:link-with-uscores1: https://docs.microsoft.com/en-us/dotnet/api/system.codedom.compiler.tempfilecollection.-ctor?view=netframework-4.8#System_CodeDom_Compiler_TempFileCollection__ctor During the deserialization process, the state of an object will be reconstructed from the serialized data stream which can contain dangerous operations. For example, a well-known attack vector consists in serializing an object of type ``{link-with-uscores1}[TempFileCollection]`` with arbitrary files (defined by an attacker) which will be deleted on the application deserializing this object (when the https://docs.microsoft.com/en-us/dotnet/api/system.codedom.compiler.tempfilecollection.finalize?view=netframework-4.8[finalize() ]method of the TempFileCollection object is called). This kind of types are called "https://github.com/pwntester/ysoserial.net[gadgets]". Instead of using ``++BinaryFormatter++`` and similar serializers, it is recommended to use safer alternatives in most of the cases, such as https://docs.microsoft.com/en-us/dotnet/api/system.xml.serialization.xmlserializer?view=net-5.0[XmlSerializer] or https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.datacontractserializer?view=net-5.0[DataContractSerializer]. If it's not possible then try to mitigate the risk by restricting the types allowed to be deserialized: * by implementing an "allow-list" of types, but keep in mind that novel dangerous types are regularly discovered and this protection could be insufficient over time. * or/and implementing a tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC). This way only objects serialized with the correct MAC hash will be deserialized. == Noncompliant Code Example For https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter?view=netframework-4.8[BinaryFormatter], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8[NetDataContractSerializer], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8[SoapFormatter] serializers: ---- var myBinaryFormatter = new BinaryFormatter(); myBinaryFormatter.Deserialize(stream); // Noncompliant: a binder is not used to limit types during deserialization ---- https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.javascriptserializer?view=netframework-4.8[JavaScriptSerializer] should not use SimpleTypeResolver or other weak resolvers: ---- JavaScriptSerializer serializer1 = new JavaScriptSerializer(new SimpleTypeResolver()); // Noncompliant: SimpleTypeResolver is unsecure (every types is resolved) serializer1.Deserialize(json); ---- https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8[LosFormatter] should not be used without MAC verification: ---- LosFormatter formatter = new LosFormatter(); // Noncompliant formatter.Deserialize(fs); ---- == Compliant Solution https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter?view=netframework-4.8[BinaryFormatter], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8[NetDataContractSerializer ], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8[SoapFormatter] serializers should use a binder implementing a whitelist approach to limit types during deserialization (at least one exception should be thrown or a null value returned): ---- sealed class CustomBinder : SerializationBinder { public override Type BindToType(string assemblyName, string typeName) { if (!(typeName == "type1" || typeName == "type2" || typeName == "type3")) { throw new SerializationException("Only type1, type2 and type3 are allowed"); // Compliant } return Assembly.Load(assemblyName).GetType(typeName); } } var myBinaryFormatter = new BinaryFormatter(); myBinaryFormatter.Binder = new CustomBinder(); myBinaryFormatter.Deserialize(stream); ---- https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.javascriptserializer?view=netframework-4.8[JavaScriptSerializer] should use a resolver implementing a whitelist to limit types during deserialization (at least one exception should be thrown or a null value returned): ---- public class CustomSafeTypeResolver : JavaScriptTypeResolver { public override Type ResolveType(string id) { if(id != "ExpectedType") { throw new ArgumentNullException("Only ExpectedType is allowed during deserialization"); // Compliant } return Type.GetType(id); } } JavaScriptSerializer serializer = new JavaScriptSerializer(new CustomSafeTypeResolver()); // Compliant serializer.Deserialize(json); ---- https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8[LosFormatter] serializer with MAC verification: ---- LosFormatter formatter = new LosFormatter(true, secret); // Compliant formatter.Deserialize(fs); ---- == See * https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide?s=03[docs.microsoft.com] - BinaryFormatter security guide * https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization * https://cwe.mitre.org/data/definitions/134.html[MITRE, CWE-134] - Use of Externally-Controlled Format String * https://cwe.mitre.org/data/definitions/502.html[MITRE, CWE-502] - Deserialization of Untrusted Data * https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management * https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md[OWASP Deserialization Cheat Sheet] ifdef::env-github,rspecator-view[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]