Merge pull request #6862 from Rick-Anderson/patch-1

Binary formatter not secure

Author: megvanhuygen

docs/code-quality/ca2300.md

@@ -1,6 +1,6 @@
 ---
 title: "CA2300: Do not use insecure deserializer BinaryFormatter"
-ms.date: 04/05/2019
+ms.date: 07/15/2020
 ms.topic: reference
 author: dotpaul
 ms.author: paulming
@@ -30,24 +30,17 @@ A <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter?displayPr
 
 [!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]
 
-This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter?displayProperty=nameWithType> deserialization method calls or references. If you want to deserialize only when the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property is set to restrict types, disable this rule and enable rules [CA2301](ca2301.md) and [CA2302](ca2302.md) instead.
+This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter?displayProperty=nameWithType> deserialization method calls or references. If you want to deserialize only when the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property is set to restrict types, disable this rule and enable rules [CA2301](ca2301.md) and [CA2302](ca2302.md) instead. Limiting which types can be deserialized can help mitigate against known remote code execution attacks, but your deserialization will still be vulnerable to denial of service attacks.
+
+[!INCLUDE[binaryformatter](includes/binaryformatter.md)]
 
 ## How to fix violations
 
-- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
-  - <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
-  - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
-  - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
-  - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
-  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
-  - Protocol Buffers
-- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
-- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception to stop deserialization.
-  - If you restrict deserialized types, you may want to disable this rule and enable rules [CA2301](ca2301.md) and [CA2302](ca2302.md). Rules [CA2301](ca2301.md) and [CA2302](ca2302.md) help to ensure that the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property is always set before deserializing.
+[!INCLUDE[fix-binaryformatter](includes/fix-binaryformatter-serializationbinder.md)]
 
 ## When to suppress warnings
 
-[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
+[!INCLUDE[cannot-secure-binaryformatter](includes/cannot-secure-binaryformatter.md)]
 
 ## Pseudo-code examples
 

docs/code-quality/ca2301.md

@@ -1,6 +1,6 @@
 ---
 title: "CA2301: Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder"
-ms.date: 04/05/2019
+ms.date: 07/15/2020
 ms.topic: reference
 author: dotpaul
 ms.author: paulming
@@ -28,27 +28,24 @@ A <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter?displayPr
 
 By default, this rule analyzes the entire codebase, but this is [configurable](#configurability).
 
+> [!WARNING]
+> Restricting types with a SerializationBinder can't prevent all attacks. For more information, see the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).
+
 ## Rule description
 
 [!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]
 
 This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter?displayProperty=nameWithType> deserialization method calls or references, when <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter> doesn't have its <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> set. If you want to disallow any deserialization with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter> regardless of the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property, disable this rule and [CA2302](ca2302.md), and enable rule [CA2300](ca2300.md).
 
+
 ## How to fix violations
 
-- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
-  - <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
-  - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
-  - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
-  - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
-  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
-  - Protocol Buffers
-- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
-- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception to stop deserialization.
+
+[!INCLUDE[fix-binaryformatter-serializationbinder](includes/fix-binaryformatter-serializationbinder.md)]
 
 ## When to suppress warnings
 
-[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
+`BinaryFormatter` is insecure and can't be made secure.
 
 ## Configurability
 

docs/code-quality/ca2302.md

@@ -1,6 +1,6 @@
 ---
 title: "CA2302: Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize"
-ms.date: 04/05/2019
+ms.date: 07/15/2020
 ms.topic: reference
 author: dotpaul
 ms.author: paulming
@@ -30,28 +30,23 @@ This rule is similar to [CA2301](ca2301.md), but analysis can't determine if the
 
 By default, this rule analyzes the entire codebase, but this is [configurable](#configurability).
 
+> [!WARNING]
+> Restricting types with a SerializationBinder can't prevent all attacks. For more information, see the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).
+
 ## Rule description
 
 [!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]
 
 This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter?displayProperty=nameWithType> deserialization method calls or references when the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> might be null. If you want to disallow any deserialization with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter> regardless of the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property, disable this rule and [CA2301](ca2301.md), and enable rule [CA2300](ca2300.md).
 
+
 ## How to fix violations
 
-- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
-  - <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
-  - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
-  - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
-  - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
-  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
-  - Protocol Buffers
-- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
-- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception to stop deserialization.
-  - Ensure that all code paths have the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property set.
+[!INCLUDE[fix-binaryformatter-serializationbinder](includes/fix-binaryformatter-serializationbinder.md)]
 
 ## When to suppress warnings
 
-[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
+[!INCLUDE[cannot-secure-binaryformatter](includes/cannot-secure-binaryformatter.md)]
 
 ## Configurability
 

docs/code-quality/ca2305.md

@@ -32,13 +32,16 @@ A <xref:System.Web.UI.LosFormatter?displayProperty=nameWithType> deserialization
 
 This rule finds <xref:System.Web.UI.LosFormatter?displayProperty=nameWithType> deserialization method calls or references.
 
+`LosFormatter` is insecure and can't be made secure. For more information, see the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).
+
 ## How to fix violations
 
-[!INCLUDE[insecure-deserializers-fixes-for-always-insecure-deserializers](includes/insecure-deserializers-fixes-for-always-insecure-deserializers-md.md)]
+- Use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. For more information see the [Preferred alternatives](/dotnet/standard/serialization/binaryformatter-security-guide#preferred-alternatives).
+- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
 
 ## When to suppress warnings
 
-[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
+`LosFormatter` is insecure and can't be made secure.
 
 ## Pseudo-code examples
 

docs/code-quality/ca2310.md

@@ -30,24 +30,17 @@ A <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=n
 
 [!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]
 
-This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references. If you want to deserialize only when the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is set to restrict types, disable this rule and enable rules [CA2311](ca2311.md) and [CA2312](ca2312.md) instead.
+This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references. If you want to deserialize only when the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is set to restrict types, disable this rule and enable rules [CA2311](ca2311.md) and [CA2312](ca2312.md) instead. Limiting which types can be deserialized can help mitigate against known remote code execution attacks, but your deserialization will still be vulnerable to denial of service attacks.
+
+`NetDataContractSerializer` is insecure and can't be made secure. For more information, see the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).
 
 ## How to fix violations
 
-- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
-  - <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
-  - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
-  - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
-  - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
-  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
-  - Protocol Buffers
-- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
-- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.NetDataContractSerializer>, set the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception to stop deserialization.
-  - If you restrict deserialized types, you may want to disable this rule and enable rules [CA2311](ca2311.md) and [CA2312](ca2312.md). Rules [CA2311](ca2311.md) and [CA2312](ca2312.md) help to ensure that the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is always set before deserializing.
+[!INCLUDE[fix-binaryformatter-serializationbinder](includes/fix-binaryformatter-serializationbinder.md)]
 
 ## When to suppress warnings
 
-[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
+`NetDataContractSerializer` is insecure and can't be made secure.
 
 ## Pseudo-code examples
 

docs/code-quality/ca2311.md

@@ -28,27 +28,23 @@ A <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=n
 
 By default, this rule analyzes the entire codebase, but this is [configurable](#configurability).
 
+> [!WARNING]
+> Restricting types with a SerializationBinder can't prevent all attacks. For more information, see the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).
+
 ## Rule description
 
 [!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]
 
 This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references, when <xref:System.Runtime.Serialization.NetDataContractSerializer> doesn't have its <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> set. If you want to disallow any deserialization with <xref:System.Runtime.Serialization.NetDataContractSerializer> regardless of the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property, disable this rule and [CA2312](ca2312.md), and enable rule [CA2310](ca2310.md).
 
+
 ## How to fix violations
 
-- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
-  - <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
-  - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
-  - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
-  - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
-  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
-  - Protocol Buffers
-- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
-- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.NetDataContractSerializer>, set the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception to stop deserialization.
+[!INCLUDE[fix-binaryformatter-serializationbinder](includes/fix-binaryformatter-serializationbinder.md)]
 
 ## When to suppress warnings
 
-[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
+`NetDataContractSerializer` is insecure and can't be made secure.
 
 ## Configurability