CA2356Security Enabled by default: No

Unsafe DataSet or DataTable type in web deserialized object graph

Description

When deserializing untrusted input and the deserialized object graph contains a System.Data.DataSet or System.Data.DataTable, an attacker can craft a malicious payload to perform a denial of service attack. There may be unknown remote code execution vulnerabilities.

For more information, see DataSet and DataTable security guidance.

Cause

A method with a System.Web.Services.WebMethodAttribute or System.ServiceModel.OperationContractAttribute has a parameter that may reference a System.Data.DataSet or System.Data.DataTable.

This rule uses a different approach to a similar rule, CA2355: Unsafe DataSet or DataTable in deserialized object graph and will find different warnings.

How to fix violations

If possible, use Entity Framework rather than System.Data.DataSet and System.Data.DataTable.
Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

Example

using System;
using System.Data;
using System.Web.Services;

[WebService(Namespace = "http://contoso.example.com/")]
public class MyService : WebService
{
    [WebMethod]
    public string MyWebMethod(DataTable dataTable)
    {
        return null;
    }
}

Your vote

Join a group to vote

Group results

0 yes 0 no

ConsensusNone (disabled)

Severity preference (yes voters)

Suggestion0

Warning0

Error0