org.sonar.plugins.csharp.S4212.html Maven / Gradle / Ivy
This rule is deprecated, and will eventually be removed.
Why is this an issue?
Because serialization constructors allocate and initialize objects, security checks that are present on regular constructors must also be present
on a serialization constructor. Failure to do so would allow callers that could not otherwise create an instance to use the serialization constructor
to do this.
This rule raises an issue when a type implements the System.Runtime.Serialization.ISerializable
interface, is not a delegate or
interface, is declared in an assembly that allows partially trusted callers and has a constructor that takes a
System.Runtime.Serialization.SerializationInfo
object and a System.Runtime.Serialization.StreamingContext
object which is
not secured by a security check, but one or more of the regular constructors in the type is secured.
Noncompliant code example
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Permissions;
[assembly: AllowPartiallyTrustedCallersAttribute()]
namespace MyLibrary
{
[Serializable]
public class Foo : ISerializable
{
private int n;
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
public Foo()
{
n = -1;
}
protected Foo(SerializationInfo info, StreamingContext context) // Noncompliant
{
n = (int)info.GetValue("n", typeof(int));
}
void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
{
info.AddValue("n", n);
}
}
}
Compliant solution
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Permissions;
[assembly: AllowPartiallyTrustedCallersAttribute()]
namespace MyLibrary
{
[Serializable]
public class Foo : ISerializable
{
private int n;
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
public Foo()
{
n = -1;
}
[FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]
protected Foo(SerializationInfo info, StreamingContext context)
{
n = (int)info.GetValue("n", typeof(int));
}
void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
{
info.AddValue("n", n);
}
}
}
Resources