Here's are a few converters that can create DataSet/DataTable and DataRow JSON with JSON.NET and turns them into simple value arrays (ie Dataset.Tables.Rows). Note the converters are only for serialization not deserialization:
Maybe somebody else will find this useful as well. The serialization is one way only because I personally don't have any need for two-way and deserialization of these objects is tricky because deserialization requires a type to match properties to values in the parsed JSON and well these ADO structures don't have any type format.
By looking solely at the definition, this seems to be an easy process; in reality it is quite the opposite. Serialization is a low-level technique that violates encapsulation and breaks the opacity of an abstract data type.In many programming languages serialization is natively supported (usually within core libraries) and, as such, no additional code development is required.
The main weakness of JsonIO (json-io) is that it allows to specify the type of the object to be deserialized within the JSON body, using the @type key. If the type is not validated, it is possible to force the application to load an arbitrary class. The concept used for exploitation is the same as the other type of deserialization issues, the only thing needed is to find a POP chain to achieve RCE.
Even if you have limited the types that can be deserialised remember that some types have properties that are risky. System.ComponentModel.DataAnnotations.ValidationException, for example has a property Value of type Object. if this type is the type allowed for deserialization then an attacker can set the Value property to any object type they choose.
Try to keep up-to-date on known .Net insecure deserialization gadgets and pay special attention where such types can be created by your deserialization processes. A deserializer can only instantiate types that it knows about.
BinaryFormatter,NetDataContractSerializer, SoapFormatterserializers should use a binder implementing a whitelist approach to limit types during deserialization (at least one exception should be thrown or anull value returned):
An alternate to methods demonstrated in this tutorial is to query top-level nested collection columns as serialized JSON. You can use the serialization to inspect, convert, and ingest nested data as JSON with Redshift Spectrum. This method is supported for ORC, JSON, Ion, and Parquet formats. Use the session configuration parameter json_serialization_enable to configure the serialization behavior. When set, complex JSON data types are serialized to VARCHAR(65535). The nested JSON can be accessed with JSON functions. For more information, see json_serialization_enable.
As mentioned above, primitive types such as strings and numbers do not need to be serialized; only complex data types like arrays and objects will need serialization when saving them in variables. This applies not only to global and environment variables, but collection and local variables as well.
Pass the expected type (may be hardcoded) to the deserialization library. Some libraries like Json.Net, DataContractJsonSerializer and FSPickler validate expected object graph before deserialization.However the check is not bulletproof if the expected type contains field or property of System.Object type somewhere nested in hierarchy.
Sometimes, it makes sense for you to store your data as a JSON object, that is based on the entity type.For example, when using the property names of the entity class as properties of your object.If you are looking for a way to create an entity from a JSON response, that you got from an OData service, you are probably looking for entity deserialization.
Successful retrieve requests have the type ReadResponse, which contains the HTTP code, the raw body, and the constructor of the entity that was parsed from the response.To work with an instance of the retrieved entity, you can use the as() method, which allows you to transform the raw data into an instance of an entity represented by the given entity API.Note, that the as() method transforms the raw data to an array of entities, even if the original request was a GetByKeyRequestBuilder.
Today we're sharing a small helper which we built some years ago and yet we're still using to handle most serialization/deserialization tasks within any of our ASP.NET active projects. The supported formats are XML and JSON, simply because we never needed anything else other than these two, but it can be easily extended to support anything else.