A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2305 below:

CA2305: Do not use insecure deserializer LosFormatter (code analysis) - .NET

Property Value Rule ID CA2305 Title Do not use insecure deserializer LosFormatter Category Security Fix is breaking or non-breaking Non-breaking Enabled by default in .NET 9 No Cause

A System.Web.UI.LosFormatter deserialization method was called or referenced.

Rule description

Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.

This rule finds System.Web.UI.LosFormatter deserialization method calls or references.

LosFormatter is insecure and can't be made secure. For more information, see the BinaryFormatter security guide.

How to fix violations When to suppress warnings

LosFormatter is insecure and can't be made secure.

Pseudo-code examples Violation 
using System.IO;
using System.Web.UI;

public class ExampleClass
{
    public object MyDeserialize(byte[] bytes)
    {
        LosFormatter formatter = new LosFormatter();
        return formatter.Deserialize(new MemoryStream(bytes));
    }
}

Imports System.IO
Imports System.Web.UI

Public Class ExampleClass
    Public Function MyDeserialize(bytes As Byte()) As Object
        Dim formatter As LosFormatter = New LosFormatter()
        Return formatter.Deserialize(New MemoryStream(bytes))
    End Function
End Class

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4