# CA2305: Do not use insecure deserializer LosFormatter
| Property | Value |
|----------|-------|
| Rule ID | CA2305 |
| Title | Do not use insecure deserializer LosFormatter |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
## Cause
A System.Web.UI.LosFormatter deserialization method was called or referenced.
## Rule description
Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.
This rule finds `System.Web.UI.LosFormatter` deserialization method calls or references.

`LosFormatter` is insecure and can't be made secure. For more information, see the BinaryFormatter security guide.
## How to fix violations
- Use a secure serializer instead, and don't allow an attacker to specify an arbitrary type to deserialize. For more information see Preferred alternatives.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
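The following C# example, added here and not part of the rule page, shows both fixes together: the payload is produced by `System.Text.Json` into a fixed DTO type (the input never chooses the type), and it is wrapped in an envelope carrying a key id and an HMAC-SHA256 tag that is verified in constant time before any deserialization happens. The key id lets a new key be introduced while tokens signed under the previous key are still accepted, which is the key-rotation design the fix description asks for. The names `SessionState`, `SignedEnvelope`, `Seal`, `Open` and the envelope layout are assumptions for illustration; keys would normally come from a secret store rather than being generated in `Main`.

```csharp
// Added example, not code from the CA2305 rule page. Hypothetical types:
// SessionState (fixed DTO), SignedEnvelope (HMAC-protected wrapper).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;

public sealed class SessionState
{
    public string UserId { get; set; } = "";
    public int Page { get; set; }
}

public static class SignedEnvelope
{
    // Envelope layout: [1 byte keyId][32 byte HMAC-SHA256 tag][UTF-8 JSON payload]
    private const int TagLength = 32;

    // Serialize to a known type and sign key id + payload.
    public static byte[] Seal(SessionState state, byte keyId, byte[] key)
    {
        byte[] payload = JsonSerializer.SerializeToUtf8Bytes(state);
        byte[] envelope = new byte[1 + TagLength + payload.Length];
        envelope[0] = keyId;
        payload.CopyTo(envelope, 1 + TagLength);
        // The MAC covers the key id as well, so it cannot be swapped to point at another key.
        byte[] tag = ComputeTag(key, keyId, payload);
        tag.CopyTo(envelope, 1);
        return envelope;
    }

    // Returns null for any envelope that is malformed, signed with an unknown
    // or retired key, or whose tag does not verify. Deserialization only runs
    // after the tag check passes, and only into the fixed SessionState type.
    public static SessionState? Open(byte[] envelope, IReadOnlyDictionary<byte, byte[]> keys)
    {
        if (envelope.Length < 1 + TagLength) return null;
        byte keyId = envelope[0];
        if (!keys.TryGetValue(keyId, out byte[]? key)) return null;

        ReadOnlySpan<byte> tag = new ReadOnlySpan<byte>(envelope, 1, TagLength);
        ReadOnlySpan<byte> payload = new ReadOnlySpan<byte>(envelope, 1 + TagLength,
                                                            envelope.Length - 1 - TagLength);
        byte[] expected = ComputeTag(key, keyId, payload);
        // Constant-time comparison so a wrong tag is rejected without leaking how wrong it was.
        if (!CryptographicOperations.FixedTimeEquals(tag, expected)) return null;

        return JsonSerializer.Deserialize<SessionState>(payload);
    }

    private static byte[] ComputeTag(byte[] key, byte keyId, ReadOnlySpan<byte> payload)
    {
        byte[] buffer = new byte[1 + payload.Length];
        buffer[0] = keyId;
        payload.CopyTo(buffer.AsSpan(1));
        using var hmac = new HMACSHA256(key);
        return hmac.ComputeHash(buffer);
    }

    public static void Main()
    {
        // Constructed demo key; in a real service the key is loaded from a secret store.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        var keys = new Dictionary<byte, byte[]> { [1] = key };

        byte[] token = Seal(new SessionState { UserId = "alice", Page = 3 }, 1, key);
        Console.WriteLine(Open(token, keys)?.UserId);      // alice

        token[^1] ^= 0x01;                                  // tamper with one payload byte
        Console.WriteLine(Open(token, keys) is null);       // True: rejected before deserializing
    }
}
```

Rotating keys means adding the new key under a fresh id, issuing new envelopes with it, and removing the old id from the dictionary once no envelopes signed under it remain valid; because the tag binds the key id, an attacker cannot point an old envelope at the new key.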
## When to suppress warnings

`LosFormatter` is insecure and can't be made secure.

## Pseudo-code examples

### Violation
```csharp
using System.IO;
using System.Web.UI;

public class ExampleClass
{
    public object MyDeserialize(byte[] bytes)
    {
        // Violation: LosFormatter deserializes attacker-controlled bytes.
        LosFormatter formatter = new LosFormatter();
        return formatter.Deserialize(new MemoryStream(bytes));
    }
}
```
```vb
Imports System.IO
Imports System.Web.UI

Public Class ExampleClass
    Public Function MyDeserialize(bytes As Byte()) As Object
        ' Violation: LosFormatter deserializes attacker-controlled bytes.
        Dim formatter As LosFormatter = New LosFormatter()
        Return formatter.Deserialize(New MemoryStream(bytes))
    End Function
End Class
```