CA5367: Do not serialize types with pointer fields
Property | Value |
---|---|
Rule ID | CA5367 |
Title | Do not serialize types with pointer fields |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Cause
Pointers are not type safe, which means you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is a security risk, as it may allow an attacker to control the pointer.
Rule description
This rule checks whether there’s a serializable class with a pointer field or property. Members that can’t be serialized can be a pointer, such as static members or fields marked with System.NonSerializedAttribute.
How to fix violations
Don't use pointer types for members in a serializable class or don't serialize the members that are pointers.
When to suppress warnings
Don't take the risk to use pointers in serializable types.
Pseudo-code examples
Violation
using System;
[Serializable()]
unsafe class TestClassA
{
private int* pointer;
}
Solution 1
using System;
[Serializable()]
unsafe class TestClassA
{
private int i;
}
Solution 2
using System;
[Serializable()]
unsafe class TestClassA
{
private static int* pointer;
}