RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5362 below:

CA5362: Potential reference cycle in deserialized object graph (code analysis) - .NET

Property Value Rule ID CA5362 Title Potential reference cycle in deserialized object graph Category Security Fix is breaking or non-breaking Non-breaking Enabled by default in .NET 9 No Cause

A class marked with the System.SerializableAttribute has a field or property may refer to the containing object directly or indirectly, allowing for a potential reference cycle.

Rule description

If deserializing untrusted data, then any code processing the deserialized object graph needs to handle reference cycles without going into infinite loops. This includes both code that's part of a deserialization callback and code that processes the object graph after deserialization completed. Otherwise, an attacker could perform a Denial-of-Service attack with malicious data containing a reference cycle.

This rule doesn't necessarily mean there's a vulnerability, but just flags potential reference cycles in deserialized object graphs.

How to fix violations

Don't serialize the class and remove the SerializableAttribute. Or, redesign your application so that the self-referred members can be removed out of the serializable class.

When to suppress warnings

It's safe to suppress a warning from this rule if:

You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
All code processing the deserialized data detects and handles reference cycles without going into an infinite loop or using excessive resources.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5362
// The code that's violating the rule is on this line.
#pragma warning restore CA5362

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5362.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples Potential reference cycle violation

using System;

[Serializable()]
class ExampleClass
{
    public ExampleClass ExampleProperty {get; set;}

    public int NormalProperty {get; set;}
}

class AnotherClass
{
    // The argument passed by could be `JsonConvert.DeserializeObject<ExampleClass>(untrustedData)`.
    public void AnotherMethod(ExampleClass ec)
    {
        while(ec != null)
        {
            Console.WriteLine(ec.ToString());
            ec = ec.ExampleProperty;
        }
    }
}

Solution

using System;

[Serializable()]
class ExampleClass
{
    [NonSerialized]
    public ExampleClass ExampleProperty {get; set;}

    public int NormalProperty {get; set;}
}

class AnotherClass
{
    // The argument passed by could be `JsonConvert.DeserializeObject<ExampleClass>(untrustedData)`.
    public void AnotherMethod(ExampleClass ec)
    {
        while(ec != null)
        {
            Console.WriteLine(ec.ToString());
            ec = ec.ExampleProperty;
        }
    }
}

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4