csharp.lang.security.insecure-deserialization.soap-formatter.insecure-soapformatter-deserialization
semgrep
Author
5,563
Download Count*
License
The SoapFormatter type is dangerous and is not recommended for data processing. Applications should stop using SoapFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. SoapFormatter is insecure and can't be made secure
Run Locally
Run in CI
Defintion
rules:
- id: insecure-soapformatter-deserialization
severity: WARNING
languages:
- C#
metadata:
cwe:
- "CWE-502: Deserialization of Untrusted Data"
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
references:
- https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8#remarks
category: security
technology:
- .net
confidence: MEDIUM
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- "Insecure Deserialization "
message: The SoapFormatter type is dangerous and is not recommended for data
processing. Applications should stop using SoapFormatter as soon as
possible, even if they believe the data they're processing to be
trustworthy. SoapFormatter is insecure and can't be made secure
patterns:
- pattern-inside: |
using System.Runtime.Serialization.Formatters.Soap;
...
- pattern: |
new SoapFormatter();
Examples
soap-formatter.cs
using System.Runtime.Serialization.Formatters.Soap;
namespace InsecureDeserialization
{
public class InsecureSoapFormatterDeserialization
{
public void SoapFormatterDeserialization(string json)
{
try
{
MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(json));
// ruleid: insecure-soapformatter-deserialization
SoapFormatter soapFormatter = new SoapFormatter();
object obj = soapFormatter.Deserialize(ms);
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
}
}
Short Link: https://sg.run/gJnR