101 lines
2.9 KiB
Plaintext
101 lines
2.9 KiB
Plaintext
Because serialization constructors allocate and initialize objects, security checks that are present on regular constructors must also be present on a serialization constructor. Failure to do so would allow callers that could not otherwise create an instance to use the serialization constructor to do this.
|
|
|
|
|
|
This rule raises an issue when a type implements the ``++System.Runtime.Serialization.ISerializable++`` interface, is not a delegate or interface, is declared in an assembly that allows partially trusted callers and has a constructor that takes a ``++System.Runtime.Serialization.SerializationInfo++`` object and a ``++System.Runtime.Serialization.StreamingContext++`` object which is not secured by a security check, but one or more of the regular constructors in the type is secured.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
using System;
|
|
using System.IO;
|
|
using System.Runtime.Serialization;
|
|
using System.Runtime.Serialization.Formatters.Binary;
|
|
using System.Security;
|
|
using System.Security.Permissions;
|
|
|
|
[assembly: AllowPartiallyTrustedCallersAttribute()]
|
|
namespace MyLibrary
|
|
{
|
|
[Serializable]
|
|
public class Foo : ISerializable
|
|
{
|
|
private int n;
|
|
|
|
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
|
|
public Foo()
|
|
{
|
|
n = -1;
|
|
}
|
|
|
|
protected Foo(SerializationInfo info, StreamingContext context) // Noncompliant
|
|
{
|
|
n = (int)info.GetValue("n", typeof(int));
|
|
}
|
|
|
|
void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
|
|
{
|
|
info.AddValue("n", n);
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
using System;
|
|
using System.IO;
|
|
using System.Runtime.Serialization;
|
|
using System.Runtime.Serialization.Formatters.Binary;
|
|
using System.Security;
|
|
using System.Security.Permissions;
|
|
|
|
[assembly: AllowPartiallyTrustedCallersAttribute()]
|
|
namespace MyLibrary
|
|
{
|
|
[Serializable]
|
|
public class Foo : ISerializable
|
|
{
|
|
private int n;
|
|
|
|
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
|
|
public Foo()
|
|
{
|
|
n = -1;
|
|
}
|
|
|
|
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
|
|
protected Foo(SerializationInfo info, StreamingContext context)
|
|
{
|
|
n = (int)info.GetValue("n", typeof(int));
|
|
}
|
|
|
|
void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
|
|
{
|
|
info.AddValue("n", n);
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
|
|
* https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|