermissionData", Namespace = "http://example.com/schema")]
public class PermissionModel : IExtensibleDataObject
{
[DataMember]
public string ModuleIdentifier { get; set; }
[DataMember]
public string ResourcePath { get; set; }
private ExtensionDataObject extensionDataField;
public ExtensionDataObject ExtensionData
{
get { return extensionDataField; }
set { extensionDataField = value; }
}
}
Additionally, when updating Docker configurations, the base image reference must change from the .NET Core 3.1 runtime to the .NET 5.0 runtime:
# Previous .NET Core 3.1 image
# FROM mcr.microsoft.com/dotnet/core/aspnet:3.1
# New .NET 5.0 image
FROM mcr.microsoft.com/dotnet/aspnet:5.0
