
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
== Why is this an issue?
Because serialization constructors allocate and initialize objects, security checks that are present on regular constructors must also be present on a serialization constructor. Failing to do so would allow callers that could not otherwise create an instance to obtain one through the serialization constructor.
This rule raises an issue when a type implements the ``++System.Runtime.Serialization.ISerializable++`` interface, is not a delegate or an interface, is declared in an assembly that allows partially trusted callers, and has a constructor taking a ``++System.Runtime.Serialization.SerializationInfo++`` object and a ``++System.Runtime.Serialization.StreamingContext++`` object that is not secured by a security check, while one or more of the type's regular constructors is secured.
=== Noncompliant code example
[source,csharp]
----
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Permissions;
[assembly: AllowPartiallyTrustedCallersAttribute()]
namespace MyLibrary
{
    // Foo is serializable and lives in an assembly marked with
    // AllowPartiallyTrustedCallers, so partially trusted code can reach
    // both of its constructors.
    [Serializable]
    public class Foo : ISerializable
    {
        private int n;

        // The regular constructor is guarded: a caller must satisfy an
        // unrestricted FileIOPermission demand before an instance is created.
        [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
        public Foo()
        {
            n = -1;
        }

        // The serialization constructor also allocates and initializes a Foo,
        // but carries no matching demand: a caller that cannot pass the check
        // above can still obtain an instance by deserializing one.
        protected Foo(SerializationInfo info, StreamingContext context) // Noncompliant
        {
            n = (int)info.GetValue("n", typeof(int));
        }

        // Explicit ISerializable implementation; stores the state that the
        // serialization constructor reads back under the same key.
        void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
        {
            info.AddValue("n", n);
        }
    }
}
----
=== Compliant solution
[source,csharp]
----
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Permissions;
[assembly: AllowPartiallyTrustedCallersAttribute()]
namespace MyLibrary
{
    // Foo is serializable and lives in an assembly marked with
    // AllowPartiallyTrustedCallers, so partially trusted code can reach
    // both of its constructors; every path that creates an instance must
    // therefore carry the same security check.
    [Serializable]
    public class Foo : ISerializable
    {
        private int n;

        // The regular constructor is guarded: a caller must satisfy an
        // unrestricted FileIOPermission demand before an instance is created.
        [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
        public Foo()
        {
            n = -1;
        }

        // The serialization constructor carries the same demand, so
        // deserialization cannot be used to bypass the check on the regular
        // constructor.
        // NOTE(review): the demand is enforced by Code Access Security;
        // confirm that the target runtime still honours it.
        [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
        protected Foo(SerializationInfo info, StreamingContext context)
        {
            n = (int)info.GetValue("n", typeof(int));
        }

        // Explicit ISerializable implementation; stores the state that the
        // serialization constructor reads back under the same key.
        void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
        {
            info.AddValue("n", n);
        }
    }
}
----
== Resources
* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
* https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Secure this serialization constructor.
=== Highlighting
Primary: Serialization constructor declaration
endif::env-github,rspecator-view[]