Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2353 below:

CA2353: Unsafe DataSet or DataTable in serializable type (code analysis) - .NET

A class or struct marked with an XML serialization attribute or a data contract attribute contains a DataSet or DataTable field or property.

XML serialization attributes include:

• XmlAnyAttributeAttribute
• XmlAnyElementAttribute
• XmlArrayAttribute
• XmlArrayItemAttribute
• XmlChoiceIdentifierAttribute
• XmlElementAttribute
• XmlEnumAttribute
• XmlIgnoreAttribute
• XmlIncludeAttribute
• XmlRootAttribute
• XmlTextAttribute
• XmlTypeAttribute

Data contract serialization attributes include:

• DataContractAttribute
• DataMemberAttribute
• IgnoreDataMemberAttribute
• KnownTypeAttribute

When deserializing untrusted input and the deserialized object graph contains a DataSet or DataTable, an attacker can craft a malicious payload to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.

This rule finds types which are insecure when deserialized. If your code doesn't deserialize the types found, then you don't have a deserialization vulnerability.

For more information, see DataSet and DataTable security guidance.

• If possible, use Entity Framework rather than DataSet and DataTable.
• Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

It's safe to suppress a warning from this rule if:

• The type found by this rule is never deserialized, either directly or indirectly.
• You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
• You've taken one of the precautions in How to fix violations.

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA2353
// The code that's violating the rule is on this line.
#pragma warning restore CA2353

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA2353.severity = none

For more information, see How to suppress code analysis warnings.

using System.Data;
using System.Runtime.Serialization;

[XmlRoot]
public class MyClass
{
    public DataSet MyDataSet { get; set; }
}

CA2350: Ensure DataTable.ReadXml()'s input is trusted

CA2351: Ensure DataSet.ReadXml()'s input is trusted

CA2352: Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks

CA2354: Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attack

CA2355: Unsafe DataSet or DataTable in deserialized object graph

CA2356: Unsafe DataSet or DataTable in web deserialized object graph

CA2361: Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data

CA2362: Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4