Rediger

Del via


CA5367: Do not serialize types with pointer fields

Property Value
Rule ID CA5367
Title Do not serialize types with pointer fields
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

Pointers are not type safe, which means you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is a security risk, as it may allow an attacker to control the pointer.

Rule description

This rule checks whether there’s a serializable class with a pointer field or property. Members that can’t be serialized can be a pointer, such as static members or fields marked with System.NonSerializedAttribute.

How to fix violations

Don't use pointer types for members in a serializable class or don't serialize the members that are pointers.

When to suppress warnings

Don't take the risk to use pointers in serializable types.

Pseudo-code examples

Violation

using System;

[Serializable()]
unsafe class TestClassA
{
    private int* pointer;
}

Solution 1

using System;

[Serializable()]
unsafe class TestClassA
{
    private int i;
}

Solution 2

using System;

[Serializable()]
unsafe class TestClassA
{
    private static int* pointer;
}