# CA5367: Do not serialize types with pointer fields

| Property | Value |
|---|---|
| Rule ID | CA5367 |
| Title | Do not serialize types with pointer fields |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
## Cause

Pointers are not type safe, which means you cannot guarantee the correctness of the memory they point at. Serializing types with pointer fields is therefore a security risk, because it may allow an attacker to control the pointer.
## Rule description

This rule checks whether a serializable class has a pointer field or property. Members that are never serialized, such as static members or fields marked with System.NonSerializedAttribute, are allowed to be pointers and do not trigger the rule.
## How to fix violations

Don't use pointer types for members in a serializable class, or don't serialize the members that are pointers.
## When to suppress warnings

Do not suppress warnings from this rule. Don't take the risk of using pointers in serializable types.
## Pseudo-code examples

### Violation

```csharp
using System;

[Serializable()]
unsafe class TestClassA
{
    // Violation: a pointer field in a serializable type is serialized.
    private int* pointer;
}
```
### Solution 1

```csharp
using System;

[Serializable()]
unsafe class TestClassA
{
    // Fixed: the member is a plain value, not a pointer.
    private int i;
}
```
### Solution 2

```csharp
using System;

[Serializable()]
unsafe class TestClassA
{
    // Fixed: static members are not serialized, so the pointer is never written out.
    private static int* pointer;
}
```
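As an added example (not part of this page or of the analyzer's own documentation), the following shows the other route the rule description mentions: marking the pointer field [NonSerialized] so CA5367 does not fire, and then handling the caveat that the field comes back null after deserialization by re-creating the native buffer in an [OnDeserialized] callback from the managed state that was serialized. It assumes a project with AllowUnsafeBlocks enabled and uses DataContractSerializer, which honors the [Serializable], [NonSerialized] and [OnDeserialized] model; the NativeBuffer class and Program are hypothetical.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Serialization;

// Hypothetical: a serializable wrapper around a native buffer. Only the
// managed length is serialized; the pointer is rebuilt after deserialization.
[Serializable]
unsafe class NativeBuffer : IDisposable
{
    private int length;            // serialized: plain managed state

    [NonSerialized]
    private byte* buffer;          // excluded from serialization, so CA5367 does not fire

    public NativeBuffer(int length)
    {
        this.length = length;
        Allocate();
    }

    private void Allocate() => buffer = (byte*)NativeMemory.AllocZeroed((nuint)length);

    // The deserialized instance starts with buffer == null because the field
    // was skipped; re-create the native resource from the serialized length
    // instead of ever trusting a pointer value read from the stream.
    [OnDeserialized]
    private void OnDeserialized(StreamingContext context) => Allocate();

    public int Length => length;
    public bool HasBuffer => buffer != null;

    public void Dispose()
    {
        if (buffer != null) { NativeMemory.Free(buffer); buffer = null; }
    }
}

static class Program
{
    static void Main()
    {
        using var original = new NativeBuffer(64);
        var serializer = new DataContractSerializer(typeof(NativeBuffer));
        using var stream = new MemoryStream();
        serializer.WriteObject(stream, original);   // only <length> is written; no pointer value
        stream.Position = 0;
        using var copy = (NativeBuffer)serializer.ReadObject(stream)!;
        Console.WriteLine($"Length={copy.Length}, HasBuffer={copy.HasBuffer}");
    }
}
```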