Type Registration & Security

This page covers type registration mechanisms and security configurations.

Type Registration

In strict mode, only registered types can be deserialized. This prevents arbitrary code execution:

import pyfory

# Strict mode (recommended for production)
f = pyfory.Fory(strict=True)

class SafeClass:
    def __init__(self, data):
        self.data = data

# Must register types in strict mode
f.register(SafeClass, typename="com.example.SafeClass")

# Now serialization works
obj = SafeClass("safe data")
data = f.serialize(obj)
result = f.deserialize(data)

# Unregistered types will raise an exception
class UnsafeClass:
    pass

# This will fail in strict mode
try:
    f.serialize(UnsafeClass())
except Exception as e:
    print("Security protection activated!")

Registration Patterns

Pattern 1: Simple Registration

fory.register(MyClass, type_id=100)

Pattern 2: Cross-Language with Typename

fory.register(MyClass, typename="com.example.MyClass")

Pattern 3: With Custom Serializer

fory.register(MyClass, type_id=100, serializer=MySerializer(fory, MyClass))

Pattern 4: Batch Registration

type_id = 100
for model_class in [User, Order, Product, Invoice]:
    fory.register(model_class, type_id=type_id)
    type_id += 1

Security Modes

Strict Mode (Recommended)

# Always use strict=True in production
fory = pyfory.Fory(strict=True)

# Explicitly register allowed types
fory.register(UserModel, type_id=100)
fory.register(OrderModel, type_id=101)

Non-Strict Mode

⚠️ Security Warning: When strict=False, Fory will deserialize arbitrary types, which can pose security risks if data comes from untrusted sources. Only use strict=False in controlled environments where you trust the data source completely.

# Only in trusted environments
fory = pyfory.Fory(xlang=False, ref=True, strict=False)

If you do need to use strict=False, configure a DeserializationPolicy:

from pyfory import DeserializationPolicy

class SafePolicy(DeserializationPolicy):
    def validate_class(self, cls, is_local, **kwargs):
        # Block dangerous modules
        if cls.__module__ in {'subprocess', 'os', '__builtin__'}:
            raise ValueError(f"Blocked: {cls}")
        return None

fory = pyfory.Fory(xlang=False, strict=False, policy=SafePolicy())

Max Depth Protection

Limit deserialization depth to prevent stack overflow attacks:

fory = pyfory.Fory(
    strict=True,
    max_depth=100  # Adjust based on your data structure depth
)

Best Practices

1. Always use strict=True in production
2. Use type_id for performance, typename for flexibility
3. Register all types upfront before any serialization
4. Set appropriate max_depth based on your data structures
5. Use DeserializationPolicy when strict=False is necessary

Related Topics

• Configuration - Fory parameters
• Security - DeserializationPolicy details
• Custom Serializers - Custom serialization