CA2356: Unsafe DataSet or DataTable type in web deserialized object graph

Value
Rule ID CA2356
Category Security
Fix is breaking or non-breaking Non-breaking

Cause

A method with a System.Web.Services.WebMethodAttribute or System.ServiceModel.OperationContractAttribute has a parameter that may reference a DataSet or DataTable.

This rule uses a different approach to a similar rule, CA2355: Unsafe DataSet or DataTable in deserialized object graph and will find different warnings.

Rule description

When deserializing untrusted input and the deserialized object graph contains a DataSet or DataTable, an attacker can craft a malicious payload to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.

For more information, see DataSet and DataTable security guidance.

How to fix violations

  • If possible, use Entity Framework rather than DataSet and DataTable.
  • Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

When to suppress warnings

It's safe to suppress a warning from this rule if:

  • You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
  • You've taken one of the precautions in How to fix violations.

Pseudo-code examples

Violation

using System;
using System.Data;
using System.Web.Services;

[WebService(Namespace = "http://contoso.example.com/")]
public class MyService : WebService
{
    [WebMethod]
    public string MyWebMethod(DataTable dataTable)
    {
        return null;
    }
}

CA2350: Ensure DataTable.ReadXml()'s input is trusted

CA2351: Ensure DataSet.ReadXml()'s input is trusted

CA2352: Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks

CA2353: Unsafe DataSet or DataTable in serializable type

CA2354: Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attack

CA2355: Unsafe DataSet or DataTable in deserialized object graph

CA2361: Ensure DataSet.ReadXml()'s input is trusted

CA2362: Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks