CA5367: Do not serialize types with pointer fields
| Property | Value |
|---|---|
| Rule ID | CA5367 |
| Title | Do not serialize types with pointer fields |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
Pointers are not type safe, which means you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is a security risk, as it may allow an attacker to control the pointer.
Rule description
This rule checks whether there’s a serializable class with a pointer field or property. Members that can’t be serialized can be a pointer, such as static members or fields marked with System.NonSerializedAttribute.
How to fix violations
Don't use pointer types for members in a serializable class or don't serialize the members that are pointers.
When to suppress warnings
Don't take the risk to use pointers in serializable types.
Pseudo-code examples
Violation
using System;
[Serializable()]
unsafe class TestClassA
{
private int* pointer;
}
Solution 1
using System;
[Serializable()]
unsafe class TestClassA
{
private int i;
}
Solution 2
using System;
[Serializable()]
unsafe class TestClassA
{
private static int* pointer;
}
Sarađujte sa nama na GitHub-u
Izvor za ovaj sadržaj možete da pronađete u usluzi GitHub, gde možete i da kreirate i pregledate probleme i povučete zahteve. Više informacija potražite u našem vodiču za saradnike.
