Sündmused
17. märts, 21 - 21. märts, 10
Liituge sarjaga, et luua muude arendajate ja ekspertidega skaleeritavad tehisintellektilahendused, mis põhinevad reaalajas kasutusjuhtumitel.
Registreeruge koheCA2354: Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attack
| Property | Value |
|---|---|
| Rule ID | CA2354 |
| Title | Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attack |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
Deserializing with an System.Runtime.Serialization.IFormatter serialized, and the casted type's object graph can include a DataSet or DataTable.
This rule uses a different approach to a similar rule, CA2352: Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks.
When deserializing untrusted input with BinaryFormatter and the deserialized object graph contains a DataSet or DataTable, an attacker can craft a malicious payload to perform a remote code execution attack.
For more information, see DataSet and DataTable security guidance.
- If possible, use Entity Framework rather than DataSet and DataTable.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
It's safe to suppress a warning from this rule if:
- You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
- You've taken one of the precautions in How to fix violations.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
C#
#pragma warning disable CA2354
// The code that's violating the rule is on this line.
#pragma warning restore CA2354
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
ini
[*.{cs,vb}]
dotnet_diagnostic.CA2354.severity = none
For more information, see How to suppress code analysis warnings.
C#
using System.Data;
using System.IO;
using System.Runtime.Serialization;
[Serializable]
public class MyClass
{
public MyOtherClass OtherClass { get; set; }
}
[Serializable]
public class MyOtherClass
{
private DataSet myDataSet;
}
public class ExampleClass
{
public MyClass Deserialize(Stream stream)
{
BinaryFormatter bf = new BinaryFormatter();
return (MyClass) bf.Deserialize(stream);
}
}
CA2350: Ensure DataTable.ReadXml()'s input is trusted
CA2351: Ensure DataSet.ReadXml()'s input is trusted
CA2353: Unsafe DataSet or DataTable in serializable type
CA2355: Unsafe DataSet or DataTable in deserialized object graph
CA2356: Unsafe DataSet or DataTable in web deserialized object graph
CA2361: Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data
Tehke meiega GitHubis koostööd
Selle sisu allika leiate GitHubist, kus saate ka probleeme luua ja läbi vaadata ning päringuid teha. Lisateavet leiate meie kaasautorite juhendist.
Toote „.NET“ tagasiside
.NET on avatud lähtekoodiga projekt. Tagasiside andmiseks valige link: