csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization
semgrep
Author
5,563
Download Count*
License
The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure
Run Locally
Run in CI
Defintion
rules:
- id: insecure-binaryformatter-deserialization
severity: WARNING
languages:
- C#
metadata:
cwe:
- "CWE-502: Deserialization of Untrusted Data"
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
references:
- https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
category: security
technology:
- .net
confidence: HIGH
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- "Insecure Deserialization "
message: The BinaryFormatter type is dangerous and is not recommended for data
processing. Applications should stop using BinaryFormatter as soon as
possible, even if they believe the data they're processing to be
trustworthy. BinaryFormatter is insecure and can't be made secure
patterns:
- pattern-inside: |
using System.Runtime.Serialization.Formatters.Binary;
...
- pattern: |
new BinaryFormatter();
Examples
binary-formatter.cs
using System.Runtime.Serialization.Formatters.Binary;
namespace InsecureDeserialization
{
public class InsecureBinaryFormatterDeserialization
{
public void BinaryFormatterDeserialization(string json)
{
try
{
// ruleid: insecure-binaryformatter-deserialization
BinaryFormatter binaryFormatter = new BinaryFormatter();
MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));
binaryFormatter.Deserialize(memoryStream);
memoryStream.Close();
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
}
}
Short Link: https://sg.run/ZeXW