CA2300 | Security | Enabled by default: No

Do not use insecure deserializer BinaryFormatter

Microsoft docs

Description

This rule flags calls to, or references to, the deserialization methods of System.Runtime.Serialization.Formatters.Binary.BinaryFormatter. BinaryFormatter payloads carry the names of the types to instantiate, so an attacker who controls the input also controls which types are constructed during deserialization; this is what the known remote code execution gadget chains rely on. If you want to deserialize only when the System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder property is set to restrict types, disable this rule and enable rules CA2301 and CA2302 instead. Limiting which types can be deserialized can help mitigate known remote code execution attacks, but your deserialization will still be vulnerable to denial of service attacks. Note that BinaryFormatter is marked obsolete (SYSLIB0011) starting with .NET 5 and is disabled by default starting with .NET 8, so the preferred fix is to move to a serializer that does not let the payload choose types.

Cause

A System.Runtime.Serialization.Formatters.Binary.BinaryFormatter deserialization method was called or referenced.

Example

using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

public class ExampleClass
{
    // Violation: untrusted bytes are handed straight to BinaryFormatter with no
    // Binder set, so the payload decides which types get instantiated.
    public object MyDeserialize(byte[] bytes)
    {
        BinaryFormatter formatter = new BinaryFormatter();
        return formatter.Deserialize(new MemoryStream(bytes));
    }
}
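The following is an added example, not code from the rule page or from the Microsoft documentation, showing the two ways to resolve the violation above. The `Order` type, the `SafeDeserialization` class and the `AllowListBinder` are assumed names for illustration. The first method replaces BinaryFormatter with System.Text.Json, which never reads a type name from the payload. The second keeps BinaryFormatter for legacy data but installs the restrictive `Binder` that rules CA2301 and CA2302 look for; it assumes a runtime where BinaryFormatter is still enabled, and as the description says it only addresses the known RCE payloads, not denial of service.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed sample type for the example; not from the original page.
[Serializable]
public sealed class Order
{
    public int Id { get; set; }
    public string Customer { get; set; } = "";
}

public static class SafeDeserialization
{
    // Preferred fix: a serializer whose payload cannot name types.
    // System.Text.Json only ever materialises the type the caller asked for.
    public static Order DeserializeOrderJson(byte[] bytes) =>
        JsonSerializer.Deserialize<Order>(bytes)
            ?? throw new InvalidDataException("Payload did not contain an Order");

    // Legacy fallback: BinaryFormatter with an allow-list Binder (the CA2301/CA2302 pattern).
    private sealed class AllowListBinder : SerializationBinder
    {
        private static readonly Type[] Allowed = { typeof(Order) };

        public override Type? BindToType(string assemblyName, string typeName)
        {
            foreach (Type t in Allowed)
            {
                if (t.FullName == typeName)
                {
                    return t;
                }
            }

            // Throw rather than return null: a null result falls back to the
            // runtime's default type lookup and silently defeats the allow list.
            throw new SerializationException($"Type '{typeName}' is not permitted");
        }
    }

    public static Order DeserializeOrderBinary(byte[] bytes)
    {
        // Assumes a runtime on which BinaryFormatter is still enabled (.NET 7 or
        // earlier, or .NET 8 with EnableUnsafeBinaryFormatterSerialization set).
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using var stream = new MemoryStream(bytes);
        return (Order)formatter.Deserialize(stream);
#pragma warning restore SYSLIB0011
    }
}
```

With the Binder in place, a payload that names any type other than `Order` is rejected before the type is constructed. The allow list does nothing about oversized or deeply nested payloads, so an input size limit on `bytes` is still needed if the data is untrusted.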