csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization

Author: semgrep
Download Count*: 5,563

The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure


Definition

rules:
  - id: insecure-binaryformatter-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
      category: security
      technology:
        - .net
      confidence: HIGH
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: The BinaryFormatter type is dangerous and is not recommended for data
      processing. Applications should stop using BinaryFormatter as soon as
      possible, even if they believe the data they're processing to be
      trustworthy. BinaryFormatter is insecure and can't be made secure
    patterns:
      - pattern-inside: |
          using System.Runtime.Serialization.Formatters.Binary;
          ...
      - pattern: |
          new BinaryFormatter();

Examples

binary-formatter.cs

using System;
using System.IO;
using System.Text;
using System.Runtime.Serialization.Formatters.Binary;

namespace InsecureDeserialization
{
    public class InsecureBinaryFormatterDeserialization
    {
        // Deserializes caller-supplied bytes with BinaryFormatter; the payload
        // itself names the types to instantiate, which is what the rule flags.
        public void BinaryFormatterDeserialization(string json)
        {
            try
            {
                // ruleid: insecure-binaryformatter-deserialization
                BinaryFormatter binaryFormatter = new BinaryFormatter();

                MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));
                binaryFormatter.Deserialize(memoryStream);
                memoryStream.Close();
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}
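An extended test file for this rule, added here and not part of the registry page: it pairs the flagged construct (`// ruleid:`) with the replacement the linked security guide points to, deserializing into a fixed type with System.Text.Json (`// ok:`). The `Order` DTO and the `Quantity` check are constructed for the example. Note that the rule's `pattern-inside` keys on the `using` directive, so usages written with the fully qualified type name should be checked separately.

```csharp
using System;
using System.IO;
using System.Text.Json;
using System.Runtime.Serialization.Formatters.Binary;

namespace InsecureDeserialization
{
    // Constructed DTO: deserialization is bounded to these fields only.
    public class Order
    {
        public int Id { get; set; }
        public string Sku { get; set; } = "";
        public int Quantity { get; set; }
    }

    public class BinaryFormatterReplacement
    {
        // Flagged: BinaryFormatter instantiates whatever types the payload names.
        public object Vulnerable(byte[] payload)
        {
            // ruleid: insecure-binaryformatter-deserialization
            var formatter = new BinaryFormatter();
            using var stream = new MemoryStream(payload);
            return formatter.Deserialize(stream);
        }

        // Not flagged: the target type is fixed at compile time and no type
        // information is read from the input, so a hostile payload can at
        // most fail to parse or produce an Order that the caller validates.
        public Order Hardened(string json)
        {
            // ok: insecure-binaryformatter-deserialization
            var order = JsonSerializer.Deserialize<Order>(json);
            if (order is null || order.Quantity < 0)
                throw new InvalidDataException("rejected order payload");
            return order;
        }
    }
}
```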