CA5360 (Security). Enabled by default: No

Do not call dangerous methods in deserialization


Description

Insecure deserialization is a vulnerability that occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code as the data is deserialized. Malicious users can frequently abuse deserialization features when the application deserializes untrusted data that is under their control; in particular, the deserialization process itself may invoke dangerous methods. Successful insecure deserialization attacks can allow an attacker to carry out DoS attacks, authentication bypasses, and remote code execution.

Cause

Calling one of the following dangerous methods in deserialization:

  • System.IO.Directory.Delete
  • System.IO.DirectoryInfo.Delete
  • System.IO.File.AppendAllLines
  • System.IO.File.AppendAllText
  • System.IO.File.AppendText
  • System.IO.File.Copy
  • System.IO.File.Delete
  • System.IO.File.WriteAllBytes
  • System.IO.File.WriteAllLines
  • System.IO.File.WriteAllText
  • System.IO.FileInfo.Delete
  • System.IO.Log.LogStore.Delete
  • System.Reflection.Assembly.GetLoadedModules
  • System.Reflection.Assembly.Load
  • System.Reflection.Assembly.LoadFrom
  • System.Reflection.Assembly.LoadFile
  • System.Reflection.Assembly.LoadModule
  • System.Reflection.Assembly.LoadWithPartialName
  • System.Reflection.Assembly.ReflectionOnlyLoad
  • System.Reflection.Assembly.ReflectionOnlyLoadFrom
  • System.Reflection.Assembly.UnsafeLoadFrom

Any method that meets one of the following requirements can be a deserialization callback:

  • Marked with System.Runtime.Serialization.OnDeserializingAttribute.
  • Marked with System.Runtime.Serialization.OnDeserializedAttribute.
  • Implementing System.Runtime.Serialization.IDeserializationCallback.OnDeserialization.
  • Implementing System.IDisposable.Dispose.
  • Is a destructor.

How to fix violations

Remove calls to these dangerous methods from deserialization callbacks, which run automatically. Call dangerous methods only after the input has been validated.

Example

Violation:

using System;
using System.IO;
using System.Runtime.Serialization;

[Serializable()]
public class ExampleClass : IDeserializationCallback
{
    private string member;

    // Runs automatically when an instance is deserialized, so the file
    // operation executes before any caller has validated the input.
    void IDeserializationCallback.OnDeserialization(Object sender)
    {
        var sourceFileName = "malicious file";
        var destFileName = "sensitive file";
        File.Copy(sourceFileName, destFileName);
    }
}

Solution:

using System;
using System.IO;
using System.Runtime.Serialization;

[Serializable()]
public class ExampleClass : IDeserializationCallback
{
    private string member;

    void IDeserializationCallback.OnDeserialization(Object sender)
    {
        var sourceFileName = "malicious file";
        var destFileName = "sensitive file";
        // Remove the potentially dangerous operation.
        // File.Copy(sourceFileName, destFileName);
    }
}

When to suppress

It's safe to suppress this rule if:

  • You know the input is trusted. Consider that your application's trust boundary and data flows may change over time.
  • The serialized data is tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
  • The data is validated as safe to the application.
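The tamper-proof option above (sign after serialization, verify before deserialization), combined with a callback that only validates and never performs file or assembly operations, as an added example that is not code from the rule page or the analyzer. ExportJob, SignedPayload and the HMAC-SHA256 tag-then-payload envelope are assumptions; it targets DataContractSerializer on modern .NET.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Security.Cryptography;

[DataContract]
public class ExportJob
{
    [DataMember] public string OutputPath = "";

    // The callback only validates; the write that uses OutputPath happens later,
    // after the caller has accepted the input, so no File.* call runs here.
    [OnDeserialized]
    private void OnDeserialized(StreamingContext ctx)
    {
        if (Path.IsPathRooted(OutputPath) || OutputPath.Contains(".."))
            throw new SerializationException("unexpected output path");
    }
}

// Hypothetical envelope: HMAC-SHA256 tag followed by the payload. The tag is checked
// before the bytes reach the serializer, so tampered data never triggers a callback.
public static class SignedPayload
{
    private const int TagLen = 32;

    public static byte[] Seal(byte[] key, byte[] payload)
    {
        using var mac = new HMACSHA256(key);
        byte[] env = new byte[TagLen + payload.Length];
        mac.ComputeHash(payload).CopyTo(env, 0);
        payload.CopyTo(env, TagLen);
        return env;
    }

    // Returns null on a bad tag; the caller must not deserialize in that case.
    public static byte[]? Open(byte[] key, byte[] envelope)
    {
        if (envelope.Length < TagLen) return null;
        using var mac = new HMACSHA256(key);
        byte[] expected = mac.ComputeHash(envelope, TagLen, envelope.Length - TagLen);
        bool ok = CryptographicOperations.FixedTimeEquals(expected, envelope.AsSpan(0, TagLen));
        return ok ? envelope[TagLen..] : null;
    }
}
```

Seal the bytes written by DataContractSerializer.WriteObject, and pass the result of Open to ReadObject only when it is non-null; the key must be kept out of the serialized data and rotated on a schedule.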