CA5367: Do not serialize types with pointer fields
| Property | Value |
|---|---|
| Rule ID | CA5367 |
| Title | Do not serialize types with pointer fields |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
Pointers are not type safe, which means you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is a security risk, as it may allow an attacker to control the pointer.
Rule description
This rule checks whether there’s a serializable class with a pointer field or property. Members that can’t be serialized can be a pointer, such as static members or fields marked with System.NonSerializedAttribute.
How to fix violations
Don't use pointer types for members in a serializable class or don't serialize the members that are pointers.
When to suppress warnings
Don't take the risk to use pointers in serializable types.
Pseudo-code examples
Violation
using System;
[Serializable()]
unsafe class TestClassA
{
private int* pointer;
}
Solution 1
using System;
[Serializable()]
unsafe class TestClassA
{
private int i;
}
Solution 2
using System;
[Serializable()]
unsafe class TestClassA
{
private static int* pointer;
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for