The DataSet.ReadXml method was called or referenced, and is within autogenerated code.
This rule classifies autogenerated code b:
ReadXmlSerializable.ReadXmlSerializable method has a System.Diagnostics.DebuggerNonUserCodeAttribute.ReadXmlSerializable method is within a type that has a System.ComponentModel.DesignerCategoryAttribute.CA2351 is a similar rule, for when DataSet.ReadXml appears within non-autogenerated code.
Rule descriptionWhen deserializing a DataSet with untrusted input, an attacker can craft malicious input to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.
This rule is like CA2351, but for autogenerated code for an in-memory representation of data within a GUI application. Usually, these autogenerated classes aren't deserialized from untrusted input. Your application's usage may vary.
For more information, see DataSet and DataTable security guidance.
How to fix violationsIt's safe to suppress a warning from this rule if:
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA2361
// The code that's violating the rule is on this line.
#pragma warning restore CA2361
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA2361.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples Violationnamespace ExampleNamespace
{
/// <summary>
///Represents a strongly typed in-memory cache of data.
///</summary>
[global::System.Serializable()]
[global::System.ComponentModel.DesignerCategoryAttribute("code")]
[global::System.ComponentModel.ToolboxItem(true)]
[global::System.Xml.Serialization.XmlSchemaProviderAttribute("GetTypedDataSetSchema")]
[global::System.Xml.Serialization.XmlRootAttribute("Package")]
[global::System.ComponentModel.Design.HelpKeywordAttribute("vs.data.DataSet")]
public partial class Something : global::System.Data.DataSet {
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Data.Design.TypedDataSetGenerator", "4.0.0.0")]
protected override void ReadXmlSerializable(global::System.Xml.XmlReader reader) {
if ((this.DetermineSchemaSerializationMode(reader) == global::System.Data.SchemaSerializationMode.IncludeSchema)) {
this.Reset();
global::System.Data.DataSet ds = new global::System.Data.DataSet();
ds.ReadXml(reader);
if ((ds.Tables["Something"] != null)) {
base.Tables.Add(new SomethingTable(ds.Tables["Something"]));
}
this.DataSetName = ds.DataSetName;
this.Prefix = ds.Prefix;
this.Namespace = ds.Namespace;
this.Locale = ds.Locale;
this.CaseSensitive = ds.CaseSensitive;
this.EnforceConstraints = ds.EnforceConstraints;
this.Merge(ds, false, global::System.Data.MissingSchemaAction.Add);
this.InitVars();
}
else {
this.ReadXml(reader);
this.InitVars();
}
}
}
}
CA2350: Ensure DataTable.ReadXml()'s input is trusted
CA2351: Ensure DataSet.ReadXml()'s input is trusted
CA2353: Unsafe DataSet or DataTable in serializable type
CA2355: Unsafe DataSet or DataTable in deserialized object graph
CA2356: Unsafe DataSet or DataTable in web deserialized object graph
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4