Serialization check bypass
ID: cs/serialization-check-bypass
Kind: problem
Security severity: 7.8
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-20
Query suites:
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Fields that are populated by deserialization should be validated; otherwise the deserialized object may contain invalid data.
This query finds fields that are validated in a constructor but not in the deserialization method. This indicates that the deserialization method is missing a validation step, so a crafted serialized payload can put the object into a state the constructor would have rejected.
Recommendation
If a field needs to be validated, make sure the same validation is also performed during deserialization.
Example
The following example validates the Age field in the constructor but not in the deserialization method:
```csharp
using System;
using System.Runtime.Serialization;

[Serializable]
public class PersonBad : ISerializable
{
    public int Age;

    public PersonBad(int age)
    {
        if (age < 0)
            throw new ArgumentException(nameof(age));
        Age = age;
    }

    // Deserialization constructor: the formatter calls this instead of
    // PersonBad(int), so the check above never runs for serialized input.
    protected PersonBad(SerializationInfo info, StreamingContext context)
    {
        Age = info.GetInt32("age"); // BAD - write is unsafe
    }

    // Serialization: writes the field to the stream.
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("age", Age);
    }
}
```
Fix this by adding the validation to the deserialization method, as follows:
```csharp
using System;
using System.Runtime.Serialization;

[Serializable]
public class PersonGood : ISerializable
{
    public int Age;

    public PersonGood(int age)
    {
        if (age < 0)
            throw new ArgumentException(nameof(age));
        Age = age;
    }

    // Deserialization constructor: repeats the constructor's check before
    // the field is written, so invalid serialized data is rejected.
    protected PersonGood(SerializationInfo info, StreamingContext context)
    {
        int age = info.GetInt32("age");
        if (age < 0)
            throw new SerializationException(nameof(Age));
        Age = age; // GOOD - write is safe
    }

    // Serialization: writes the field to the stream.
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("age", Age);
    }
}
```
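The following is an added example, not part of the CodeQL query help, that generalizes the fix above to both ways a [Serializable] type can be rehydrated. The class names Person and Employee, the "age" entry name, and the Main harness are assumptions chosen for illustration. It keeps a single validation rule that every population path shares, and it shows that a type without ISerializable gets no constructor call at all, so its check must live in an [OnDeserialized] callback. Main builds a SerializationInfo by hand (a constructed stand-in for what a formatter would supply) and confirms that a negative age is rejected on the deserialization path.

```csharp
using System;
using System.Runtime.Serialization;

// Added example: Person and the "age" entry name are assumptions, not from the query help.
[Serializable]
public sealed class Person : ISerializable
{
    public int Age { get; private set; }

    public Person(int age)
    {
        if (!IsValidAge(age))
            throw new ArgumentOutOfRangeException(nameof(age), "Age must be non-negative");
        Age = age;
    }

    // Deserialization constructor: formatters call this instead of Person(int),
    // so the constructor's check is bypassed unless it is repeated here.
    // (internal rather than the conventional private only so Main can call it.)
    internal Person(SerializationInfo info, StreamingContext context)
    {
        int age = info.GetInt32("age");
        if (!IsValidAge(age))
            throw new SerializationException("Serialized " + nameof(Age) + " is out of range");
        Age = age;
    }

    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("age", Age);
    }

    // Single source of truth for the rule, shared by both entry points.
    private static bool IsValidAge(int age) => age >= 0;
}

// A [Serializable] type that does not implement ISerializable has its fields set
// directly by the formatter; no constructor runs. Validation then belongs in an
// [OnDeserialized] callback, which the formatter invokes once every field is populated.
[Serializable]
public sealed class Employee
{
    public int Age;

    public Employee(int age)
    {
        if (age < 0)
            throw new ArgumentOutOfRangeException(nameof(age));
        Age = age;
    }

    [OnDeserialized]
    private void ValidateAfterDeserialize(StreamingContext context)
    {
        if (Age < 0)
            throw new SerializationException("Serialized " + nameof(Age) + " is out of range");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed payload standing in for what a formatter would hand the
        // deserialization constructor: a negative age the public constructor rejects.
        var info = new SerializationInfo(typeof(Person), new FormatterConverter());
        info.AddValue("age", -1);

        try
        {
            var p = new Person(info, default);
            Console.WriteLine("Unexpected: accepted age " + p.Age);
        }
        catch (SerializationException e)
        {
            Console.WriteLine("Rejected during deserialization: " + e.Message);
        }
    }
}
```

Keeping the rule in one helper (IsValidAge) is what makes this query stop firing for the right reason: the constructor and the deserialization path cannot drift apart, and a reviewer can see at a glance that every write to Age goes through the same check. For the callback variant, the exception type matters: throwing SerializationException from the [OnDeserialized] method surfaces the rejection to the caller of the formatter rather than leaving a partially populated object in place.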