CA2310: Do not use insecure deserializer NetDataContractSerializer
| Property | Value |
|---|---|
| Rule ID | CA2310 |
| Title | Do not use insecure deserializer NetDataContractSerializer |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
A System.Runtime.Serialization.NetDataContractSerializer deserialization method was called or referenced.
Rule description
Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.
This rule finds System.Runtime.Serialization.NetDataContractSerializer deserialization method calls or references. If you want to deserialize only when the Binder property is set to restrict types, disable this rule and enable rules CA2311 and CA2312 instead. Limiting which types can be deserialized can help mitigate against known remote code execution attacks, but your deserialization will still be vulnerable to denial of service attacks.
NetDataContractSerializer is insecure and can't be made secure. For more information, see the BinaryFormatter security guide.
How to fix violations
- Use a secure serializer instead, and don't allow an attacker to specify an arbitrary type to deserialize. For more information see the Preferred alternatives.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- This option makes code vulnerable to denial of service attacks and possible remote code execution attacks in the future. For more information, see the BinaryFormatter security guide. Restrict deserialized types. Implement a custom System.Runtime.Serialization.SerializationBinder. Before deserializing, set the
Binderproperty to an instance of your custom SerializationBinder in all code paths. In the overridden BindToType method, if the type is unexpected, throw an exception to stop deserialization.
When to suppress warnings
NetDataContractSerializer is insecure and can't be made secure.
Pseudo-code examples
Violation
using System.IO;
using System.Runtime.Serialization;
public class ExampleClass
{
public object MyDeserialize(byte[] bytes)
{
NetDataContractSerializer serializer = new NetDataContractSerializer();
return serializer.Deserialize(new MemoryStream(bytes));
}
}
Imports System.IO
Imports System.Runtime.Serialization
Public Class ExampleClass
Public Function MyDeserialize(bytes As Byte()) As Object
Dim serializer As NetDataContractSerializer = New NetDataContractSerializer()
Return serializer.Deserialize(New MemoryStream(bytes))
End Function
End Class
Related rules
CA2311: Do not deserialize without first setting NetDataContractSerializer.Binder
CA2312: Ensure NetDataContractSerializer.Binder is set before deserializing
