Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None

      Description

      Noncompliant Code Example

      For XmlSerializer, the type handed to the serializer must not come from user-controlled input:

      using System;
      using System.Xml.Serialization;

      public class XmlSerializerTestCase : Controller
      {
          public ActionResult unsecuredeserialization(string typeName)
          {
              // ....
              ExpectedType obj = null;
              Type t = Type.GetType(typeName); // typeName is user-controlled
              XmlSerializer serializer = new XmlSerializer(t); // Noncompliant: the caller decides which type gets instantiated
              obj = (ExpectedType) serializer.Deserialize(fs); // fs: the input stream, elided on the page
              // ....
          }
      }


      Compliant Solution

      For XmlSerializer, pass a type fixed at compile time:

      using System;
      using System.Xml.Serialization;

      public class XmlSerializerTestCase : Controller
      {
          public ActionResult securedeserialization()
          {
              // ....
              ExpectedType obj = null;
              XmlSerializer serializer = new XmlSerializer(typeof(ExpectedType)); // Compliant: the type is a compile-time constant
              obj = (ExpectedType) serializer.Deserialize(fs); // fs: the input stream, elided on the page
              // ....
          }
      }

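      When a request genuinely has to choose between several document kinds, the fix is still not Type.GetType on the input. The following is an added example, not code from the rule page or from SonarSource: the caller supplies a short key, the key is looked up in a fixed allowlist of serializers, and anything else is rejected before deserialization starts. The Invoice and Receipt types, the key names and the XML sample are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Xml.Serialization;

// Constructed payload types for the example (assumptions, not from the rule page).
public class Invoice { public int Id { get; set; } public string Customer { get; set; } }
public class Receipt { public int Id { get; set; } public decimal Amount { get; set; } }

public static class SafeXmlDeserializer
{
    // Allowlist: the only types a caller may ask for, keyed by a short name.
    // The user picks a key, never a Type; Type.GetType(userInput) is never called.
    private static readonly IReadOnlyDictionary<string, XmlSerializer> Serializers =
        new Dictionary<string, XmlSerializer>(StringComparer.Ordinal)
        {
            ["invoice"] = new XmlSerializer(typeof(Invoice)),
            ["receipt"] = new XmlSerializer(typeof(Receipt)),
        };

    // Returns the deserialized object for an allowed kind, or throws for anything else.
    public static object Deserialize(string kind, Stream xml)
    {
        if (kind == null || !Serializers.TryGetValue(kind, out var serializer))
            throw new ArgumentException($"Unsupported document kind '{kind}'.", nameof(kind));
        return serializer.Deserialize(xml);
    }

    public static void Main()
    {
        // Constructed input: a well-formed Invoice document.
        const string invoiceXml = "<Invoice><Id>42</Id><Customer>ACME</Customer></Invoice>";
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(invoiceXml)))
        {
            var invoice = (Invoice)Deserialize("invoice", ms);
            Console.WriteLine($"Invoice {invoice.Id} for {invoice.Customer}");
        }

        // A request naming an arbitrary type is rejected before any XML is read.
        try
        {
            Deserialize("NotAllowed.Type", Stream.Null);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```

      Because every XmlSerializer in the table is built from a typeof() expression, the set of instantiable types is visible in the source and cannot grow at runtime.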

      People

      • Assignee:
        Unassigned
      • Reporter:
        Alexandre Gigleux (alexandre.gigleux)