csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization
semgrep
Author
5,563
Download Count*
License
The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. NetDataContractSerializer is insecure and can't be made secure
Run Locally
Run in CI
Defintion
rules:
- id: insecure-netdatacontract-deserialization
severity: WARNING
languages:
- C#
metadata:
cwe:
- "CWE-502: Deserialization of Untrusted Data"
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
references:
- https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security
category: security
technology:
- .net
confidence: MEDIUM
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- "Insecure Deserialization "
message: The NetDataContractSerializer type is dangerous and is not recommended
for data processing. Applications should stop using
NetDataContractSerializer as soon as possible, even if they believe the
data they're processing to be trustworthy. NetDataContractSerializer is
insecure and can't be made secure
patterns:
- pattern-inside: |
using System.Runtime.Serialization;
...
- pattern: |
new NetDataContractSerializer();
Examples
net-data-contract.cs
using System.Runtime.Serialization;
namespace InsecureDeserialization
{
public class InsecureNetDataContractDeserialization
{
public void NetDataContractDeserialization(string json)
{
try
{
MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(json));
// ruleid: insecure-netdatacontract-deserialization
NetDataContractSerializer netDataContractSerializer = new NetDataContractSerializer();
object obj = netDataContractSerializer.Deserialize(ms);
Console.WriteLine(obj);
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
}
}
Short Link: https://sg.run/L0AX