Unsafe DataSet or DataTable in deserialized object graph

When deserializing untrusted input with System.Runtime.Serialization.Formatters.Binary.BinaryFormatter and the deserialized object graph contains a System.Data.DataSet or System.Data.DataTable, an attacker can craft a malicious payload to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.

For more information, see DataSet and DataTable security guidance.

Deserializing when the casted or specified type's object graph can include a System.Data.DataSet or System.Data.DataTable.

This rule uses a different approach to a similar rule, CA2353: Unsafe DataSet or DataTable in serializable type.

The casted or specified type is evaluated when:

• Initializing a System.Runtime.Serialization.DataContractSerializer object
• Initializing a System.Runtime.Serialization.Json.DataContractJsonSerializer object
• Initializing an System.Xml.Serialization.XmlSerializer object
• Invoking System.Web.Script.Serialization.JavaScriptSerializer.Deserialize
• Invoking System.Web.Script.Serialization.JavaScriptSerializer.DeserializeObject
• Invoking System.Xml.Serialization.XmlSerializer.FromTypes
• Invoking Newtonsoft Json.NET JsonSerializer.Deserialize
• Invoking Newtonsoft Json.NET JsonConvert.DeserializeObject

• If possible, use Entity Framework rather than System.Data.DataSet and System.Data.DataTable.
• Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.