111 lines
3.1 KiB
Plaintext
111 lines
3.1 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Because serialization constructors allocate and initialize objects, security checks that are present on regular constructors must also be present on a serialization constructor. Failure to do so would allow callers that could not otherwise create an instance to use the serialization constructor to do this.
|
|
|
|
|
|
This rule raises an issue when a type implements the ``++System.Runtime.Serialization.ISerializable++`` interface, is not a delegate or interface, is declared in an assembly that allows partially trusted callers and has a constructor that takes a ``++System.Runtime.Serialization.SerializationInfo++`` object and a ``++System.Runtime.Serialization.StreamingContext++`` object which is not secured by a security check, but one or more of the regular constructors in the type is secured.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,csharp]
|
|
----
|
|
using System;
|
|
using System.IO;
|
|
using System.Runtime.Serialization;
|
|
using System.Runtime.Serialization.Formatters.Binary;
|
|
using System.Security;
|
|
using System.Security.Permissions;
|
|
|
|
[assembly: AllowPartiallyTrustedCallersAttribute()]
|
|
namespace MyLibrary
|
|
{
|
|
[Serializable]
|
|
public class Foo : ISerializable
|
|
{
|
|
private int n;
|
|
|
|
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
|
|
public Foo()
|
|
{
|
|
n = -1;
|
|
}
|
|
|
|
protected Foo(SerializationInfo info, StreamingContext context) // Noncompliant
|
|
{
|
|
n = (int)info.GetValue("n", typeof(int));
|
|
}
|
|
|
|
void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
|
|
{
|
|
info.AddValue("n", n);
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,csharp]
|
|
----
|
|
using System;
|
|
using System.IO;
|
|
using System.Runtime.Serialization;
|
|
using System.Runtime.Serialization.Formatters.Binary;
|
|
using System.Security;
|
|
using System.Security.Permissions;
|
|
|
|
[assembly: AllowPartiallyTrustedCallersAttribute()]
|
|
namespace MyLibrary
|
|
{
|
|
[Serializable]
|
|
public class Foo : ISerializable
|
|
{
|
|
private int n;
|
|
|
|
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
|
|
public Foo()
|
|
{
|
|
n = -1;
|
|
}
|
|
|
|
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
|
|
protected Foo(SerializationInfo info, StreamingContext context)
|
|
{
|
|
n = (int)info.GetValue("n", typeof(int));
|
|
}
|
|
|
|
void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
|
|
{
|
|
info.AddValue("n", n);
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[Top 10 2021 Category A8 - Software and Data Integrity Failures]
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization ]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Secure this serialization constructor.
|
|
|
|
|
|
=== Highlighting
|
|
|
|
Primary: Serialization constructor declaration
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|