rspec/rules/S5135/csharp/rule.adoc
Alban Auzeill 2c306d110e Fix code block ambiguity with old header style
Ensure blank line before list and clean the one leading space
2020-06-30 17:16:12 +02:00

include::../description.adoc[]

== Noncompliant Code Example

For the https://docs.microsoft.com/en-us/dotnet/api/system.xml.serialization.xmlserializer?view=netframework-4.8[XmlSerializer] serializer, the expected type should not come from user-controlled input:

----
using System;
using System.Web.Mvc; // ASP.NET MVC on .NET Framework (the Controller base class)
using System.Xml.Serialization;

public class XmlSerializerTestCase : Controller
{
    public ActionResult unsecuredeserialization(string typeName)
    {
        // .... (fs, the input stream, is opened in the elided code)
        ExpectedType obj = null;
        Type t = Type.GetType(typeName); // typeName is user-controlled
        XmlSerializer serializer = new XmlSerializer(t); // Noncompliant
        obj = (ExpectedType) serializer.Deserialize(fs);
        // ....
    }
}
----

== Compliant Solution

For the https://docs.microsoft.com/en-us/dotnet/api/system.xml.serialization.xmlserializer?view=netframework-4.8[XmlSerializer] serializer:

----
using System;
using System.Web.Mvc; // ASP.NET MVC on .NET Framework (the Controller base class)
using System.Xml.Serialization;

public class XmlSerializerTestCase : Controller
{
    public ActionResult securedeserialization()
    {
        // .... (fs, the input stream, is opened in the elided code)
        ExpectedType obj = null;
        XmlSerializer serializer = new XmlSerializer(typeof(ExpectedType)); // Compliant
        obj = (ExpectedType) serializer.Deserialize(fs);
        // ....
    }
}
----
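The compliant solution fixes a single type at compile time. When an endpoint genuinely has to accept several payload types, the same rule can still be honoured by letting the client pick only a key into an allow-list of serializers built from `typeof()`, so `Type.GetType` is never called on request data. The block below is an added example, not part of the SonarSource rule; the names `SafeXmlDeserializer`, `TryDeserialize`, `Order` and `Customer` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Constructed payload types standing in for the application's real ones.
public class Order    { public int Id { get; set; } public decimal Total { get; set; } }
public class Customer { public string Name { get; set; } }

public static class SafeXmlDeserializer
{
    // Allow-list: request discriminator -> serializer built from a compile-time typeof().
    // The table is the complete, reviewable set of types this endpoint will ever deserialize.
    private static readonly IReadOnlyDictionary<string, XmlSerializer> Serializers =
        new Dictionary<string, XmlSerializer>(StringComparer.Ordinal)
        {
            ["order"]    = new XmlSerializer(typeof(Order)),
            ["customer"] = new XmlSerializer(typeof(Customer)),
        };

    // Returns false for an unknown discriminator, a root element that does not match
    // the selected type, or a malformed document; the caller answers 400 in each case.
    public static bool TryDeserialize(string kind, Stream body, out object result)
    {
        result = null;
        if (kind == null || !Serializers.TryGetValue(kind, out XmlSerializer serializer))
            return false; // unknown key: refuse, never fall back to Type.GetType(kind)

        try
        {
            using (XmlReader reader = XmlReader.Create(body))
            {
                // CanDeserialize checks that the root element is the one the
                // serializer expects, e.g. a <Customer> body sent with kind="order" is rejected.
                if (!serializer.CanDeserialize(reader))
                    return false;
                result = serializer.Deserialize(reader);
                return true;
            }
        }
        catch (Exception ex) when (ex is XmlException || ex is InvalidOperationException)
        {
            return false; // malformed XML or a payload that does not fit the type
        }
    }
}
```

A controller action would call `TryDeserialize(kind, Request.InputStream, out var payload)` and return a 400 response whenever it yields false.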

== See
* https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf[Are You My Type?] - James Forshaw - BlackHat 2012
* https://www.youtube.com/watch?v=oxlD8VWWHE8[BlueHat v17 - Dangerous Contents - Securing .Net Deserialization]
* https://www.youtube.com/watch?v=qDoBlLwREYk0[Alvaro Muñoz: .NET Serialization: Detecting and Defending Vulnerable Endpoints]
* https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
* https://cwe.mitre.org/data/definitions/134.html[MITRE, CWE-134] - Use of Externally-Controlled Format String
* https://cwe.mitre.org/data/definitions/502.html[MITRE, CWE-502] - Deserialization of Untrusted Data
* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management