CA5362: Potential reference cycle in deserialized object graph
Property | Value |
---|---|
Rule ID | CA5362 |
Title | Potential reference cycle in deserialized object graph |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Cause
A class marked with the System.SerializableAttribute has a field or property may refer to the containing object directly or indirectly, allowing for a potential reference cycle.
Rule description
If deserializing untrusted data, then any code processing the deserialized object graph needs to handle reference cycles without going into infinite loops. This includes both code that's part of a deserialization callback and code that processes the object graph after deserialization completed. Otherwise, an attacker could perform a Denial-of-Service attack with malicious data containing a reference cycle.
This rule doesn't necessarily mean there's a vulnerability, but just flags potential reference cycles in deserialized object graphs.
How to fix violations
Don't serialize the class and remove the SerializableAttribute. Or, redesign your application so that the self-referred members can be removed out of the serializable class.
When to suppress warnings
It's safe to suppress a warning from this rule if:
- You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
- All code processing the deserialized data detects and handles reference cycles without going into an infinite loop or using excessive resources.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5362
// The code that's violating the rule is on this line.
#pragma warning restore CA5362
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5362.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Potential reference cycle violation
using System;
[Serializable()]
class ExampleClass
{
public ExampleClass ExampleProperty {get; set;}
public int NormalProperty {get; set;}
}
class AnotherClass
{
// The argument passed by could be `JsonConvert.DeserializeObject<ExampleClass>(untrustedData)`.
public void AnotherMethod(ExampleClass ec)
{
while(ec != null)
{
Console.WriteLine(ec.ToString());
ec = ec.ExampleProperty;
}
}
}
Solution
using System;
[Serializable()]
class ExampleClass
{
[NonSerialized]
public ExampleClass ExampleProperty {get; set;}
public int NormalProperty {get; set;}
}
class AnotherClass
{
// The argument passed by could be `JsonConvert.DeserializeObject<ExampleClass>(untrustedData)`.
public void AnotherMethod(ExampleClass ec)
{
while(ec != null)
{
Console.WriteLine(ec.ToString());
ec = ec.ExampleProperty;
}
}
}