CA2310: Do not use insecure deserializer NetDataContractSerializer

TypeName DoNotUseInsecureDeserializerNetDataContractSerializer
CheckId CA2310
Category Microsoft.Security
Breaking change Non-breaking

Cause

A System.Runtime.Serialization.NetDataContractSerializer deserialization method was called or referenced.

Rule description

Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.

This rule finds System.Runtime.Serialization.NetDataContractSerializer deserialization method calls or references. If you want to deserialize only when the Binder property is set to restrict types, disable this rule and enable rules CA2311 and CA2312 instead.

How to fix violations

  • If possible, use a secure serializer instead, and don't allow an attacker to specify an arbitrary type to deserialize. Safer choices include System.Runtime.Serialization.DataContractSerializer and System.Xml.Serialization.XmlSerializer.
  • Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
  • Restrict deserialized types. Implement a custom System.Runtime.Serialization.SerializationBinder. Before deserializing, set the Binder property to an instance of your custom SerializationBinder in all code paths. In the overridden BindToType method, if the type is unexpected, return null or throw an exception to stop deserialization.

When to suppress warnings

It's safe to suppress a warning from this rule if:

  • You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
  • You've taken one of the precautions in How to fix violations.

Pseudo-code examples

Violation

C#

using System.IO;
using System.Runtime.Serialization;

public class ExampleClass
{
    public object MyDeserialize(byte[] bytes)
    {
        // Violation: Binder is never set, so the payload controls which types are instantiated.
        NetDataContractSerializer serializer = new NetDataContractSerializer();
        return serializer.Deserialize(new MemoryStream(bytes));
    }
}

Visual Basic

Imports System.IO
Imports System.Runtime.Serialization

Public Class ExampleClass
    Public Function MyDeserialize(bytes As Byte()) As Object
        ' Violation: Binder is never set, so the payload controls which types are instantiated.
        Dim serializer As NetDataContractSerializer = New NetDataContractSerializer()
        Return serializer.Deserialize(New MemoryStream(bytes))
    End Function
End Class
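A hardened counterpart to the violation above, added here and not part of the original page: it assumes .NET Framework (where NetDataContractSerializer is available) and a hypothetical BookRecord data contract, and sets Binder to an allow-list SerializationBinder before Deserialize is reached on any code path.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;

// Hypothetical payload type used for the example.
[DataContract]
public sealed class BookRecord
{
    [DataMember] public string Title { get; set; }
    [DataMember] public int Pages { get; set; }
}

// Binder that resolves only an explicit allow list of types. Any other type
// name carried in the payload aborts deserialization before an object is created.
public sealed class AllowListBinder : SerializationBinder
{
    // Every type that legitimately appears in the stream must be listed here.
    private static readonly Type[] Allowed = { typeof(BookRecord) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        Type match = Array.Find(Allowed, t => t.FullName == typeName);
        if (match != null)
        {
            return match;
        }
        // Throw rather than return null so there is no possibility of a
        // fallback to default type resolution for an unexpected type.
        throw new SerializationException(
            "Type '" + typeName + "' from '" + assemblyName + "' is not permitted.");
    }
}

public static class SafeDeserializer
{
    // Binder is assigned in the object initializer, so no code path reaches
    // Deserialize without it (the condition CA2311 and CA2312 check for).
    public static BookRecord Deserialize(byte[] bytes)
    {
        var serializer = new NetDataContractSerializer { Binder = new AllowListBinder() };
        using (var stream = new MemoryStream(bytes))
        {
            return (BookRecord)serializer.Deserialize(stream);
        }
    }
}
```

Restricting types limits which objects can be instantiated; it does not make the data trustworthy, so combine it with signing when the bytes cross a trust boundary.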

Related rules

  • CA2311: Do not deserialize without first setting NetDataContractSerializer.Binder
  • CA2312: Ensure NetDataContractSerializer.Binder is set before deserializing