csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver

Author
unknown

Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.

Definition

rules:
  - id: data-contract-resolver
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: Only use DataContractResolver if you are completely sure of what
      information is being serialized. Malicious types can cause unexpected
      behavior.
    patterns:
      - pattern: |
          class $MYDCR : DataContractResolver { ... }

Examples

data-contract-resolver.cs

using System;
using System.Runtime.Serialization;
using System.Xml;

namespace DCR
{
    // Any subclass of DataContractResolver is flagged: the resolver decides which
    // CLR type the serializer instantiates for a type name found in the input.
    // ruleid: data-contract-resolver
    class MyDCR : DataContractResolver
    {
        public override Type ResolveName(string typeName, string typeNamespace, Type declaredType, DataContractResolver knownTypeResolver)
        {
            return knownTypeResolver.ResolveName(typeName, typeNamespace, declaredType, null);
        }

        public override bool TryResolveType(Type type, Type declaredType, DataContractResolver knownTypeResolver, out XmlDictionaryString typeName, out XmlDictionaryString typeNamespace)
        {
            return knownTypeResolver.TryResolveType(type, declaredType, null, out typeName, out typeNamespace);
        }
    }
}
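The rule message says a resolver is only acceptable when you are sure what types can be produced, but the test file above does not show what "sure" looks like. The following C# program is an added illustration, not part of the Semgrep rule or its test suite: it puts the resolver shape the rule warns about (one that turns whatever type name the payload carries into a CLR type) next to a hardened one that resolves only an explicit allow-list. The `DCRDemo` namespace, the `Order` and `AdminCommand` contracts, the `AnyTypeResolver` and `AllowListResolver` classes and the `urn:...` XML namespaces are all constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;

namespace DCRDemo
{
    // Constructed contracts: Order is the only type the service means to accept from
    // the wire; AdminCommand stands in for a type callers were never meant to create.
    [DataContract(Namespace = "urn:example:contracts")]
    public class Order { [DataMember] public int Id { get; set; } }
    [DataContract(Namespace = "urn:example:contracts")]
    public class AdminCommand { [DataMember] public string Run { get; set; } }

    // The shape the rule warns about: the type name carried in the payload is handed
    // to the runtime as-is, and the serializer instantiates whatever comes back.
    class AnyTypeResolver : DataContractResolver
    {
        public override Type ResolveName(string typeName, string typeNamespace,
            Type declaredType, DataContractResolver knownTypeResolver)
        {
            // typeName is taken verbatim from the i:type attribute of the input.
            return Type.GetType(typeName)
                ?? knownTypeResolver.ResolveName(typeName, typeNamespace, declaredType, null);
        }

        public override bool TryResolveType(Type type, Type declaredType,
            DataContractResolver knownTypeResolver,
            out XmlDictionaryString typeName, out XmlDictionaryString typeNamespace)
        {
            var dict = new XmlDictionary();
            typeName = dict.Add(type.FullName);
            typeNamespace = dict.Add("urn:clr");
            return true;
        }
    }

    // Hardened shape: an explicit allow-list keyed by namespace and name. Anything
    // else falls through to the serializer's known types; if those do not match
    // either, ResolveName returns null and deserialization fails closed.
    class AllowListResolver : DataContractResolver
    {
        private const string Ns = "urn:example:contracts";
        private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type> { ["Order"] = typeof(Order) };

        public override Type ResolveName(string typeName, string typeNamespace,
            Type declaredType, DataContractResolver knownTypeResolver)
        {
            if (typeNamespace == Ns && Allowed.TryGetValue(typeName, out var allowed))
                return allowed;
            return knownTypeResolver.ResolveName(typeName, typeNamespace, declaredType, null);
        }

        public override bool TryResolveType(Type type, Type declaredType,
            DataContractResolver knownTypeResolver,
            out XmlDictionaryString typeName, out XmlDictionaryString typeNamespace)
        {
            foreach (var entry in Allowed)
            {
                if (entry.Value != type) continue;
                var dict = new XmlDictionary();
                typeName = dict.Add(entry.Key);
                typeNamespace = dict.Add(Ns);
                return true;
            }
            return knownTypeResolver.TryResolveType(type, declaredType, null, out typeName, out typeNamespace);
        }
    }

    static class Program
    {
        // A root type of object forces an i:type attribute, which is what a resolver acts on.
        static DataContractSerializer Make(DataContractResolver resolver) =>
            new DataContractSerializer(typeof(object),
                new DataContractSerializerSettings { DataContractResolver = resolver });

        static string Serialize(DataContractSerializer s, object o)
        {
            var sw = new StringWriter();
            using (var w = XmlWriter.Create(sw)) s.WriteObject(w, o);
            return sw.ToString();
        }

        static object Deserialize(DataContractSerializer s, string xml) =>
            s.ReadObject(XmlReader.Create(new StringReader(xml)));

        static void Main()
        {
            // Attacker-style payload: an i:type naming a type the service never offered.
            string payload = Serialize(Make(new AnyTypeResolver()), new AdminCommand { Run = "x" });
            Console.WriteLine(payload);
            Console.WriteLine("AnyTypeResolver produced: " +
                Deserialize(Make(new AnyTypeResolver()), payload).GetType().Name);
            try { Deserialize(Make(new AllowListResolver()), payload); }
            catch (SerializationException e) { Console.WriteLine("AllowListResolver rejected: " + e.Message); }
        }
    }
}
```

Build it as a console program on .NET 6 or later (or .NET Framework 4.5 or later); it needs only System.Runtime.Serialization and System.Xml. Under AnyTypeResolver the payload comes back as an AdminCommand, because Type.GetType honoured the name in the i:type attribute. Under AllowListResolver the name is not in the list and the fallback known-type resolver returns null, so DataContractSerializer throws a SerializationException before constructing anything. Note that the rule fires on both classes: with confidence LOW and subcategory audit it only tells the reviewer that a resolver exists, and the reviewer has to read what ResolveName does with the incoming name.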