Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attack
Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attack
Microsoft docsDescription
When deserializing untrusted input with System.Runtime.Serialization.Formatters.Binary.BinaryFormatter and the deserialized object graph contains a System.Data.DataSet or System.Data.DataTable, an attacker can craft a malicious payload to perform a remote code execution attack.
For more information, see DataSet and DataTable security guidance.
Cause
Deserializing with an System.Runtime.Serialization.IFormatter serialized, and the casted type's object graph can include a System.Data.DataSet or System.Data.DataTable.
This rule uses a different approach to a similar rule, CA2352: Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks.
How to fix violations
- If possible, use Entity Framework rather than System.Data.DataSet and System.Data.DataTable.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
Example
using System.Data;
using System.IO;
using System.Runtime.Serialization;
[Serializable]
public class MyClass
{
public MyOtherClass OtherClass { get; set; }
}
[Serializable]
public class MyOtherClass
{
private DataSet myDataSet;
}
public class ExampleClass
{
public MyClass Deserialize(Stream stream)
{
BinaryFormatter bf = new BinaryFormatter();
return (MyClass) bf.Deserialize(stream);
}
}