RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2315 below:

CA2315: Do not use insecure deserializer ObjectStateFormatter (code analysis) - .NET

CA2315: Do not use insecure deserializer ObjectStateFormatter

In this article Property Value Rule ID CA2315 Title Do not use insecure deserializer ObjectStateFormatter Category Security Fix is breaking or non-breaking Non-breaking Enabled by default in .NET 9 No Cause

A System.Web.UI.ObjectStateFormatter deserialization method was called or referenced.

Rule description

Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.

This rule finds System.Web.UI.ObjectStateFormatter deserialization method calls or references.

How to fix violations

If possible, use a secure serializer instead, and don't allow an attacker to specify an arbitrary type to deserialize. Some safer serializers include:
- System.Runtime.Serialization.DataContractSerializer
- System.Runtime.Serialization.Json.DataContractJsonSerializer
- System.Web.Script.Serialization.JavaScriptSerializer - Never use System.Web.Script.Serialization.SimpleTypeResolver. If you must use a type resolver, restrict deserialized types to an expected list.
- System.Xml.Serialization.XmlSerializer
- Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Protocol Buffers
Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

When to suppress warnings

It's safe to suppress a warning from this rule if:

You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
You've taken one of the precautions in How to fix violations.

Pseudo-code examples Violation

using System.IO;
using System.Web.UI;

public class ExampleClass
{
    public object MyDeserialize(byte[] bytes)
    {
        ObjectStateFormatter formatter = new ObjectStateFormatter();
        return formatter.Deserialize(new MemoryStream(bytes));
    }
}

Imports System.IO
Imports System.Web.UI

Public Class ExampleClass
    Public Function MyDeserialize(bytes As Byte()) As Object
        Dim formatter As ObjectStateFormatter = New ObjectStateFormatter()
        Return formatter.Deserialize(New MemoryStream(bytes))
    End Function
End Class

Collaborate with us on GitHub

The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.

Additional resources

In this article

Was this page helpful?

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4