include::../why-dotnet.adoc[]

=== Noncompliant code example

For https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter?view=netframework-4.8[BinaryFormatter], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8[NetDataContractSerializer], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8[SoapFormatter] serializers:

[source,vbnet]
----
Dim myBinaryFormatter = New BinaryFormatter()
myBinaryFormatter.Deserialize(stream) ' Noncompliant: a binder is not used to limit types during deserialization
----

https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.javascriptserializer?view=netframework-4.8[JavaScriptSerializer] should not use SimpleTypeResolver or other weak resolvers:

[source,vbnet]
----
Dim serializer1 As JavaScriptSerializer = New JavaScriptSerializer(New SimpleTypeResolver()) ' Noncompliant: SimpleTypeResolver is insecure (every type is resolved)
serializer1.Deserialize(Of ExpectedType)(json)
----

https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8[LosFormatter] should not be used without MAC verification:

[source,vbnet]
----
Dim formatter As LosFormatter = New LosFormatter() ' Noncompliant
formatter.Deserialize(fs)
----

=== Compliant solution

https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter?view=netframework-4.8[BinaryFormatter], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8[NetDataContractSerializer], https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.soap.soapformatter?view=netframework-4.8[SoapFormatter] serializers should use a binder implementing a whitelist approach to limit types during deserialization (at least one exception should be thrown or a null value returned):

[source,vbnet]
----
NotInheritable Class CustomBinder
    Inherits SerializationBinder

    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        If Not (Equals(typeName, "type1") OrElse Equals(typeName, "type2") OrElse Equals(typeName, "type3")) Then
            Throw New SerializationException("Only type1, type2 and type3 are allowed") ' Compliant
        End If
        Return Assembly.Load(assemblyName).[GetType](typeName)
    End Function
End Class

Dim myBinaryFormatter = New BinaryFormatter()
myBinaryFormatter.Binder = New CustomBinder()
myBinaryFormatter.Deserialize(stream)
----
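
As an added example (not part of the original rule text), the same whitelist idea carried one step further: the binder maps allowed type names to `Type` objects that are already loaded, so the assembly name read from the untrusted stream is never passed to `Assembly.Load`, and the assembly name is checked as well as the type name. `OrderHeader`, `AllowListBinder` and `Demo` are constructed names for this illustration; the code assumes .NET Framework, where BinaryFormatter is still available.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Runtime.Serialization
Imports System.Runtime.Serialization.Formatters.Binary

' Constructed payload type for the demo; any <Serializable> class of your own would do.
<Serializable>
Public Class OrderHeader
    Public Property Id As Integer
End Class

' Resolves only from a fixed map of already-loaded types; the stream's assembly name never reaches Assembly.Load.
Public NotInheritable Class AllowListBinder
    Inherits SerializationBinder
    Private Shared ReadOnly Allowed As New Dictionary(Of String, Type) From {
        {GetType(OrderHeader).FullName, GetType(OrderHeader)}
    }

    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        Dim t As Type = Nothing
        ' Both the type name and the assembly it claims to come from must match exactly.
        If Allowed.TryGetValue(typeName, t) AndAlso
           String.Equals(t.Assembly.FullName, assemblyName, StringComparison.Ordinal) Then
            Return t
        End If
        Throw New SerializationException("Type '" & typeName & "' from '" & assemblyName & "' is not allowed")
    End Function
End Class

Module Demo
    ' Serializes a graph and reads it back through the allow-list binder.
    Function RoundTrip(graph As Object) As Object
        Dim formatter As New BinaryFormatter With {.Binder = New AllowListBinder()}
        Using ms As New MemoryStream()
            formatter.Serialize(ms, graph)
            ms.Position = 0
            Return formatter.Deserialize(ms)
        End Using
    End Function

    Sub Main()
        Dim accepted = DirectCast(RoundTrip(New OrderHeader With {.Id = 42}), OrderHeader)
        Console.WriteLine("Accepted OrderHeader " & accepted.Id.ToString())
        Try
            RoundTrip(New List(Of String) From {"not", "allowed"}) ' not in the allow list
        Catch ex As SerializationException
            Console.WriteLine("Rejected: " & ex.Message)
        End Try
    End Sub
End Module
```

On .NET 5 and later BinaryFormatter is marked obsolete (warning SYSLIB0011) and .NET 8 disables it by default, so a binder is a hardening measure for legacy .NET Framework code rather than a reason to keep using the formatter.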

https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.javascriptserializer?view=netframework-4.8[JavaScriptSerializer] should use a resolver implementing a whitelist to limit types during deserialization (at least one exception should be thrown or a null value returned):

[source,vbnet]
----
Public Class CustomSafeTypeResolver
    Inherits JavaScriptTypeResolver

    Public Overrides Function ResolveType(id As String) As Type
        If Not Equals(id, "ExpectedType") Then
            Throw New ArgumentNullException("Only ExpectedType is allowed during deserialization") ' Compliant
        End If
        Return Type.[GetType](id)
    End Function
End Class

Dim serializer As JavaScriptSerializer = New JavaScriptSerializer(New CustomSafeTypeResolver()) ' Compliant
serializer.Deserialize(Of ExpectedType)(json)
----

https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8[LosFormatter] serializer with MAC verification:

[source,vbnet]
----
Dim formatter As LosFormatter = New LosFormatter(True, secret) ' Compliant
formatter.Deserialize(fs)
----

include::../resources.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]