| 属性 | 值 | 
|---|---|
| 规则 ID | CA2312 | 
| 标题 | 确保在反序列化之前设置 NetDataContractSerializer.Binder | 
| 类别 | 安全性 | 
| 修复是中断修复还是非中断修复 | 非中断 | 
| 在 .NET 9 中默认启用 | 否 | 
原因
调用或引用了 System.Runtime.Serialization.NetDataContractSerializer 反序列化方法,但 Binder 属性可能为 NULL。
此规则类似于 CA2311,但无法通过分析确定 Binder 是否肯定为 NULL。
默认情况下,此规则会分析整个代码库,但这是可配置的。
警告
使用 SerializationBinder 限制类型无法阻止所有攻击。 有关详细信息,请参阅 BinaryFormatter 安全指南。
规则说明
反序列化不受信任的数据时,会对不安全的反序列化程序造成风险。 攻击者可能会修改序列化数据,使其包含非预期类型,进而注入具有不良副作用的对象。 例如,针对不安全反序列化程序的攻击可以在基础操作系统上执行命令,通过网络进行通信,或删除文件。
此规则会在 System.Runtime.Serialization.NetDataContractSerializer 可能为 NULL 时查找 Binder 反序列化方法调用或引用。 无论 NetDataContractSerializer 属性如何,如果要使用 Binder 禁止任何反序列化,请禁用此规则和 CA2311,并启用规则 CA2310。
NetDataContractSerializer 不安全,无法确保安全。 有关详细信息,请参阅 BinaryFormatter 安全指南。
如何解决冲突
- 改用安全的序列化程序,并且不允许攻击者指定要反序列化的任意类型。 有关详细信息,请参阅首选替代方案。
- 使序列化的数据免被篡改。 序列化后,对序列化的数据进行加密签名。 在反序列化之前,验证加密签名。 保护加密密钥不被泄露,并针对密钥轮换进行设计。
- 此选项使代码容易遭受拒绝服务攻击,以及将来可能会发生的远程代码执行攻击。 有关详细信息,请参阅 BinaryFormatter 安全指南。 限制反序列化的类型。 实现自定义 System.Runtime.Serialization.SerializationBinder。 在反序列化之前,请在所有代码路径中将 Binder属性设置为自定义 SerializationBinder 的实例。 在替代的 BindToType 方法中,如果类型不是预期类型,将引发异常以停止反序列化。
何时禁止显示警告
NetDataContractSerializer 不安全,无法确保安全。
配置代码以进行分析
使用下面的选项来配置代码库的哪些部分要运行此规则。
你可以仅针对此规则、针对适用的所有规则或针对此类别(安全)中适用的所有规则配置这些选项。 有关详细信息,请参阅代码质量规则配置选项。
排除特定符号
你可以通过设置 excluded_symbol_names 选项从分析中排除特定符号,例如类型和方法。 例如,若要指定规则不应针对名为 MyType 的类型中的任何代码运行,请将以下键值对添加到项目中的 .editorconfig 文件:
dotnet_code_quality.CAXXXX.excluded_symbol_names = MyType
注意
将 CAXXXX 的 XXXX 部分替换为适用规则的 ID。
选项值中允许的符号名称格式(用 | 分隔):
- 仅符号名称(包括具有相应名称的所有符号,不考虑包含的类型或命名空间)。
- 完全限定的名称,使用符号的文档 ID 格式。 每个符号名称都需要带有一个符号类型前缀,例如表示方法的 M:、表示类型的T:,以及表示命名空间的N:。
- .ctor表示构造函数,- .cctor表示静态构造函数。
示例:
| 选项值 | 总结 | 
|---|---|
| dotnet_code_quality.CAXXXX.excluded_symbol_names = MyType | 匹配名为 MyType的所有符号。 | 
| dotnet_code_quality.CAXXXX.excluded_symbol_names = MyType1|MyType2 | 匹配名为 MyType1或MyType2的所有符号。 | 
| dotnet_code_quality.CAXXXX.excluded_symbol_names = M:NS.MyType.MyMethod(ParamType) | 匹配带有指定的完全限定签名的特定方法 MyMethod。 | 
| dotnet_code_quality.CAXXXX.excluded_symbol_names = M:NS1.MyType1.MyMethod1(ParamType)|M:NS2.MyType2.MyMethod2(ParamType) | 匹配带有各自的完全限定签名的特定方法 MyMethod1和MyMethod2。 | 
排除特定类型及其派生类型
你可以通过设置 excluded_type_names_with_derived_types 选项从分析中排除特定类型及其派生类型。 例如,若要指定规则不应针对名为 MyType 的类型及其派生类型中的任何代码运行,请将以下键值对添加到项目中的 .editorconfig 文件:
dotnet_code_quality.CAXXXX.excluded_type_names_with_derived_types = MyType
注意
将 CAXXXX 的 XXXX 部分替换为适用规则的 ID。
选项值中允许的符号名称格式(用 | 分隔):
- 仅类型名称(包括具有相应名称的所有类型,不考虑包含的类型或命名空间)。
- 完全限定的名称,使用符号的文档 ID 格式,前缀为 T:(可选)。
示例:
| 选项值 | 总结 | 
|---|---|
| dotnet_code_quality.CAXXXX.excluded_type_names_with_derived_types = MyType | 匹配名为 MyType的所有类型及其所有派生类型。 | 
| dotnet_code_quality.CAXXXX.excluded_type_names_with_derived_types = MyType1|MyType2 | 匹配名为 MyType1或MyType2的所有类型及其所有派生类型。 | 
| dotnet_code_quality.CAXXXX.excluded_type_names_with_derived_types = M:NS.MyType | 匹配带有给定的完全限定名称的特定类型 MyType及其所有派生类型。 | 
| dotnet_code_quality.CAXXXX.excluded_type_names_with_derived_types = M:NS1.MyType1|M:NS2.MyType2 | 匹配带有各自的完全限定名称的特定类型 MyType1和MyType2及其所有派生类型。 | 
伪代码示例
冲突 1
using System;
using System.IO;
using System.Runtime.Serialization;
public class BookRecordSerializationBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        // One way to discover expected types is through testing deserialization
        // of **valid** data and logging the types used.
        ////Console.WriteLine($"BindToType('{assemblyName}', '{typeName}')");
        if (typeName == "BookRecord")
        {
            return typeof(BookRecord);
        }
        else if (typeName == "AisleLocation")
        {
            return typeof(AisleLocation);
        }
        else
        {
            throw new ArgumentException("Unexpected type", nameof(typeName));
        }
    }
}
[DataContract]
public class BookRecord
{
    [DataMember]
    public string Title { get; set; }
    [DataMember]
    public AisleLocation Location { get; set; }
}
[DataContract]
public class AisleLocation
{
    [DataMember]
    public char Aisle { get; set; }
    [DataMember]
    public byte Shelf { get; set; }
}
public class Binders
{
    public static SerializationBinder BookRecord = new BookRecordSerializationBinder();
}
public class ExampleClass
{
    public BookRecord DeserializeBookRecord(byte[] bytes)
    {
        NetDataContractSerializer serializer = new NetDataContractSerializer();
        serializer.Binder = Binders.BookRecord;
        using (MemoryStream ms = new MemoryStream(bytes))
        {
            return (BookRecord) serializer.Deserialize(ms);
        }
    }
}
Imports System
Imports System.IO
Imports System.Runtime.Serialization
Public Class BookRecordSerializationBinder
    Inherits SerializationBinder
    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        ' One way to discover expected types is through testing deserialization
        ' of **valid** data and logging the types used.
        'Console.WriteLine($"BindToType('{assemblyName}', '{typeName}')")
        If typeName = "BinaryFormatterVB.BookRecord" Then
            Return GetType(BookRecord)
        Else If typeName = "BinaryFormatterVB.AisleLocation" Then
            Return GetType(AisleLocation)
        Else
            Throw New ArgumentException("Unexpected type", NameOf(typeName))
        End If
    End Function
End Class
<DataContract()>
Public Class BookRecord
    <DataMember()>
    Public Property Title As String
    <DataMember()>
    Public Property Location As AisleLocation
End Class
<DataContract()>
Public Class AisleLocation
    <DataMember()>
    Public Property Aisle As Char
    <DataMember()>
    Public Property Shelf As Byte
End Class
Public Class Binders
    Public Shared Property BookRecord As SerializationBinder = New BookRecordSerializationBinder()
End Class
Public Class ExampleClass
    Public Function DeserializeBookRecord(bytes As Byte()) As BookRecord
        Dim serializer As NetDataContractSerializer = New NetDataContractSerializer()
        serializer.Binder = Binders.BookRecord
        Using ms As MemoryStream = New MemoryStream(bytes)
            Return CType(serializer.Deserialize(ms), BookRecord)   ' CA2312 violation
        End Using
    End Function
End Class
解决方案 1
using System;
using System.IO;
using System.Runtime.Serialization;
public class BookRecordSerializationBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        // One way to discover expected types is through testing deserialization
        // of **valid** data and logging the types used.
        ////Console.WriteLine($"BindToType('{assemblyName}', '{typeName}')");
        if (typeName == "BookRecord")
        {
            return typeof(BookRecord);
        }
        else if (typeName == "AisleLocation")
        {
            return typeof(AisleLocation);
        }
        else
        {
            throw new ArgumentException("Unexpected type", nameof(typeName));
        }
    }
}
[DataContract]
public class BookRecord
{
    [DataMember]
    public string Title { get; set; }
    [DataMember]
    public AisleLocation Location { get; set; }
}
[DataContract]
public class AisleLocation
{
    [DataMember]
    public char Aisle { get; set; }
    [DataMember]
    public byte Shelf { get; set; }
}
public class Binders
{
    public static SerializationBinder BookRecord = new BookRecordSerializationBinder();
}
public class ExampleClass
{
    public BookRecord DeserializeBookRecord(byte[] bytes)
    {
        NetDataContractSerializer serializer = new NetDataContractSerializer();
        // Ensure that Binder is always non-null before deserializing
        serializer.Binder = Binders.BookRecord ?? throw new Exception("Expected non-null");
        using (MemoryStream ms = new MemoryStream(bytes))
        {
            return (BookRecord) serializer.Deserialize(ms);
        }
    }
}
Imports System
Imports System.IO
Imports System.Runtime.Serialization
Public Class BookRecordSerializationBinder
    Inherits SerializationBinder
    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        ' One way to discover expected types is through testing deserialization
        ' of **valid** data and logging the types used.
        'Console.WriteLine($"BindToType('{assemblyName}', '{typeName}')")
        If typeName = "BinaryFormatterVB.BookRecord" Then
            Return GetType(BookRecord)
        Else If typeName = "BinaryFormatterVB.AisleLocation" Then
            Return GetType(AisleLocation)
        Else
            Throw New ArgumentException("Unexpected type", NameOf(typeName))
        End If
    End Function
End Class
<DataContract()>
Public Class BookRecord
    <DataMember()>
    Public Property Title As String
    <DataMember()>
    Public Property Location As AisleLocation
End Class
<DataContract()>
Public Class AisleLocation
    <DataMember()>
    Public Property Aisle As Char
    <DataMember()>
    Public Property Shelf As Byte
End Class
Public Class Binders
    Public Shared Property BookRecord As SerializationBinder = New BookRecordSerializationBinder()
End Class
Public Class ExampleClass
    Public Function DeserializeBookRecord(bytes As Byte()) As BookRecord
        Dim serializer As NetDataContractSerializer = New NetDataContractSerializer()
        ' Ensure that Binder is always non-null before deserializing
        serializer.Binder = If(Binders.BookRecord, New Exception("Expected non-null"))
        Using ms As MemoryStream = New MemoryStream(bytes)
            Return CType(serializer.Deserialize(ms), BookRecord)
        End Using
    End Function
End Class
冲突 2
using System;
using System.IO;
using System.Runtime.Serialization;
[DataContract]
public class BookRecord
{
    [DataMember]
    public string Title { get; set; }
    [DataMember]
    public string Author { get; set; }
    [DataMember]
    public int PageCount { get; set; }
    [DataMember]
    public AisleLocation Location { get; set; }
}
[DataContract]
public class AisleLocation
{
    [DataMember]
    public char Aisle { get; set; }
    [DataMember]
    public byte Shelf { get; set; }
}
public class ExampleClass
{
    public NetDataContractSerializer Serializer { get; set; }
    public BookRecord DeserializeBookRecord(byte[] bytes)
    {
        using (MemoryStream ms = new MemoryStream(bytes))
        {
            return (BookRecord) this.Serializer.Deserialize(ms);    // CA2312 violation
        }
    }
}
Imports System
Imports System.IO
Imports System.Runtime.Serialization
<DataContract()>
Public Class BookRecord
    <DataMember()>
    Public Property Title As String
    <DataMember()>
    Public Property Author As String
    <DataMember()>
    Public Property Location As AisleLocation
End Class
<DataContract()>
Public Class AisleLocation
    <DataMember()>
    Public Property Aisle As Char
    <DataMember()>
    Public Property Shelf As Byte
End Class
Public Class ExampleClass
    Public Property Serializer As NetDataContractSerializer
    Public Function DeserializeBookRecord(bytes As Byte()) As BookRecord
        Using ms As MemoryStream = New MemoryStream(bytes)
            Return CType(Me.Serializer.Deserialize(ms), BookRecord)    ' CA2312 violation
        End Using
    End Function
End Class
解决方案 2
using System;
using System.IO;
using System.Runtime.Serialization;
public class BookRecordSerializationBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        // One way to discover expected types is through testing deserialization
        // of **valid** data and logging the types used.
        ////Console.WriteLine($"BindToType('{assemblyName}', '{typeName}')");
        if (typeName == "BookRecord")
        {
            return typeof(BookRecord);
        }
        else if (typeName == "AisleLocation")
        {
            return typeof(AisleLocation);
        }
        else
        {
            throw new ArgumentException("Unexpected type", nameof(typeName));
        }
    }
}
[DataContract]
public class BookRecord
{
    [DataMember]
    public string Title { get; set; }
    [DataMember]
    public string Author { get; set; }
    [DataMember]
    public int PageCount { get; set; }
    [DataMember]
    public AisleLocation Location { get; set; }
}
[DataContract]
public class AisleLocation
{
    [DataMember]
    public char Aisle { get; set; }
    [DataMember]
    public byte Shelf { get; set; }
}
public class ExampleClass
{
    public BookRecord DeserializeBookRecord(byte[] bytes)
    {
        NetDataContractSerializer serializer = new NetDataContractSerializer();
        serializer.Binder = new BookRecordSerializationBinder();
        using (MemoryStream ms = new MemoryStream(bytes))
        {
            return (BookRecord) serializer.Deserialize(ms);
        }
    }
}
Imports System
Imports System.IO
Imports System.Runtime.Serialization
Public Class BookRecordSerializationBinder
    Inherits SerializationBinder
    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        ' One way to discover expected types is through testing deserialization
        ' of **valid** data and logging the types used.
        'Console.WriteLine($"BindToType('{assemblyName}', '{typeName}')")
        If typeName = "BinaryFormatterVB.BookRecord" Then
            Return GetType(BookRecord)
        Else If typeName = "BinaryFormatterVB.AisleLocation" Then
            Return GetType(AisleLocation)
        Else
            Throw New ArgumentException("Unexpected type", NameOf(typeName))
        End If
    End Function
End Class
<DataContract()>
Public Class BookRecord
    <DataMember()>
    Public Property Title As String
    <DataMember()>
    Public Property Author As String
    <DataMember()>
    Public Property Location As AisleLocation
End Class
<DataContract()>
Public Class AisleLocation
    <DataMember()>
    Public Property Aisle As Char
    <DataMember()>
    Public Property Shelf As Byte
End Class
Public Class ExampleClass
    Public Function DeserializeBookRecord(bytes As Byte()) As BookRecord
        Dim serializer As NetDataContractSerializer = New NetDataContractSerializer()
        serializer.Binder = New BookRecordSerializationBinder()
        Using ms As MemoryStream = New MemoryStream(bytes)
            Return CType(serializer.Deserialize(ms), BookRecord)
        End Using
    End Function
End Class