csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.

Run Locally

Run in CI

Defintion

rules:
  - id: data-contract-resolver
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: Only use DataContractResolver if you are completely sure of what
      information is being serialized. Malicious types can cause unexpected
      behavior.
    patterns:
      - pattern: |
          class $MYDCR : DataContractResolver { ... }

Examples

data-contract-resolver.cs

namespace DCR
{
    // ruleid: data-contract-resolver
    class MyDCR : DataContractResolver
    {
        public void ResolveDataContract()
        {
            
        }
    }
}