CA2305 | Category: Security | Enabled by default: No

Do not use insecure deserializer LosFormatter

Microsoft docs

Description

This rule finds System.Web.UI.LosFormatter deserialization method calls or references.

LosFormatter is insecure and can't be made secure. For more information, see the BinaryFormatter security guide.

Cause

A System.Web.UI.LosFormatter deserialization method was called or referenced.

How to fix violations

  • Use a secure serializer instead, and don't allow an attacker to specify an arbitrary type to deserialize. For more information, see Preferred alternatives.
  • Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

Example

using System.IO;
using System.Web.UI;

public class ExampleClass
{
    public object MyDeserialize(byte[] bytes)
    {
        // Violation: LosFormatter deserializes whatever types the input names,
        // so untrusted bytes control what gets instantiated.
        LosFormatter formatter = new LosFormatter();
        return formatter.Deserialize(new MemoryStream(bytes));
    }
}
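The following is an added example, not code from the rule page or from Microsoft, showing the violating MyDeserialize above rewritten with both fixes the rule lists: a fixed target type parsed with System.Text.Json in place of LosFormatter, and an HMAC-SHA256 signature that is checked before the body is parsed at all. The names PageState, SignedEnvelope and SignedStateCodec are invented for the illustration; the keys are generated inline only for the demo, and the code assumes .NET 6 or later for the static HMACSHA256.HashData and RandomNumberGenerator.GetBytes helpers.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;

// The receiver decides the type that comes out; the data never names a type.
public sealed class PageState
{
    public string UserName { get; set; } = "";
    public int PageIndex { get; set; }
}

// Envelope carried on the wire. KeyId lets old keys be retired without
// breaking state that was signed under them.
public sealed class SignedEnvelope
{
    public string KeyId { get; set; } = "";
    public byte[] Body { get; set; } = Array.Empty<byte>();
    public byte[] Signature { get; set; } = Array.Empty<byte>();
}

public sealed class SignedStateCodec
{
    private readonly IReadOnlyDictionary<string, byte[]> _keys; // keyId -> HMAC key
    private readonly string _currentKeyId;

    public SignedStateCodec(IReadOnlyDictionary<string, byte[]> keys, string currentKeyId)
    {
        _keys = keys;
        _currentKeyId = currentKeyId;
    }

    public byte[] Serialize(PageState state)
    {
        byte[] body = JsonSerializer.SerializeToUtf8Bytes(state);
        var envelope = new SignedEnvelope
        {
            KeyId = _currentKeyId,
            Body = body,
            Signature = HMACSHA256.HashData(_keys[_currentKeyId], body),
        };
        return JsonSerializer.SerializeToUtf8Bytes(envelope);
    }

    public PageState Deserialize(byte[] bytes)
    {
        SignedEnvelope? envelope = JsonSerializer.Deserialize<SignedEnvelope>(bytes);
        if (envelope is null || !_keys.TryGetValue(envelope.KeyId, out byte[]? key))
            throw new CryptographicException("Unknown or missing key id.");

        // Verify the MAC in constant time before touching the body.
        byte[] expected = HMACSHA256.HashData(key, envelope.Body);
        if (!CryptographicOperations.FixedTimeEquals(expected, envelope.Signature))
            throw new CryptographicException("State signature is invalid.");

        // Only an authenticated body is parsed, and only into one fixed type.
        return JsonSerializer.Deserialize<PageState>(envelope.Body)
               ?? throw new JsonException("Body did not contain a PageState.");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed keys for this demo; a real application loads them from a
        // secret store and adds a new key id when rotating.
        var keys = new Dictionary<string, byte[]>
        {
            ["k1"] = RandomNumberGenerator.GetBytes(32),
            ["k2"] = RandomNumberGenerator.GetBytes(32),
        };
        var codec = new SignedStateCodec(keys, currentKeyId: "k2");

        byte[] wire = codec.Serialize(new PageState { UserName = "alice", PageIndex = 3 });
        PageState roundTrip = codec.Deserialize(wire);
        Console.WriteLine($"OK: {roundTrip.UserName}, page {roundTrip.PageIndex}");

        // Substitute a well-formed but unsigned body: rejected by the MAC check.
        SignedEnvelope tampered = JsonSerializer.Deserialize<SignedEnvelope>(wire)!;
        tampered.Body = JsonSerializer.SerializeToUtf8Bytes(new PageState { UserName = "admin" });
        try
        {
            codec.Deserialize(JsonSerializer.SerializeToUtf8Bytes(tampered));
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```

The order of checks is the point: key lookup, then signature, then parsing, so a payload that fails verification is never handed to a deserializer. The keyed dictionary is what makes rotation possible; new state is signed under _currentKeyId while state signed under an older key still verifies until that key is removed.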

When to suppress

LosFormatter is insecure and can't be made secure.
