CA2355: Unsafe DataSet or DataTable in deserialized object graph
| Property | Value |
|---|---|
| Rule ID | CA2355 |
| Title | Unsafe DataSet or DataTable in deserialized object graph |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
Deserializing when the casted or specified type's object graph can include a DataSet or DataTable.
This rule uses a different approach to a similar rule, CA2353: Unsafe DataSet or DataTable in serializable type.
The casted or specified type is evaluated when:
- Initializing a DataContractSerializer object
- Initializing a DataContractJsonSerializer object
- Initializing an XmlSerializer object
- Invoking JavaScriptSerializer.Deserialize
- Invoking JavaScriptSerializer.DeserializeObject
- Invoking XmlSerializer.FromTypes
- Invoking Newtonsoft Json.NET JsonSerializer.Deserialize
- Invoking Newtonsoft Json.NET JsonConvert.DeserializeObject
When deserializing untrusted input with BinaryFormatter and the deserialized object graph contains a DataSet or DataTable, an attacker can craft a malicious payload to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.
For more information, see DataSet and DataTable security guidance.
- If possible, use Entity Framework rather than DataSet and DataTable.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
It's safe to suppress a warning from this rule if:
- You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
- You've taken one of the precautions in How to fix violations.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA2355
// The code that's violating the rule is on this line.
#pragma warning restore CA2355
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA2355.severity = none
For more information, see How to suppress code analysis warnings.
using System.Data;
using System.IO;
using System.Runtime.Serialization;
[Serializable]
public class MyClass
{
public MyOtherClass OtherClass { get; set; }
}
[Serializable]
public class MyOtherClass
{
private DataSet myDataSet;
}
public class ExampleClass
{
public MyClass Deserialize(Stream stream)
{
BinaryFormatter bf = new BinaryFormatter();
return (MyClass) bf.Deserialize(stream);
}
}
CA2350: Ensure DataTable.ReadXml()'s input is trusted
CA2351: Ensure DataSet.ReadXml()'s input is trusted
CA2353: Unsafe DataSet or DataTable in serializable type
CA2356: Unsafe DataSet or DataTable in web deserialized object graph
CA2361: Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data
.NET feedback
.NET is an open source project. Select a link to provide feedback: