rspec/rules/S4212/csharp/rule.adoc

Because serialization constructors allocate and initialize objects, security checks that are present on regular constructors must also be present on a serialization constructor. Failure to do so would allow callers that could not otherwise create an instance to use the serialization constructor to do this.


This rule raises an issue when a type implements the ``++System.Runtime.Serialization.ISerializable++`` interface, is not a delegate or interface, is declared in an assembly that allows partially trusted callers and has a constructor that takes a ``++System.Runtime.Serialization.SerializationInfo++`` object and a ``++System.Runtime.Serialization.StreamingContext++`` object which is not secured by a security check, but one or more of the regular constructors in the type is secured.


== Noncompliant Code Example

[source,csharp]
----
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Permissions;

[assembly: AllowPartiallyTrustedCallersAttribute()]
namespace MyLibrary
{
    [Serializable]
    public class Foo : ISerializable
    {
        private int n;

        [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
        public Foo()
        {
           n = -1;
        }

        protected Foo(SerializationInfo info, StreamingContext context) // Noncompliant
        {
           n = (int)info.GetValue("n", typeof(int));
        }

        void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
        {
           info.AddValue("n", n);
        }
    }
}
----


== Compliant Solution

[source,csharp]
----
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Permissions;

[assembly: AllowPartiallyTrustedCallersAttribute()]
namespace MyLibrary
{
    [Serializable]
    public class Foo : ISerializable
    {
        private int n;

        [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
        public Foo()
        {
           n = -1;
        }

        [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
        protected Foo(SerializationInfo info, StreamingContext context)
        {
           n = (int)info.GetValue("n", typeof(int));
        }

        void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
        {
           info.AddValue("n", n);
        }
    }
}
----


== See

* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization 


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Because serialization constructors allocate and initialize objects, security checks that are present on regular constructors must also be present on a serialization constructor. Failure to do so would allow callers that could not otherwise create an instance to use the serialization constructor to do this.`


			This rule raises an issue when a type implements the ``++System.Runtime.Serialization.ISerializable++`` interface, is not a delegate or interface, is declared in an assembly that allows partially trusted callers and has a constructor that takes a ``++System.Runtime.Serialization.SerializationInfo++`` object and a ``++System.Runtime.Serialization.StreamingContext++`` object which is not secured by a security check, but one or more of the regular constructors in the type is secured.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`using System;`
			`using System.IO;`
			`using System.Runtime.Serialization;`
			`using System.Runtime.Serialization.Formatters.Binary;`
			`using System.Security;`
			`using System.Security.Permissions;`

			`[assembly: AllowPartiallyTrustedCallersAttribute()]`
			`namespace MyLibrary`
			`{`
			`[Serializable]`
			`public class Foo : ISerializable`
			`{`
			`private int n;`

			`[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]`
			`public Foo()`
			`{`
			`n = -1;`
			`}`

			`protected Foo(SerializationInfo info, StreamingContext context) // Noncompliant`
			`{`
			`n = (int)info.GetValue("n", typeof(int));`
			`}`

			`void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)`
			`{`
			`info.AddValue("n", n);`
			`}`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`using System;`
			`using System.IO;`
			`using System.Runtime.Serialization;`
			`using System.Runtime.Serialization.Formatters.Binary;`
			`using System.Security;`
			`using System.Security.Permissions;`

			`[assembly: AllowPartiallyTrustedCallersAttribute()]`
			`namespace MyLibrary`
			`{`
			`[Serializable]`
			`public class Foo : ISerializable`
			`{`
			`private int n;`

			`[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]`
			`public Foo()`
			`{`
			`n = -1;`
			`}`

			`[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]`
			`protected Foo(SerializationInfo info, StreamingContext context)`
			`{`
			`n = (int)info.GetValue("n", typeof(int));`
			`}`

			`void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)`
			`{`
			`info.AddValue("n", n);`
			`}`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`include::highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`