rspec/rules/S5773/vbnet/how-to-fix/formatters.adoc

=== Code examples

:BinaryFormatter: https://learn.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter

:NetDataContractSerializer: https://learn.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer

:SoapFormatter: https://learn.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter

:JavaScriptSerializer: https://learn.microsoft.com/en-us/dotnet/api/system.web.script.serialization.javascriptserializer

==== Noncompliant code example

With {BinaryFormatter}[``BinaryFormatter``], {NetDataContractSerializer}[``NetDataContractSerializer``] or {SoapFormatter}[``SoapFormatter``]:

[source,vbnet,diff-id=201,diff-type=noncompliant]
----
Dim myBinaryFormatter = New BinaryFormatter()
myBinaryFormatter.Deserialize(stream) ' Noncompliant
----

With {JavaScriptSerializer}[``JavaScriptSerializer``]:

[source,vbnet,diff-id=202,diff-type=noncompliant]
----
Dim serializer1 As JavaScriptSerializer = New JavaScriptSerializer(New SimpleTypeResolver()) ' Noncompliant: SimpleTypeResolver is insecure (every type is resolved)
serializer1.Deserialize(Of ExpectedType)(json)
----

==== Compliant solution

With {BinaryFormatter}[``BinaryFormatter``], {NetDataContractSerializer}[``NetDataContractSerializer``] or {SoapFormatter}[``SoapFormatter``]:

[source,vbnet,diff-id=201,diff-type=compliant]
----
NotInheritable Class CustomBinder
    Inherits SerializationBinder
    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        If Not (Equals(typeName, "type1") OrElse Equals(typeName, "type2") OrElse Equals(typeName, "type3")) Then
            Throw New SerializationException("Only type1, type2 and type3 are allowed")
        End If
        Return Assembly.Load(assemblyName).[GetType](typeName)
    End Function
End Class

Dim myBinaryFormatter = New BinaryFormatter()
myBinaryFormatter.Binder = New CustomBinder()
myBinaryFormatter.Deserialize(stream)
----

With {JavaScriptSerializer}[``JavaScriptSerializer``]:

[source,vbnet,diff-id=202,diff-type=compliant]
----
Public Class CustomSafeTypeResolver
    Inherits JavaScriptTypeResolver
    Public Overrides Function ResolveType(id As String) As Type
        If Not Equals(id, "ExpectedType") Then
            Throw New ArgumentNullException("Only ExpectedType is allowed during deserialization")
        End If
        Return Type.[GetType](id)
    End Function
End Class

Dim serializer As JavaScriptSerializer = New JavaScriptSerializer(New CustomSafeTypeResolver())
serializer.Deserialize(Of ExpectedType)(json)
----

=== Going the extra mile

include::../../common/extra-mile/formatters.adoc[]
Modify rule S5773: Change text to education framework format (APPSEC-1112) (#3166) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-29 15:43:53 +02:00			`=== Code examples`

			`:BinaryFormatter: https://learn.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter`

			`:NetDataContractSerializer: https://learn.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer`

			`:SoapFormatter: https://learn.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter`

			`:JavaScriptSerializer: https://learn.microsoft.com/en-us/dotnet/api/system.web.script.serialization.javascriptserializer`

			`==== Noncompliant code example`

			With {BinaryFormatter}[``BinaryFormatter``], {NetDataContractSerializer}[``NetDataContractSerializer``] or {SoapFormatter}[``SoapFormatter``]:

			`[source,vbnet,diff-id=201,diff-type=noncompliant]`
			`----`
			`Dim myBinaryFormatter = New BinaryFormatter()`
			`myBinaryFormatter.Deserialize(stream) ' Noncompliant`
			`----`

			With {JavaScriptSerializer}[``JavaScriptSerializer``]:

			`[source,vbnet,diff-id=202,diff-type=noncompliant]`
			`----`
			`Dim serializer1 As JavaScriptSerializer = New JavaScriptSerializer(New SimpleTypeResolver()) ' Noncompliant: SimpleTypeResolver is insecure (every type is resolved)`
			`serializer1.Deserialize(Of ExpectedType)(json)`
			`----`

			`==== Compliant solution`

			With {BinaryFormatter}[``BinaryFormatter``], {NetDataContractSerializer}[``NetDataContractSerializer``] or {SoapFormatter}[``SoapFormatter``]:

			`[source,vbnet,diff-id=201,diff-type=compliant]`
			`----`
			`NotInheritable Class CustomBinder`
			`Inherits SerializationBinder`
			`Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type`
			`If Not (Equals(typeName, "type1") OrElse Equals(typeName, "type2") OrElse Equals(typeName, "type3")) Then`
			`Throw New SerializationException("Only type1, type2 and type3 are allowed")`
			`End If`
			`Return Assembly.Load(assemblyName).[GetType](typeName)`
			`End Function`
			`End Class`

			`Dim myBinaryFormatter = New BinaryFormatter()`
			`myBinaryFormatter.Binder = New CustomBinder()`
			`myBinaryFormatter.Deserialize(stream)`
			`----`

			With {JavaScriptSerializer}[``JavaScriptSerializer``]:

			`[source,vbnet,diff-id=202,diff-type=compliant]`
			`----`
			`Public Class CustomSafeTypeResolver`
			`Inherits JavaScriptTypeResolver`
			`Public Overrides Function ResolveType(id As String) As Type`
			`If Not Equals(id, "ExpectedType") Then`
			`Throw New ArgumentNullException("Only ExpectedType is allowed during deserialization")`
			`End If`
			`Return Type.[GetType](id)`
			`End Function`
			`End Class`

			`Dim serializer As JavaScriptSerializer = New JavaScriptSerializer(New CustomSafeTypeResolver())`
			`serializer.Deserialize(Of ExpectedType)(json)`
			`----`

			`=== Going the extra mile`

			`include::../../common/extra-mile/formatters.adoc[]`