---
title: "CA2310: Do not use insecure deserializer NetDataContractSerializer (code analysis)"
description: "Learn about code analysis rule CA2310: Do not use insecure deserializer NetDataContractSerializer"
ms.date: 05/01/2019
author: dotpaul
ms.author: paulming
dev_langs:
f1_keywords:
---
# CA2310: Do not use insecure deserializer NetDataContractSerializer

| Property | Value |
|---|---|
| **Rule ID** | CA2310 |
| **Title** | Do not use insecure deserializer NetDataContractSerializer |
| **Category** | Security |
| **Fix is breaking or non-breaking** | Non-breaking |
| **Enabled by default in .NET 8** | No |
## Cause

A <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method was called or referenced.
## Rule description

[!INCLUDEinsecure-deserializers-description]

This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references. If you want to deserialize only when the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is set to restrict types, disable this rule and enable rules CA2311 and CA2312 instead. Limiting which types can be deserialized can help mitigate against known remote code execution attacks, but your deserialization will still be vulnerable to denial of service attacks.

`NetDataContractSerializer` is insecure and can't be made secure. For more information, see the BinaryFormatter security guide.
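The type-restricting `Binder` that the description above refers to (the configuration rules CA2311 and CA2312 check for), as an added example that is not part of this rule page or of the .NET documentation. `AllowListBinder`, `ExampleDto` and `RestrictedDeserialization` are hypothetical names chosen for the illustration; the `Binder` property, `SerializationBinder` and `BindToType` are the real .NET Framework APIs. The binder throws on any type that is not on its allow-list rather than returning `null`, so the serializer never falls back to resolving an attacker-supplied type name.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.Serialization;

// Hypothetical allow-list binder (added example, not from the rule page).
// Only the types listed here may be materialized from the payload.
public sealed class AllowListBinder : SerializationBinder
{
    // Every type the payload may legitimately carry, root and members alike.
    private static readonly HashSet<Type> Allowed = new HashSet<Type>
    {
        typeof(ExampleDto),
        typeof(string)
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        // NetDataContractSerializer passes the full assembly name; compare on the
        // simple name so a version bump of our own assembly does not break binding.
        string simpleAssemblyName = new AssemblyName(assemblyName).Name;

        foreach (Type candidate in Allowed)
        {
            if (candidate.FullName == typeName &&
                candidate.Assembly.GetName().Name == simpleAssemblyName)
            {
                return candidate;
            }
        }

        // Rejecting unknown types blocks the known gadget-chain RCE payloads the rule
        // warns about. It does not protect against denial of service (deeply nested or
        // oversized payloads), which the rule description calls out as still reachable.
        throw new SerializationException("Type not permitted for deserialization: " + typeName);
    }
}

[DataContract]
public sealed class ExampleDto
{
    [DataMember]
    public string Name { get; set; }
}

public static class RestrictedDeserialization
{
    // Setting Binder before calling Deserialize is what CA2311/CA2312 verify.
    public static object Deserialize(byte[] bytes)
    {
        var serializer = new NetDataContractSerializer
        {
            Binder = new AllowListBinder()
        };

        using (var stream = new MemoryStream(bytes))
        {
            return serializer.Deserialize(stream);
        }
    }
}
```

Keep the allow-list as small as the data actually needs and audit it whenever a new member type is added; a single permissive entry (for example `object` or a collection of `object`) re-opens the type-confusion path the binder exists to close.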
## How to fix violations

[!INCLUDEfix-binaryformatter-serializationbinder]
## When to suppress warnings

`NetDataContractSerializer` is insecure and can't be made secure.
## Pseudo-code examples

### Violation

```csharp
using System.IO;
using System.Runtime.Serialization;

public class ExampleClass
{
    public object MyDeserialize(byte[] bytes)
    {
        // Violates CA2310: Deserialize is called on a NetDataContractSerializer
        // without any restriction on the types the payload may name.
        NetDataContractSerializer serializer = new NetDataContractSerializer();
        return serializer.Deserialize(new MemoryStream(bytes));
    }
}
```
```vb
Imports System.IO
Imports System.Runtime.Serialization

Public Class ExampleClass
    Public Function MyDeserialize(bytes As Byte()) As Object
        ' Violates CA2310: Deserialize is called on a NetDataContractSerializer
        ' without any restriction on the types the payload may name.
        Dim serializer As NetDataContractSerializer = New NetDataContractSerializer()
        Return serializer.Deserialize(New MemoryStream(bytes))
    End Function
End Class
```
## Related rules

- CA2311: Do not deserialize without first setting NetDataContractSerializer.Binder
- CA2312: Ensure NetDataContractSerializer.Binder is set before deserializing