Serialize only simple types to session in TempData

Author: ajaybhargavb

src/Microsoft.AspNet.Mvc.Core/Formatters/JsonContractResolver.cs

@@ -1,7 +1,6 @@
 // Copyright (c) Microsoft Open Technologies, Inc. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
 using System.ComponentModel.DataAnnotations;
 using System.Reflection;
 using Newtonsoft.Json;

src/Microsoft.AspNet.Mvc.Core/Properties/Resources.Designer.cs

@@ -451,4 +451,7 @@
   <data name="ModelType_WrongType" xml:space="preserve">
     <value>The model's runtime type '{0}' is not assignable to the type '{1}'.</value>
   </data>
+  <data name="TempData_CannotSerializeToSession" xml:space="preserve">
+    <value>The type {0} cannot be serialized to Session.</value>
+  </data>
 </root>

src/Microsoft.AspNet.Mvc.Core/Resources.resx

@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.IO;
 using Microsoft.AspNet.Http;
+using Microsoft.AspNet.Mvc.Core;
 using Microsoft.Framework.Internal;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Bson;
@@ -16,8 +17,8 @@ namespace Microsoft.AspNet.Mvc
     /// </summary>
     public class SessionStateTempDataProvider : ITempDataProvider
     {
-        private static JsonSerializer jsonSerializer = new JsonSerializer();
-        private static string TempDataSessionStateKey = "__ControllerTempData";
+        private string TempDataSessionStateKey = "__ControllerTempData";
+        private JsonSerializer jsonSerializer = new JsonSerializer();
 
         /// <inheritdoc />
         public virtual IDictionary<string, object> LoadTempData([NotNull] HttpContext context)
@@ -59,6 +60,9 @@ public virtual void SaveTempData([NotNull] HttpContext context, IDictionary<stri
             var hasValues = (values != null && values.Count > 0);
             if (hasValues)
             {
+                // We want to allow only primitive types to be serialized in session.
+                EnsureObjectCanBeSerialized(values);
+
                 // Accessing Session property will throw if the session middleware is not enabled.
                 var session = context.Session;
 
@@ -76,9 +80,39 @@ public virtual void SaveTempData([NotNull] HttpContext context, IDictionary<stri
             }
         }
 
-        private static bool IsSessionEnabled(HttpContext context)
+        private bool IsSessionEnabled(HttpContext context)
         {
             return context.GetFeature<ISessionFeature>() != null;
         }
+
+        private void EnsureObjectCanBeSerialized(IDictionary<string, object> values)
+        {
+            foreach (var item in values.Values)
+            {
+                var itemType = item.GetType();
+                Type[] actualTypes = null;
+
+                if (itemType.IsArray)
+                {
+                    itemType = itemType.GetElementType();
+                }
+                else if (TypeHelper.IsCollectionType(itemType))
+                {
+                    actualTypes = itemType.GetGenericArguments();
+                }
+
+                actualTypes = actualTypes ?? new Type[] { itemType };
+
+                foreach (var actualType in actualTypes)
+                {
+                    var underlyingType = Nullable.GetUnderlyingType(actualType) ?? actualType;
+                    if (!TypeHelper.IsSimpleType(actualType))
+                    {
+                        var message = Resources.FormatTempData_CannotSerializeToSession(underlyingType);
+                        throw new InvalidOperationException(message);
+                    }
+                }
+            }
+        }
     }
 }

src/Microsoft.AspNet.Mvc.Core/SessionStateTempDataProvider.cs

@@ -76,6 +76,44 @@ public void Save_NullSession_NonEmptyDictionary_Throws()
             });
         }
 
+        [Theory]
+        [MemberData(nameof(InvalidTypes))]
+        public void Save_InvalidType_Throws(string key, object value, Type type)
+        {
+            // Arrange
+            var testProvider = new SessionStateTempDataProvider();
+
+            // Act & Assert
+            var exception = Assert.Throws<InvalidOperationException>(() =>
+            {
+                testProvider.SaveTempData(
+                    GetHttpContext(session: null, sessionEnabled: false),
+                    new Dictionary<string, object> { { key, value } }
+                );
+            });
+            Assert.Equal(string.Format("The type {0} cannot be serialized to Session.", type), exception.Message);
+        }
+
+        public static TheoryData<string, object, Type> InvalidTypes
+        {
+            get
+            {
+                return new TheoryData<string, object, Type>
+                {
+                    { "Object", new object(), typeof(object) },
+                    { "ObjectArray", new object[3], typeof(object) },
+                    { "TestItem", new TestItem(), typeof(TestItem) },
+                    { "ListTestItem", new List<TestItem>(), typeof(TestItem) },
+                    { "DictTestItem", new Dictionary<string, TestItem>(), typeof(TestItem) }
+                };
+            }
+        }
+
+        private class TestItem
+        {
+            public int DummyInt { get; set; }
+        }
+
         private HttpContext GetHttpContext(ISessionCollection session, bool sessionEnabled=true)
         {
             var httpContext = new Mock<HttpContext>();