CA2326: Do not use TypeNameHandling values other than None

Property	Value
Rule ID	CA2326
Title	Do not use TypeNameHandling values other than None
Category	Security
Fix is breaking or non-breaking	Non-breaking
Enabled by default in .NET 9	No

Cause

This rule fires when either of the following conditions are met:

• A Newtonsoft.Json.TypeNameHandling enumeration value, other than None, is referenced.
• An integer value representing a non-zero value is assigned to a TypeNameHandling variable.

Rule description

Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.

This rule finds Newtonsoft.Json.TypeNameHandling values other than None. If you want to deserialize only when a Newtonsoft.Json.Serialization.ISerializationBinder is specified to restrict deserialized types, disable this rule and enable rules CA2327, CA2328, CA2329, and CA2330 instead.

How to fix violations

• Use TypeNameHandling's None value, if possible.
• Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
• Restrict deserialized types. Implement a custom Newtonsoft.Json.Serialization.ISerializationBinder. Before deserializing with Json.NET, ensure your custom ISerializationBinder is specified in the Newtonsoft.Json.JsonSerializerSettings.SerializationBinder property. In the overridden Newtonsoft.Json.Serialization.ISerializationBinder.BindToType method, if the type is unexpected, return null or throw an exception to stop deserialization.
  • If you restrict deserialized types, you may want to disable this rule and enable rules CA2327, CA2328, CA2329, and CA2330. Rules CA2327, CA2328, CA2329, and CA2330 help to ensure that you use an ISerializationBinder when using TypeNameHandling values other than None.

When to suppress warnings

It's safe to suppress a warning from this rule if:

• You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
• You've taken one of the precautions in How to fix violations.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

C#

#pragma warning disable CA2326
// The code that's violating the rule is on this line.
#pragma warning restore CA2326

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

ini

[*.{cs,vb}]
dotnet_diagnostic.CA2326.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

C#

using Newtonsoft.Json;

public class ExampleClass
{
    public JsonSerializerSettings Settings { get; }

    public ExampleClass()
    {
        Settings = new JsonSerializerSettings();
        Settings.TypeNameHandling = TypeNameHandling.All;    // CA2326 violation.
    }
}

Solution

C#

using Newtonsoft.Json;

public class ExampleClass
{
    public JsonSerializerSettings Settings { get; }

    public ExampleClass()
    {
        Settings = new JsonSerializerSettings();

        // The default value of Settings.TypeNameHandling is TypeNameHandling.None.
    }
}

Related rules

CA2327: Do not use insecure JsonSerializerSettings

CA2328: Ensure that JsonSerializerSettings are secure

CA2329: Do not deserialize with JsonSerializer using an insecure configuration

CA2330: Ensure that JsonSerializer has a secure configuration when deserializing