Do not deserialize without first setting NetDataContractSerializer.Binder
Do not deserialize without first setting NetDataContractSerializer.Binder
Microsoft docsDescription
This rule finds System.Runtime.Serialization.NetDataContractSerializer deserialization method calls or references, when System.Runtime.Serialization.NetDataContractSerializer doesn't have its System.Runtime.Serialization.NetDataContractSerializer.Binder set. If you want to disallow any deserialization with System.Runtime.Serialization.NetDataContractSerializer regardless of the System.Runtime.Serialization.NetDataContractSerializer.Binder property, disable this rule and CA2312, and enable rule CA2310.
Cause
A System.Runtime.Serialization.NetDataContractSerializer deserialization method was called or referenced without the System.Runtime.Serialization.NetDataContractSerializer.Binder property set.
By default, this rule analyzes the entire codebase, but this is configurable. Restricting types with a SerializationBinder can't prevent all attacks. For more information, see the BinaryFormatter security guide.
Example
using System;
using System.IO;
using System.Runtime.Serialization;
[DataContract]
public class BookRecord
{
[DataMember]
public string Title { get; set; }
[DataMember]
public AisleLocation Location { get; set; }
}
[DataContract]
public class AisleLocation
{
[DataMember]
public char Aisle { get; set; }
[DataMember]
public byte Shelf { get; set; }
}
public class ExampleClass
{
public BookRecord DeserializeBookRecord(byte[] bytes)
{
NetDataContractSerializer serializer = new NetDataContractSerializer();
using (MemoryStream ms = new MemoryStream(bytes))
{
return (BookRecord) serializer.Deserialize(ms); // CA2311 violation
}
}
}
using System;
using System.IO;
using System.Runtime.Serialization;
public class BookRecordSerializationBinder : SerializationBinder
{
public override Type BindToType(string assemblyName, string typeName)
{
// One way to discover expected types is through testing deserialization
// of **valid** data and logging the types used.
////Console.WriteLine($"BindToType('{assemblyName}', '{typeName}')");
if (typeName == "BookRecord")
{
return typeof(BookRecord);
}
else if (typeName == "AisleLocation")
{
return typeof(AisleLocation);
}
else
{
throw new ArgumentException("Unexpected type", nameof(typeName));
}
}
}
[DataContract]
public class BookRecord
{
[DataMember]
public string Title { get; set; }
[DataMember]
public AisleLocation Location { get; set; }
}
[DataContract]
public class AisleLocation
{
[DataMember]
public char Aisle { get; set; }
[DataMember]
public byte Shelf { get; set; }
}
public class ExampleClass
{
public BookRecord DeserializeBookRecord(byte[] bytes)
{
NetDataContractSerializer serializer = new NetDataContractSerializer();
serializer.Binder = new BookRecordSerializationBinder();
using (MemoryStream ms = new MemoryStream(bytes))
{
return (BookRecord) serializer.Deserialize(ms);
}
}
}When to suppress
NetDataContractSerializer is insecure and can't be made secure.