A method with a System.Web.Services.WebMethodAttribute or System.ServiceModel.OperationContractAttribute has a parameter that may reference a DataSet or DataTable.
This rule uses a different approach to a similar rule, CA2355: Unsafe DataSet or DataTable in deserialized object graph and will find different warnings.
Rule descriptionWhen deserializing untrusted input and the deserialized object graph contains a DataSet or DataTable, an attacker can craft a malicious payload to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.
For more information, see DataSet and DataTable security guidance.
How to fix violationsIt's safe to suppress a warning from this rule if:
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA2356
// The code that's violating the rule is on this line.
#pragma warning restore CA2356
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA2356.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples Violationusing System;
using System.Data;
using System.Web.Services;
[WebService(Namespace = "http://contoso.example.com/")]
public class MyService : WebService
{
[WebMethod]
public string MyWebMethod(DataTable dataTable)
{
return null;
}
}
CA2350: Ensure DataTable.ReadXml()'s input is trusted
CA2351: Ensure DataSet.ReadXml()'s input is trusted
CA2353: Unsafe DataSet or DataTable in serializable type
CA2355: Unsafe DataSet or DataTable in deserialized object graph
CA2361: Ensure DataSet.ReadXml()'s input is trusted
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4