[Security P0] Remote Code Execution via TypeNameHandling.Auto deserialization

[csharpfritz]

Summary

Newtonsoft.Json TypeNameHandling.Auto is used in 4 locations across the plugin/configuration system. This is a well-documented Remote Code Execution (RCE) deserialization vulnerability.

Affected Files

File	Lines
src/SharpSite.Web/ApplicationState.cs	130-134, 212-216
src/SharpSite.Web/SharpsiteConfigurationExtensions.cs	13-17, 19-25

Risk

If an attacker can write to the plugins directory, they can achieve full RCE via known Newtonsoft.Json gadget chains.

Recommended Fix

Replace with System.Text.Json polymorphic serialization, or implement a strict ISerializationBinder type whitelist.

Estimated Effort

2-4 hours. Blocks production readiness of the plugin system.

[csharpfritz]

Triage: Security P0

Routed to @river for immediate action. This is a critical RCE vulnerability in ApplicationState.cs via TypeNameHandling.Auto. Blocks production readiness of plugin system.

Priority: 1 (highest)
Effort: 2-4 hours
Fix: Replace Newtonsoft.Json polymorphic deserialization with System.Text.Json or strict ISerializationBinder whitelist.

[csharpfritz]

Fixed in commit f98f520 and prior. Replaced all Newtonsoft.Json TypeNameHandling.Auto with System.Text.Json + ConfigurationSectionJsonConverter. Part of PR #352.