CA5360: Do not call dangerous methods in deserialization
| Property | Value |
|---|---|
| Rule ID | CA5360 |
| Title | Do not call dangerous methods in deserialization |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
Calling one of the following dangerous methods in deserialization:
- System.IO.Directory.Delete
- System.IO.DirectoryInfo.Delete
- System.IO.File.AppendAllLines
- System.IO.File.AppendAllText
- System.IO.File.AppendText
- System.IO.File.Copy
- System.IO.File.Delete
- System.IO.File.WriteAllBytes
- System.IO.File.WriteAllLines
- System.IO.File.WriteAllText
- System.IO.FileInfo.Delete
- System.IO.Log.LogStore.Delete
- System.Reflection.Assembly.GetLoadedModules
- System.Reflection.Assembly.Load
- System.Reflection.Assembly.LoadFrom
- System.Reflection.Assembly.LoadFile
- System.Reflection.Assembly.LoadModule
- System.Reflection.Assembly.LoadWithPartialName
- System.Reflection.Assembly.ReflectionOnlyLoad
- System.Reflection.Assembly.ReflectionOnlyLoadFrom
- System.Reflection.Assembly.UnsafeLoadFrom
All methods meets one of the following requirements could be the callback of deserialization:
- Marked with System.Runtime.Serialization.OnDeserializingAttribute.
- Marked with System.Runtime.Serialization.OnDeserializedAttribute.
- Implementing System.Runtime.Serialization.IDeserializationCallback.OnDeserialization.
- Implementing System.IDisposable.Dispose.
- Is a destructor.
Rule description
Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It's frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution.
How to fix violations
Remove these dangerous methods from automatically run deserialization callbacks. Call dangerous methods only after validating the input.
When to suppress warnings
It's safe to suppress this rule if:
- You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
- The serialized data is tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- The data is validated as safe to the application.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5360
// The code that's violating the rule is on this line.
#pragma warning restore CA5360
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5360.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
using System;
using System.IO;
using System.Runtime.Serialization;
[Serializable()]
public class ExampleClass : IDeserializationCallback
{
private string member;
void IDeserializationCallback.OnDeserialization(Object sender)
{
var sourceFileName = "malicious file";
var destFileName = "sensitive file";
File.Copy(sourceFileName, destFileName);
}
}
Solution
using System;
using System.IO;
using System.Runtime.Serialization;
[Serializable()]
public class ExampleClass : IDeserializationCallback
{
private string member;
void IDeserializationCallback.OnDeserialization(Object sender)
{
var sourceFileName = "malicious file";
var destFileName = "sensitive file";
// Remove the potential dangerous operation.
// File.Copy(sourceFileName, destFileName);
}
}
