CA2326: Do not use TypeNameHandling values other than None
Property | Value |
---|---|
Rule ID | CA2326 |
Title | Do not use TypeNameHandling values other than None |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Cause
This rule fires when either of the following conditions is met:
- A Newtonsoft.Json.TypeNameHandling enumeration value, other than None, is referenced.
- An integer value representing a non-zero value is assigned to a TypeNameHandling variable.
Rule description
Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.
This rule finds Newtonsoft.Json.TypeNameHandling values other than None. If you want to deserialize only when a Newtonsoft.Json.Serialization.ISerializationBinder is specified to restrict deserialized types, disable this rule and enable rules CA2327, CA2328, CA2329, and CA2330 instead.
How to fix violations
- Use TypeNameHandling's None value, if possible.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom Newtonsoft.Json.Serialization.ISerializationBinder. Before deserializing with Json.NET, ensure your custom ISerializationBinder is specified in the Newtonsoft.Json.JsonSerializerSettings.SerializationBinder property. In the overridden Newtonsoft.Json.Serialization.ISerializationBinder.BindToType method, if the type is unexpected, return null or throw an exception to stop deserialization.
- If you restrict deserialized types, you may want to disable this rule and enable rules CA2327, CA2328, CA2329, and CA2330. Rules CA2327, CA2328, CA2329, and CA2330 help to ensure that you use an ISerializationBinder when using TypeNameHandling values other than None.
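The "restrict deserialized types" fix above, as an added example that is not part of the rule documentation: an allow-list ISerializationBinder wired into JsonSerializerSettings. The Message type, the AllowListSerializationBinder class and the constructed untrusted input are assumptions made for this illustration only.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Allow-list binder: only the registered types may be resolved from a "$type" discriminator.
public sealed class AllowListSerializationBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>();
    public AllowListSerializationBinder(params Type[] allowedTypes)
    {
        foreach (var t in allowedTypes) _allowed[t.FullName] = t;
    }

    // Called by Json.NET for every "$type" it reads; an unknown name stops deserialization.
    public Type BindToType(string assemblyName, string typeName)
    {
        if (_allowed.TryGetValue(typeName, out var type)) return type;
        throw new JsonSerializationException($"Type '{typeName}' is not permitted for deserialization.");
    }

    // Write only the type name; the assembly is not needed to look it up again.
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

// Hypothetical payload type, defined only for this example.
public class Message { public string Text { get; set; } }

public static class Example
{
    // TypeNameHandling.Objects still fires CA2326; the binder is the compensating control
    // that CA2327-CA2330 check for, so those rules fit this configuration better.
    public static JsonSerializerSettings SecureSettings() => new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListSerializationBinder(typeof(Message))
    };

    public static void Main()
    {
        var settings = SecureSettings();
        string json = JsonConvert.SerializeObject(new Message { Text = "hi" }, settings);
        Console.WriteLine(JsonConvert.DeserializeObject<object>(json, settings).GetType().Name);
        // Constructed input naming a type outside the allow list: rejected before any instantiation.
        string untrusted = "{\"$type\":\"Some.Unexpected.Type\",\"Text\":\"x\"}";
        try { JsonConvert.DeserializeObject<object>(untrusted, settings); }
        catch (JsonSerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

Json.NET wraps the binder's exception in its own JsonSerializationException, so the catch clause sees the failure either way; returning null from BindToType instead of throwing also stops deserialization, as the fix list states.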
When to suppress warnings
It's safe to suppress a warning from this rule if:
- You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
- You've taken one of the precautions in How to fix violations.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA2326
// The code that's violating the rule is on this line.
#pragma warning restore CA2326
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA2326.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
using Newtonsoft.Json;

public class ExampleClass
{
    public JsonSerializerSettings Settings { get; }

    public ExampleClass()
    {
        Settings = new JsonSerializerSettings();
        Settings.TypeNameHandling = TypeNameHandling.All; // CA2326 violation.
    }
}
Imports Newtonsoft.Json

Public Class ExampleClass
    Public ReadOnly Property Settings() As JsonSerializerSettings

    Public Sub New()
        Settings = New JsonSerializerSettings()
        Settings.TypeNameHandling = TypeNameHandling.All ' CA2326 violation.
    End Sub
End Class
Solution
using Newtonsoft.Json;

public class ExampleClass
{
    public JsonSerializerSettings Settings { get; }

    public ExampleClass()
    {
        Settings = new JsonSerializerSettings();
        // The default value of Settings.TypeNameHandling is TypeNameHandling.None.
    }
}
Imports Newtonsoft.Json

Public Class ExampleClass
    Public ReadOnly Property Settings() As JsonSerializerSettings

    Public Sub New()
        Settings = New JsonSerializerSettings()
        ' The default value of Settings.TypeNameHandling is TypeNameHandling.None.
    End Sub
End Class
Related rules
CA2327: Do not use insecure JsonSerializerSettings
CA2328: Ensure that JsonSerializerSettings are secure
CA2329: Do not deserialize with JsonSerializer using an insecure configuration
CA2330: Ensure that JsonSerializer has a secure configuration when deserializing