== Why is this an issue? Because serialization constructors allocate and initialize objects, security checks that are present on regular constructors must also be present on a serialization constructor. Failure to do so would allow callers that could not otherwise create an instance to use the serialization constructor to do this. This rule raises an issue when a type implements the ``++System.Runtime.Serialization.ISerializable++`` interface, is not a delegate or interface, is declared in an assembly that allows partially trusted callers and has a constructor that takes a ``++System.Runtime.Serialization.SerializationInfo++`` object and a ``++System.Runtime.Serialization.StreamingContext++`` object which is not secured by a security check, but one or more of the regular constructors in the type is secured. === Noncompliant code example [source,csharp] ---- using System; using System.IO; using System.Runtime.Serialization; using System.Runtime.Serialization.Formatters.Binary; using System.Security; using System.Security.Permissions; [assembly: AllowPartiallyTrustedCallersAttribute()] namespace MyLibrary { [Serializable] public class Foo : ISerializable { private int n; [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)] public Foo() { n = -1; } protected Foo(SerializationInfo info, StreamingContext context) // Noncompliant { n = (int)info.GetValue("n", typeof(int)); } void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context) { info.AddValue("n", n); } } } ---- === Compliant solution [source,csharp] ---- using System; using System.IO; using System.Runtime.Serialization; using System.Runtime.Serialization.Formatters.Binary; using System.Security; using System.Security.Permissions; [assembly: AllowPartiallyTrustedCallersAttribute()] namespace MyLibrary { [Serializable] public class Foo : ISerializable { private int n; [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)] public Foo() { n = -1; } [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)] protected Foo(SerializationInfo info, StreamingContext context) { n = (int)info.GetValue("n", typeof(int)); } void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context) { info.AddValue("n", n); } } } ---- == Resources * OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures] * OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization ] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Secure this serialization constructor. === Highlighting Primary: Serialization constructor declaration endif::env-github,rspecator-view[]