gitlab.security_code_scan.SCS0028-1
unknown
Download Count*
License
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Run Locally
Run in CI
Defintion
rules:
- id: security_code_scan.SCS0028-1
patterns:
- pattern-not: $OBJ.Deserialize("...")
- pattern-not: $OBJ.UnsafeDeserialize("...")
- pattern-not: $OBJ.UnsafeDeserializeMethodResponse("...")
- pattern-not: $OBJ.ReadObject("...")
- pattern-not: $OBJ.DeserializeFromString("...")
- pattern-not: $OBJ.DeserializeFromReader("...")
- pattern-not: $OBJ.DeserializeFromStream("...")
- pattern-not: $OBJ.DeserializeRequest("...")
- pattern-not: $OBJ.ToObject("...")
- pattern-not: $OBJ.DeserializeResponse("...")
- pattern-not: new System.Runtime.Serialization.DataContractSerializer("...")
- pattern-not: new System.Runtime.Serialization.Json.DataContractJsonSerializer("...")
- pattern-not: new System.Xml.Serialization.XmlSerializer("...")
- pattern-not: new System.Resources.ResourceReader("...")
- pattern-not: (System.Messaging.XmlMessageFormatter $E).Read("...")
- pattern-not: (System.Messaging.BinaryMessageFormatter $E).Read("...")
- pattern-either:
- pattern: $OBJ.Deserialize(...)
- pattern: $OBJ.UnsafeDeserialize(...)
- pattern: $OBJ.UnsafeDeserializeMethodResponse(...)
- pattern: $OBJ.ReadObject(...)
- pattern: $OBJ.DeserializeFromString(...)
- pattern: $OBJ.DeserializeFromReader(...)
- pattern: $OBJ.DeserializeFromStream(...)
- pattern: $OBJ.DeserializeRequest(...)
- pattern: $OBJ.ToObject(...)
- pattern: $OBJ.DeserializeResponse(...)
- pattern: new System.Runtime.Serialization.DataContractSerializer(...)
- pattern: new System.Runtime.Serialization.Json.DataContractJsonSerializer(...)
- pattern: new System.Xml.Serialization.XmlSerializer(...)
- pattern: new System.Resources.ResourceReader(...)
- pattern: (System.Messaging.XmlMessageFormatter $E).Read(...)
- pattern: (System.Messaging.BinaryMessageFormatter $E).Read(...)
languages:
- csharp
message: >
The application deserializes untrusted data without sufficiently verifying
that
the resulting data will be valid.
metadata:
category: security
cwe: "CWE-502: Deserialization of Untrusted Data"
license: MIT
severity: WARNING
Short Link: https://sg.run/BqeA