CA2310 | Category: Security | Enabled by default: No

Do not use insecure deserializer NetDataContractSerializer

Description

This rule finds System.Runtime.Serialization.NetDataContractSerializer deserialization method calls or references. If you want to deserialize only when the System.Runtime.Serialization.NetDataContractSerializer.Binder property is set to restrict types, disable this rule and enable rules CA2311 and CA2312 instead. Limiting which types can be deserialized can help mitigate known remote code execution attacks, but your deserialization will still be vulnerable to denial of service attacks.

NetDataContractSerializer is insecure and can't be made secure. For more information, see the BinaryFormatter security guide.

Cause

A System.Runtime.Serialization.NetDataContractSerializer deserialization method was called or referenced.

Example

using System.IO;
using System.Runtime.Serialization;

public class ExampleClass
{
    // Violation: NetDataContractSerializer is used without a Binder, so the
    // serialized payload itself decides which types are instantiated.
    public object MyDeserialize(byte[] bytes)
    {
        NetDataContractSerializer serializer = new NetDataContractSerializer();
        return serializer.Deserialize(new MemoryStream(bytes));
    }
}
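
The description above mentions restricting types through the Binder property (the configuration covered by CA2311 and CA2312 rather than this rule). The following added example, which is not part of the Microsoft docs text, shows one way to do that with an allow-list SerializationBinder; the AllowListBinder, OrderMessage and RestrictedDeserializer names are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;

// Hypothetical binder: only types on the allow list may be materialized.
// The payload can no longer name an arbitrary type to instantiate, which is
// the mitigation the rule description refers to. Per that description this
// still leaves denial-of-service risk, so the caller must also bound input size.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(OrderMessage).FullName] = typeof(OrderMessage),
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type type))
            return type;
        // Refuse unknown types outright instead of falling back to default resolution.
        throw new SerializationException($"Type '{typeName}' is not permitted for deserialization.");
    }

    public override void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null; // let the serializer emit its default assembly name
        typeName = serializedType.FullName;
    }
}

[DataContract]
public class OrderMessage // constructed sample payload type
{
    [DataMember] public int Id { get; set; }
}

public static class RestrictedDeserializer
{
    // With the Binder set, CA2310 would be disabled and CA2311/CA2312 enabled
    // so the analyzer flags any call site that forgets to set it.
    public static OrderMessage Deserialize(byte[] bytes)
    {
        var serializer = new NetDataContractSerializer { Binder = new AllowListBinder() };
        using (var stream = new MemoryStream(bytes))
        {
            return (OrderMessage)serializer.Deserialize(stream);
        }
    }
}
```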

When to suppress

NetDataContractSerializer is insecure and can't be made secure.
