csharp.lang.security.insecure-deserialization.net-data-contract.insecure-netdatacontract-deserialization

Author: semgrep
Download count: 5,563

The NetDataContractSerializer type is dangerous and is not recommended for data processing. Applications should stop using NetDataContractSerializer as soon as possible, even if they believe the data they're processing to be trustworthy. Unlike DataContractSerializer, it writes the CLR type and assembly names into the serialized document and resolves them again on the way in, so the payload, not the application, decides which types get instantiated during deserialization. NetDataContractSerializer is insecure and can't be made secure.


Definition

rules:
  - id: insecure-netdatacontract-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8#security
      category: security
      technology:
        - .net
      confidence: MEDIUM
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: The NetDataContractSerializer type is dangerous and is not recommended
      for data processing. Applications should stop using
      NetDataContractSerializer as soon as possible, even if they believe the
      data they're processing to be trustworthy. NetDataContractSerializer is
      insecure and can't be made secure.
    patterns:
      - pattern-inside: |
          using System.Runtime.Serialization;
          ...
      - pattern: |
          new NetDataContractSerializer();

Examples

net-data-contract.cs

using System.Runtime.Serialization;
using System;
using System.IO;
using System.Text;

namespace InsecureDeserialization
{
    public class InsecureNetDataContractDeserialization
    {
        // Deliberately vulnerable: the caller-supplied XML goes straight into
        // NetDataContractSerializer, which instantiates whatever type the
        // payload's z:Type / z:Assembly attributes name.
        public void NetDataContractDeserialization(string xml)
        {
            try
            {
                MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(xml));

                // ruleid: insecure-netdatacontract-deserialization
                NetDataContractSerializer netDataContractSerializer = new NetDataContractSerializer();
                object obj = netDataContractSerializer.Deserialize(ms);
                Console.WriteLine(obj);
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}
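The following is an added example, not part of the Semgrep rule or its test file. It shows what the flagged constructor actually produces (the type and assembly names embedded in the XML) next to the replacement a fix would typically use: a DataContractSerializer bound to one expected type, reading through an XmlReader with DTD processing disabled. It targets .NET Framework, where NetDataContractSerializer lives; the Greeting type, the namespace and the two constructed payloads are this example's own assumptions.

```csharp
// Added example (not from the Semgrep rule or its test file).
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Text;
using System.Xml;

namespace DeserializationExample
{
    // Illustrative DTO; name and shape are this example's own assumption.
    [DataContract]
    public class Greeting
    {
        [DataMember]
        public string Text { get; set; }
    }

    public static class Program
    {
        // Default data-contract namespace for CLR namespace DeserializationExample.
        const string Ns = "http://schemas.datacontract.org/2004/07/DeserializationExample";

        // Constructed sample payloads for the bound serializer.
        static readonly string GoodPayload =
            "<Greeting xmlns=\"" + Ns + "\"><Text>hello</Text></Greeting>";
        static readonly string WrongRootPayload =
            "<SomethingElse xmlns=\"" + Ns + "\"><Text>hello</Text></SomethingElse>";

        // Mirrors the flagged pattern: the document itself names the CLR type
        // (z:Type / z:Assembly attributes) and the serializer instantiates it.
        public static object DeserializeUnsafe(string xml)
        {
            var serializer = new NetDataContractSerializer();
            using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
            {
                return serializer.Deserialize(ms);
            }
        }

        // Replacement: DataContractSerializer is bound to one expected type, so
        // the payload cannot select a different class. Add an explicit, closed
        // KnownTypes list only if polymorphism is genuinely required.
        public static Greeting DeserializeSafe(string xml)
        {
            var serializer = new DataContractSerializer(typeof(Greeting));
            var settings = new XmlReaderSettings
            {
                DtdProcessing = DtdProcessing.Prohibit,   // no entity expansion / external entities
                MaxCharactersFromEntities = 1024
            };
            using (var sr = new StringReader(xml))
            using (var reader = XmlReader.Create(sr, settings))
            {
                return (Greeting)serializer.ReadObject(reader);
            }
        }

        // Shows what NetDataContractSerializer writes: the type and assembly
        // names travel inside the document, which is why it cannot be made safe.
        public static string SerializeWithNetDataContract(Greeting g)
        {
            var serializer = new NetDataContractSerializer();
            using (var ms = new MemoryStream())
            {
                serializer.Serialize(ms, g);
                return Encoding.UTF8.GetString(ms.ToArray());
            }
        }

        public static void Main()
        {
            string benign = SerializeWithNetDataContract(new Greeting { Text = "hello" });
            Console.WriteLine("NetDataContractSerializer output (note the z:Type / z:Assembly attributes):");
            Console.WriteLine(benign);
            // Round-trips, because the payload names a type the app happens to have.
            Console.WriteLine(((Greeting)DeserializeUnsafe(benign)).Text);

            // Bound serializer: the expected contract deserializes normally...
            Console.WriteLine(DeserializeSafe(GoodPayload).Text);

            // ...and a document whose root does not match the bound type is rejected
            // up front, instead of being resolved to whatever type it asks for.
            try
            {
                DeserializeSafe(WrongRootPayload);
            }
            catch (SerializationException e)
            {
                Console.WriteLine("Rejected: " + e.Message);
            }
        }
    }
}
```

When triaging findings from this rule, note that its patterns key on the unqualified `new NetDataContractSerializer()` inside a file that has `using System.Runtime.Serialization;`; confirm that the fully qualified form in your codebase is matched as well before treating a clean scan as proof of absence.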