rspec/rules/S5135/csharp/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

For https://docs.microsoft.com/en-us/dotnet/api/system.xml.serialization.xmlserializer?view=netframework-4.8[XmlSerializer ] serializer, the expected type should not come from user-controlled input:

----
public class XmlSerializerTestCase : Controller
{
   public ActionResult unsecuredeserialization(string typeName)
  {
     // ....
     ExpectedType obj = null;
     Type t = Type.GetType(typeName); // typeName is user-controlled
     XmlSerializer serializer = new XmlSerializer(t); // Noncompliant
     obj = (ExpectedType) serializer.Deserialize(fs);
     // ....
   }
}
----

== Compliant Solution

For https://docs.microsoft.com/en-us/dotnet/api/system.xml.serialization.xmlserializer?view=netframework-4.8[XmlSerializer ] serializer:

----
public class XmlSerializerTestCase : Controller
{
   public ActionResult securedeserialization()
  {
     // ....
     ExpectedType obj = null;
     XmlSerializer serializer = new XmlSerializer(typeof(ExpectedType)); // Compliant
     obj = (ExpectedType) serializer.Deserialize(fs);
     // ....
   }
}
----

== See

* https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/[OWASP Top 10 2021 Category A8] - Software and Data Integrity Failures
* https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization[OWASP Top 10 2017 Category A8] - Insecure Deserialization
* https://cwe.mitre.org/data/definitions/134.html[MITRE, CWE-134] - Use of Externally-Controlled Format String
* https://cwe.mitre.org/data/definitions/502.html[MITRE, CWE-502] - Deserialization of Untrusted Data
* https://www.sans.org/top25-software-errors/#cat2[SANS Top 25] - Risky Resource Management
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]