include::../why-dotnet.adoc[]

=== Noncompliant code example

For https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter?view=netframework-4.8[BinaryFormatter], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8[NetDataContractSerializer] and https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8[SoapFormatter] serializers:

[source,csharp]
----
var myBinaryFormatter = new BinaryFormatter();
myBinaryFormatter.Deserialize(stream); // Noncompliant: a binder is not used to limit types during deserialization
----

https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.javascriptserializer?view=netframework-4.8[JavaScriptSerializer] should not use SimpleTypeResolver or other weak resolvers:

[source,csharp]
----
JavaScriptSerializer serializer1 = new JavaScriptSerializer(new SimpleTypeResolver()); // Noncompliant: SimpleTypeResolver is insecure (every type is resolved)
serializer1.Deserialize(json);
----

https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8[LosFormatter] should not be used without MAC verification:

[source,csharp]
----
LosFormatter formatter = new LosFormatter(); // Noncompliant
formatter.Deserialize(fs);
----

=== Compliant solution

https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter?view=netframework-4.8[BinaryFormatter], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8[NetDataContractSerializer] and https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8[SoapFormatter] serializers should use a binder implementing a whitelist approach to limit types during deserialization (at least one exception should be thrown or a null value returned):

[source,csharp]
----
sealed class CustomBinder : SerializationBinder
{
    // Only the explicitly listed type names are resolved; anything else is rejected.
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (!(typeName == "type1" || typeName == "type2" || typeName == "type3"))
        {
            throw new SerializationException("Only type1, type2 and type3 are allowed"); // Compliant
        }
        return Assembly.Load(assemblyName).GetType(typeName);
    }
}

var myBinaryFormatter = new BinaryFormatter();
myBinaryFormatter.Binder = new CustomBinder();
myBinaryFormatter.Deserialize(stream);
----

https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.javascriptserializer?view=netframework-4.8[JavaScriptSerializer] should use a resolver implementing a whitelist to limit types during deserialization (at least one exception should be thrown or a null value returned):

[source,csharp]
----
public class CustomSafeTypeResolver : JavaScriptTypeResolver
{
    // Only the single expected type is resolved; any other type id is rejected.
    public override Type ResolveType(string id)
    {
        if (id != "ExpectedType")
        {
            throw new ArgumentNullException("Only ExpectedType is allowed during deserialization"); // Compliant
        }
        return Type.GetType(id);
    }
}

JavaScriptSerializer serializer = new JavaScriptSerializer(new CustomSafeTypeResolver()); // Compliant
serializer.Deserialize(json);
----

https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8[LosFormatter] serializer with MAC verification:

[source,csharp]
----
LosFormatter formatter = new LosFormatter(true, secret); // Compliant
formatter.Deserialize(fs);
----

include::../resources.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
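As an added example (not part of the rule's own code, and assuming .NET Framework where BinaryFormatter is available), a binder that takes the whitelist approach of the compliant solution one step further: allowed type names resolve to types fixed at compile time, so the payload's assembly name is never handed to `Assembly.Load`, and unknown names throw instead of returning null, because BinaryFormatter falls back to its default type lookup when `BindToType` returns null. `OrderMessage`, `Unexpected`, `AllowListBinder` and `Demo` are constructed names.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed sample types: the one message the application expects, and one it does not.
[Serializable] public sealed class OrderMessage { public int Id; public string Sku; }
[Serializable] public sealed class Unexpected { public string Payload; }

// Allow-list binder: expected type names map to types fixed at compile time, so the
// payload's assembly name is never passed to Assembly.Load. Unknown names throw rather
// than return null, since BinaryFormatter treats a null from BindToType as "use the
// default type lookup", which would not reject the type.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type> { [typeof(OrderMessage).FullName] = typeof(OrderMessage) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type type)) return type;
        throw new SerializationException(
            $"Type '{typeName}' from assembly '{assemblyName}' is not allowed during deserialization");
    }
}

public static class Demo
{
    // The only deserialization entry point: every payload is resolved through the binder.
    public static OrderMessage ReadOrder(byte[] payload)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var stream = new MemoryStream(payload))
            return (OrderMessage)formatter.Deserialize(stream);
    }

    // Builds constructed payloads for the demo (serialization needs no binder).
    private static byte[] Serialize(object graph)
    {
        using (var stream = new MemoryStream()) { new BinaryFormatter().Serialize(stream, graph); return stream.ToArray(); }
    }

    public static void Main()
    {
        var ok = ReadOrder(Serialize(new OrderMessage { Id = 42, Sku = "ABC-1" }));
        Console.WriteLine($"Accepted order {ok.Id} ({ok.Sku})");
        // A stream naming any other type is rejected by the binder before an instance is created.
        try { ReadOrder(Serialize(new Unexpected { Payload = "not an order" })); }
        catch (SerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```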