Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks

When deserializing untrusted input with System.Runtime.Serialization.Formatters.Binary.BinaryFormatter and the deserialized object graph contains a System.Data.DataSet or System.Data.DataTable, an attacker can craft a malicious payload to perform a remote code execution attack.

This rule finds types which are insecure when deserialized. If your code doesn't deserialize the types found, then you don't have a deserialization vulnerability.

For more information, see DataSet and DataTable security guidance.

A class or struct marked with System.SerializableAttribute contains a System.Data.DataSet or System.Data.DataTable field or property, and doesn't have a System.ComponentModel.DesignerCategoryAttribute.

CA2362 is a similar rule, for when there is a System.ComponentModel.DesignerCategoryAttribute.

• If possible, use Entity Framework rather than System.Data.DataSet and System.Data.DataTable.
• Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

It's safe to suppress a warning from this rule if:

• The type found by this rule is never deserialized, either directly or indirectly.
• You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
• You've taken one of the precautions in How to fix violations.