CA5367 (Security). Enabled by default: No

Do not serialize types with pointer fields

Microsoft docs

Description

This rule checks whether a serializable class has a field or property whose type is a pointer. Members that are never serialized, such as static members or fields marked with System.NonSerializedAttribute, may be pointers without triggering the rule.

Cause

Pointers are not type safe: nothing guarantees that the memory a pointer refers to is valid, or even that it belongs to the current object. If a pointer field is part of the serialized state, its value after deserialization is whatever the input stream contained, so an attacker who controls that stream controls the address the program will later read or write. Serializing types with pointer fields is therefore a security risk.

How to fix violations

Don't use pointer types for members of a serializable class, or exclude the pointer members from serialization (for example by marking them with NonSerializedAttribute) and rebuild them from validated data after deserialization.

Example

Violation: the pointer is instance state and is therefore part of what gets serialized.

using System;

[Serializable()]
unsafe class TestClassA
{
    private int* pointer;   // CA5367: pointer field on a serializable type
}

Solution: store a value rather than an address.

using System;

[Serializable()]
unsafe class TestClassA
{
    private int i;          // plain value; nothing is dereferenced
}

Also not flagged: a static pointer is not instance state and is never serialized.

using System;

[Serializable()]
unsafe class TestClassA
{
    private static int* pointer;   // static members are not serialized
}
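The following is an added example, not code from the rule page or from the analyzer, showing the violating shape next to the fix the rule asks for. It assumes a reflection-based serializer that writes every instance field of a [Serializable] type not marked [NonSerialized] and reads each field back verbatim from the input stream; the class names, the OnDeserialized validation and the sample data are all constructed for the example. Compile with AllowUnsafeBlocks enabled.

```csharp
using System;
using System.Runtime.Serialization;

// Violation (CA5367): the pointer is part of the serialized state, so its
// value after deserialization is whatever address the input stream supplied.
[Serializable]
public unsafe class UnsafeSlot
{
    private int* _slot;

    public UnsafeSlot(int* slot) => _slot = slot;

    // Dereferences an address that may have come straight from untrusted input.
    public int Read() => *_slot;
}

// Fix: serialize the data and a bounds-checked index instead of an address.
// No pointer survives in the object graph, so there is nothing for an
// attacker to overwrite; the native pointer exists only inside a fixed block.
[Serializable]
public unsafe class SafeSlot
{
    private int[] _buffer;   // the data the pointer used to refer to
    private int _index;      // position inside _buffer, validated on both paths

    public SafeSlot(int[] buffer, int index)
    {
        _buffer = buffer ?? throw new ArgumentNullException(nameof(buffer));
        _index = Checked(index, buffer.Length);
    }

    // Runs after the serializer has populated the fields: reject any state
    // that would let Read() touch memory outside _buffer.
    [OnDeserialized]
    private void OnDeserialized(StreamingContext context)
    {
        if (_buffer is null)
            throw new SerializationException("buffer missing from stream");
        _index = Checked(_index, _buffer.Length);
    }

    private static int Checked(int index, int length)
    {
        // unsigned compare rejects negative and out-of-range values in one test
        if ((uint)index >= (uint)length)
            throw new ArgumentOutOfRangeException(nameof(index),
                $"index {index} outside buffer of length {length}");
        return index;
    }

    public int Read()
    {
        // The pointer is derived from validated state and is never stored.
        fixed (int* p = _buffer)
        {
            return p[_index];
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        int[] data = { 10, 20, 30 };        // constructed sample data
        var safe = new SafeSlot(data, 2);
        Console.WriteLine(safe.Read());     // 30

        try
        {
            new SafeSlot(data, 5);          // rejected before any dereference
        }
        catch (ArgumentOutOfRangeException e)
        {
            Console.WriteLine(e.Message);
        }
    }
}
```

The point of the fix is that the only state crossing the trust boundary is a managed array and an integer, both of which the OnDeserialized callback can check; a raw address cannot be validated after the fact, because there is no way to tell a legitimate pointer from an attacker-chosen one.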

When to suppress

Do not suppress this rule. A pointer in a serializable type is a risk regardless of where the serialized data comes from, so fix the violation instead.

Group results
Votes: 0 yes, 0 no
Consensus: None (disabled)
Severity preference (yes voters): Suggestion 0, Warning 0, Error 0