MicrosoftDocs
diff --git a/‎docs/code-quality/ca2300-do-not-use-insecure-deserializer-binaryformatter.md
Lines changed: 6 additions & 3 deletions b/‎docs/code-quality/ca2300-do-not-use-insecure-deserializer-binaryformatter.md
Lines changed: 6 additions & 3 deletions
diff --git a/‎docs/code-quality/ca2301-do-not-call-binaryformatter-deserialize-without-first-setting-binaryformatter-binder.md
Lines changed: 6 additions & 3 deletions b/‎docs/code-quality/ca2301-do-not-call-binaryformatter-deserialize-without-first-setting-binaryformatter-binder.md
Lines changed: 6 additions & 3 deletions
diff --git a/‎docs/code-quality/ca2302-ensure-binaryformatter-binder-is-set-before-calling-binaryformatter-deserialize.md
Lines changed: 6 additions & 3 deletions b/‎docs/code-quality/ca2302-ensure-binaryformatter-binder-is-set-before-calling-binaryformatter-deserialize.md
Lines changed: 6 additions & 3 deletions
diff --git a/‎docs/code-quality/ca2305-do-not-use-insecure-deserializer-losformatter.md
Lines changed: 72 additions & 0 deletions b/‎docs/code-quality/ca2305-do-not-use-insecure-deserializer-losformatter.md
Lines changed: 72 additions & 0 deletions
diff --git a/‎docs/code-quality/ca2310-do-not-use-insecure-deserializer-netdatacontractserializer.md
Lines changed: 87 additions & 0 deletions b/‎docs/code-quality/ca2310-do-not-use-insecure-deserializer-netdatacontractserializer.md
Lines changed: 87 additions & 0 deletions
@@ -10,6 +10,9 @@ dev_langs:
  - VB
 ms.workload:
   - "multiple"
+f1_keywords:
+  - "CA2300"
+  - "DoNotUseInsecureDeserializerBinaryFormatter"
 ---
 # CA2300: Do not use insecure deserializer BinaryFormatter
 
@@ -37,10 +40,10 @@ This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryForma
   - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
   - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
   - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
-  - NewtonSoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
+  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
   - Protocol Buffers
-- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed, and design for key rotations.
-- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected then throw an exception.
+- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
+- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception.
 - If you restrict deserialized types, you may want to disable this rule and enable rules [CA2301](ca2301-do-not-call-binaryformatter-deserialize-without-first-setting-binaryformatter-binder.md) and [CA2302](ca2302-ensure-binaryformatter-binder-is-set-before-calling-binaryformatter-deserialize.md). Rules [CA2301](ca2301-do-not-call-binaryformatter-deserialize-without-first-setting-binaryformatter-binder.md) and [CA2302](ca2302-ensure-binaryformatter-binder-is-set-before-calling-binaryformatter-deserialize.md) help to ensure that the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property is always set before deserializing.
 
 ## When to suppress warnings
 
@@ -10,6 +10,9 @@ dev_langs:
  - VB
 ms.workload:
   - "multiple"
+f1_keywords:
+  - "CA2301"
+  - "DoNotCallBinaryFormatterDeserializeWithoutFirstSettingBinaryFormatterBinder"
 ---
 # CA2301: Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder
 
@@ -37,10 +40,10 @@ This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryForma
   - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
   - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
   - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
-  - NewtonSoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
+  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
   - Protocol Buffers
-- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed, and design for key rotations.
-- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected then throw an exception.
+- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
+- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception.
 
 ## When to suppress warnings
 
 
@@ -10,6 +10,9 @@ dev_langs:
  - VB
 ms.workload:
   - "multiple"
+f1_keywords:
+  - "CA2302"
+  - "EnsureBinaryFormatterBinderIsSetBeforeCallingBinaryFormatterDeserialize"
 ---
 # CA2302: Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize
 
@@ -37,10 +40,10 @@ This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryForma
   - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
   - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
   - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
-  - NewtonSoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
+  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
   - Protocol Buffers
-- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed, and design for key rotations.
-- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected then throw an exception.
+- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
+- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception.
   - Ensure that all code paths have the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property set.
 
 ## When to suppress warnings
 
@@ -0,0 +1,72 @@
+---
+title: "CA2305: Do not use insecure deserializer LosFormatter"
+ms.date: 05/01/2019
+ms.topic: reference
+author: dotpaul
+ms.author: paulming
+manager: jillfra
+dev_langs:
+ - CSharp
+ - VB
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA2305"
+  - "DoNotUseInsecureDeserializerLosFormatter"
+---
+# CA2305: Do not use insecure deserializer LosFormatter
+
+|||
+|-|-|
+|TypeName|DoNotUseInsecureDeserializerLosFormatter|
+|CheckId|CA2305|
+|Category|Microsoft.Security|
+|Breaking Change|Non Breaking|
+
+## Cause
+
+A <xref:System.Web.UI.LosFormatter?displayProperty=nameWithType> deserialization method was called or referenced.
+
+## Rule description
+
+[!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]
+
+This rule finds <xref:System.Web.UI.LosFormatter?displayProperty=nameWithType> deserialization method calls or references.
+
+## How to fix violations
+
+[!INCLUDE[insecure-deserializers-fixes-for-always-insecure-deserializers](includes/insecure-deserializers-fixes-for-always-insecure-deserializers-md.md)]
+
+## When to suppress warnings
+
+[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
+
+## Pseudo-code examples
+
+### Violation
+
+```csharp
+using System.IO;
+using System.Web.UI;
+
+public class ExampleClass
+{
+    public object MyDeserialize(byte[] bytes)
+    {
+        LosFormatter formatter = new LosFormatter();
+        return formatter.Deserialize(new MemoryStream(bytes));
+    }
+}
+```
+
+```vb
+Imports System.IO
+Imports System.Web.UI
+
+Public Class ExampleClass
+    Public Function MyDeserialize(bytes As Byte()) As Object
+        Dim formatter As LosFormatter = New LosFormatter()
+        Return formatter.Deserialize(New MemoryStream(bytes))
+    End Function
+End Class
+```
@@ -0,0 +1,87 @@
+---
+title: "CA2310: Do not use insecure deserializer NetDataContractSerializer"
+ms.date: 05/01/2019
+ms.topic: reference
+author: dotpaul
+ms.author: paulming
+manager: jillfra
+dev_langs:
+ - CSharp
+ - VB
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA2310"
+  - "DoNotUseInsecureDeserializerNetDataContractSerializer"
+---
+# CA2310: Do not use insecure deserializer NetDataContractSerializer
+
+|||
+|-|-|
+|TypeName|DoNotUseInsecureDeserializerNetDataContractSerializer|
+|CheckId|CA2310|
+|Category|Microsoft.Security|
+|Breaking Change|Non Breaking|
+
+## Cause
+
+A <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method was called or referenced.
+
+## Rule description
+
+[!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]
+
+This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references. If you want to deserialize only when the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is set to restrict types, disable this rule and enable rules [CA2311](ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder.md) and [CA2312](ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing.md) instead.
+
+## How to fix violations
+
+- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
+  - <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
+  - <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
+  - <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
+  - <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
+  - Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
+  - Protocol Buffers
+- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
+- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.NetDataContractSerializer>, set the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception.
+- If you restrict deserialized types, you may want to disable this rule and enable rules [CA2311](ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder.md) and [CA2312](ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing.md). Rules [CA2311](ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder.md) and [CA2312](ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing.md) help to ensure that the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is always set before deserializing.
+
+## When to suppress warnings
+
+[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
+
+## Pseudo-code examples
+
+### Violation
+
+```csharp
+using System.IO;
+using System.Runtime.Serialization;
+
+public class ExampleClass
+{
+    public object MyDeserialize(byte[] bytes)
+    {
+        NetDataContractSerializer serializer = new NetDataContractSerializer();
+        return serializer.Deserialize(new MemoryStream(bytes));
+    }
+}
+```
+
+```vb
+Imports System.IO
+Imports System.Runtime.Serialization
+
+Public Class ExampleClass
+    Public Function MyDeserialize(bytes As Byte()) As Object
+        Dim serializer As NetDataContractSerializer = New NetDataContractSerializer()
+        Return serializer.Deserialize(New MemoryStream(bytes))
+    End Function
+End Class
+```
+
+## Related rules
+
+[CA2311: Do not deserialize without first setting NetDataContractSerializer.Binder](ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder.md)
+
+[CA2312: Ensure NetDataContractSerializer.Binder is set before deserializing](ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing.md)