Removing or annotating Serializable attribute on winforms classes

[Tanya-Solyanik]

Fixes #889
Fixes #890
Fixes #1251

Proposed changes

Removed SerializableAttribute from types that don't have known binary serialization scenarios and annotated types that are staying serializable.
Lists of types are in #889

Customer Impact

This change reduces security risk associated with binary serialization

Regression?

no

Risk

high - might have to add attributes again if legitimate serialization scenarios exist

Test methodology

Manual verification and additional testing of resx serialization

Microsoft Reviewers: Open in CodeFlow

[RussKie]

Looks good 👍
Few minor comments

[zsd4yr]

Pending more tests, LGTM

[codecov]

Codecov Report

Merging #1425 into master will increase coverage by 0.11197%.
The diff coverage is 70.65217%.

@@                 Coverage Diff                 @@
##              master       #1425         +/-   ##
===================================================
+ Coverage   25.64901%   25.76099%   +0.11198%     
===================================================
  Files            786         786                 
  Lines         268256      268169         -87     
  Branches       37978       37968         -10     
===================================================
+ Hits           68805       69083        +278     
+ Misses        194557      194164        -393     
- Partials        4894        4922         +28

Flag	Coverage Δ
#Debug	25.76099% <70.65217%> (+0.11197%)	⬆️
#production	25.76099% <70.65217%> (+0.11197%)	⬆️
#test	100% <ø> (ø)	⬆️

[zsd4yr]

LGTM but you should investigate this test failure. Looks like something in the debug skew for System.ComponentModel.Design.DesignerHost.AddToContainerPostProcess

[ericstj]

Rather than test by checking for attribute, just ensure you have a test-case that actually serializes every type. Could be useful for a negative case.

[ericstj]

This isn't too bad after further consideration, just make sure you have actual test cases.

[Tanya-Solyanik]

I simplified these tests to focus on blocking addition of serializable types.

[ericstj]

This isn't too bad after further consideration, just make sure you have actual test cases.

[ericstj]

Rather than introducing a constant here, consider reverting the field name to exceptions then using nameof(exceptions) in the constructor / GetObjectData. Also consider adding // Do not rename (binary serialization). It'll be helpful if you express the serialization constraint consistently across the repo so that its easier for code-reviewers to catch the cases where folks may introduce new fields, or rename, and break serialization.

[Tanya-Solyanik]

The change is not as uniform as I had hoped because usually we have custom serialization code and do not serialize private fields, but rather pre-process data that we want to serialize or serialize public properties, Or serialize public property under a different name - for example Tag property is serialized as UserData.
I applied your suggestion only in cases where we are serializing private properties.

[ericstj]

I see. Well one benefit of always having custom implementations of these methods is that its much harder to break compatibility accidentally.

[Tanya-Solyanik]

yes, the compatibility goal is achieved, but the source is not "intuitive" - it's impossible to deduce type members from the serialized data. But this is not the goal of this work item.

[RussKie]

Few little nits.
One question whether it is worth adding tests to check there are serialisable types other than those that we expect.

[RussKie]

Btw happy to have it merged as-is to take it into P8, we can do further tweaks as a follow up.

[Tanya-Solyanik]

Btw happy to have it merged as-is to take it into P8, we can do further tweaks as a follow up.

@RussKie - thanks! I would like to remove this attribute from 3 more types, need to double check that I am not missing some scenarios . And then will send to Olina for testing. Thus I made this [WIP] again

[Tanya-Solyanik]

For all types that have moved from different assemblies than desktop you should add TypeForwardedFrom attribute to the type. I believe this applies to System.Windows.Forms.Design & System.Windows.Forms.Design.Editors. This impacts serialization from core, consumed in desktop.

@ericstj - we don't have any serializable types in S.W.F.Editors. In System.Windows.Forms.Design we have a single serializable type (CodeDomSerializationStore) This type is used in Copy/Paste scenarios in VisualStudio. We are likely to use BinarySerialization on this type in the CoreDesigner as well, but we don't anticipate scenarios where we exchange types between the Core and .Net. Primarily because even if we are able to deserialize property store and type information of a control from one FX on another FX, we will not be able to discover the "destination" framework assembly. This type will be used to copy/paste controls between 2 Core containers only.

[Tanya-Solyanik]

The only issue that concerns me is that currently the tests deserialize .NET Framework blobs on Core but never the other way around, means the tests never run on .NET Framework. Tanya will create a follow-up issue for that.

@ViktorHofer - thank you for the review, here is the issue #1549

[RussKie]

docs - dotnet/docs#14175

[RussKie]

@Tanya-Solyanik reviewing #1237 I spotted that we still have serialisation-related decorations and logic in ResXFileRef:

Should OptionalField attribute and OnDeserializing and OnDeserialized methods be gone?

[Tanya-Solyanik]

yes, thank you, good point!

removed here: #1921