
Fix git push error for protected CLA branch #3208


Merged
merged 33 commits into from
May 6, 2019
7c3bc0e
TOC preview - set to true
ghogen Apr 12, 2019
97dc3df
Merge branch 'master' of github.com:MicrosoftDocs/visualstudio-docs-pr
ghogen Apr 22, 2019
4bcd5da
Start working on debug/edit topic
ghogen Apr 25, 2019
d334cc2
add minimum version
gewarren Apr 30, 2019
02f9ecf
add 16.0.3 data
TerryGLee Apr 30, 2019
02b8b78
Replace backtick with HTML code to fix localization build issue
May 1, 2019
21dd14d
More deserialization rules
dotpaul May 1, 2019
f2669f0
Updating TOC and security rules list
dotpaul May 1, 2019
f0d7d14
initial draft - How to view and diagnose containers
ghogen May 2, 2019
934071a
set moniker range
ghogen May 2, 2019
5f67da0
add Logs screenshot
ghogen May 2, 2019
a492a1c
Apply suggestions from code review
gewarren May 2, 2019
c9fc8de
More review feedback
dotpaul May 2, 2019
fb83ba2
Use the correct sample VB code for CA2311 instead of incorrect sample…
dotpaul May 2, 2019
359036c
remove section that wasn't complete yet
ghogen May 2, 2019
36cff3a
Mike's feedback
ghogen May 2, 2019
7c4fc22
toc work
ghogen May 2, 2019
244e7ec
add new image
ghogen May 2, 2019
d774af0
Hani's feedback
ghogen May 3, 2019
7bc43a1
change wording slightly
ghogen May 3, 2019
4f37e6d
feedback incorporated
ghogen May 3, 2019
d73fed9
Update code-analysis-for-c-cpp-overview.md
May 3, 2019
7316ff5
Acrolinx fix, remove colon in H1 per Microsoft style
ktoliver May 3, 2019
643e67e
Revert "TOC preview - set to true"
ghogen May 3, 2019
8668293
Merge branch 'container-tools-window' of github.com:ghogen/vsdocs int…
ghogen May 3, 2019
df75071
Merge pull request #4550 from dotpaul/MoreDeserializationRules
ShannonLeavitt May 6, 2019
6a759b0
Merge pull request #4552 from ghogen/container-tools-window
ShannonLeavitt May 6, 2019
df6066d
Merge pull request #4554 from craigcaseyMSFT/patch-1
PRMerger7 May 6, 2019
9d5f29f
Merge pull request #4549 from dksimpson/locale-fix-C78759
PRMerger7 May 6, 2019
9453c73
Merge pull request #4548 from TerryGLee/tglee-vsrelease
PRMerger7 May 6, 2019
5768462
Merge pull request #4545 from gewarren/donotload
PRMerger7 May 6, 2019
db30651
Merge pull request #4559 from MicrosoftDocs/master
Taojunshen May 6, 2019
c1d9856
Merging changes synced from https://github.com/MicrosoftDocs/visualst…
gewarren May 6, 2019
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ dev_langs:
- VB
ms.workload:
- "multiple"
f1_keywords:
- "CA2300"
- "DoNotUseInsecureDeserializerBinaryFormatter"
---
# CA2300: Do not use insecure deserializer BinaryFormatter

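Review bot: the second `f1_keywords` entry, `DoNotUseInsecureDeserializerBinaryFormatter`, has to match the rule's `TypeName` exactly for F1 lookup to resolve; it does match the H1 here, but since the same pattern is repeated in the CA2301 and CA2302 files below, a quick check that each keyword string equals the `TypeName` cell of its rule table (as it does in the new CA2305 and CA2310 files) is worth doing before merge.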
Expand Down Expand Up @@ -37,10 +40,10 @@ This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryForma
- <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
- <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
- <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
- NewtonSoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Protocol Buffers
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed, and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected then throw an exception.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception.
- If you restrict deserialized types, you may want to disable this rule and enable rules [CA2301](ca2301-do-not-call-binaryformatter-deserialize-without-first-setting-binaryformatter-binder.md) and [CA2302](ca2302-ensure-binaryformatter-binder-is-set-before-calling-binaryformatter-deserialize.md). Rules [CA2301](ca2301-do-not-call-binaryformatter-deserialize-without-first-setting-binaryformatter-binder.md) and [CA2302](ca2302-ensure-binaryformatter-binder-is-set-before-calling-binaryformatter-deserialize.md) help to ensure that the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property is always set before deserializing.

## When to suppress warnings
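Review bot: the rewritten "Restrict deserialized types" bullet (ending "if the type is unexpected, throw an exception") should say explicitly that the binder must throw rather than return `null`: `BinaryFormatter` treats a `null` result from `BindToType` as "fall back to default binding", so a binder that quietly returns `null` for unknown types restricts nothing. The guidance itself is right; one clause such as "do not return null, which BinaryFormatter treats as permission to resolve the type itself" closes the gap. Minor: the last bullet repeats the full CA2301 and CA2302 link text in two consecutive sentences; the second sentence can just say "Those rules help to ensure that the Binder property is always set before deserializing."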
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ dev_langs:
- VB
ms.workload:
- "multiple"
f1_keywords:
- "CA2301"
- "DoNotCallBinaryFormatterDeserializeWithoutFirstSettingBinaryFormatterBinder"
---
# CA2301: Do not call BinaryFormatter.Deserialize without first setting BinaryFormatter.Binder

Expand Down Expand Up @@ -37,10 +40,10 @@ This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryForma
- <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
- <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
- <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
- NewtonSoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Protocol Buffers
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed, and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected then throw an exception.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception.

## When to suppress warnings

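Review bot: this hunk applies the same four wording fixes as the CA2300 file (Newtonsoft spelling, the dropped comma, "then throw" to "throw"), and the new CA2310 file below carries a third copy of the same bullet list. The new CA2305 file already pulls its fix text from `includes/insecure-deserializers-fixes-for-always-insecure-deserializers-md.md`; a parallel include for the binder-capable deserializers (BinaryFormatter and NetDataContractSerializer) would let the spelling and wording be fixed in one place, with only the deserializer-specific `Binder` xref differing per rule.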
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ dev_langs:
- VB
ms.workload:
- "multiple"
f1_keywords:
- "CA2302"
- "EnsureBinaryFormatterBinderIsSetBeforeCallingBinaryFormatterDeserialize"
---
# CA2302: Ensure BinaryFormatter.Binder is set before calling BinaryFormatter.Deserialize

Expand Down Expand Up @@ -37,10 +40,10 @@ This rule finds <xref:System.Runtime.Serialization.Formatters.Binary.BinaryForma
- <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
- <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
- <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
- NewtonSoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Protocol Buffers
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed, and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected then throw an exception.
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter>, set the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception.
- Ensure that all code paths have the <xref:System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Binder> property set.

## When to suppress warnings
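Review bot: the new bullet "Ensure that all code paths have the Binder property set" is what distinguishes CA2302 from CA2301, but as written it does not tell the reader which paths are easy to miss. Suggest extending it with one clause, e.g. "including paths where the BinaryFormatter instance is created in one method and deserialized in another, or where the same instance is reused", since `Binder` is an instance property that can be left unset on one branch while being set on another.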
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
---
title: "CA2305: Do not use insecure deserializer LosFormatter"
ms.date: 05/01/2019
ms.topic: reference
author: dotpaul
ms.author: paulming
manager: jillfra
dev_langs:
- CSharp
- VB
ms.workload:
- "multiple"
f1_keywords:
- "CA2305"
- "DoNotUseInsecureDeserializerLosFormatter"
---
# CA2305: Do not use insecure deserializer LosFormatter

|||
|-|-|
|TypeName|DoNotUseInsecureDeserializerLosFormatter|
|CheckId|CA2305|
|Category|Microsoft.Security|
|Breaking Change|Non Breaking|

## Cause

A <xref:System.Web.UI.LosFormatter?displayProperty=nameWithType> deserialization method was called or referenced.

## Rule description

[!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]

This rule finds <xref:System.Web.UI.LosFormatter?displayProperty=nameWithType> deserialization method calls or references.

## How to fix violations

[!INCLUDE[insecure-deserializers-fixes-for-always-insecure-deserializers](includes/insecure-deserializers-fixes-for-always-insecure-deserializers-md.md)]

## When to suppress warnings

[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]

## Pseudo-code examples

### Violation

```csharp
using System.IO;
using System.Web.UI;

public class ExampleClass
{
public object MyDeserialize(byte[] bytes)
{
LosFormatter formatter = new LosFormatter();
return formatter.Deserialize(new MemoryStream(bytes));
}
}
```

```vb
Imports System.IO
Imports System.Web.UI

Public Class ExampleClass
Public Function MyDeserialize(bytes As Byte()) As Object
Dim formatter As LosFormatter = New LosFormatter()
Return formatter.Deserialize(New MemoryStream(bytes))
End Function
End Class
```
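Review bot: the page uses the "always insecure" fix include (`insecure-deserializers-fixes-for-always-insecure-deserializers-md.md`) but never says why LosFormatter has no companion CA23x1/CA23x2 "set the Binder" rules the way BinaryFormatter and NetDataContractSerializer do. One sentence under "Rule description" noting that `LosFormatter` exposes no `Binder` property, so there is no supported way to restrict deserialized types, would make both the choice of include and the absence of a "Solution" sample under "Pseudo-code examples" self-explanatory. Otherwise the C# and VB violation samples match each other and the rule's cause.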
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
---
title: "CA2310: Do not use insecure deserializer NetDataContractSerializer"
ms.date: 05/01/2019
ms.topic: reference
author: dotpaul
ms.author: paulming
manager: jillfra
dev_langs:
- CSharp
- VB
ms.workload:
- "multiple"
f1_keywords:
- "CA2310"
- "DoNotUseInsecureDeserializerNetDataContractSerializer"
---
# CA2310: Do not use insecure deserializer NetDataContractSerializer

|||
|-|-|
|TypeName|DoNotUseInsecureDeserializerNetDataContractSerializer|
|CheckId|CA2310|
|Category|Microsoft.Security|
|Breaking Change|Non Breaking|

## Cause

A <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method was called or referenced.

## Rule description

[!INCLUDE[insecure-deserializers-description](includes/insecure-deserializers-description-md.md)]

This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references. If you want to deserialize only when the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is set to restrict types, disable this rule and enable rules [CA2311](ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder.md) and [CA2312](ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing.md) instead.

## How to fix violations

- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
- <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
- <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
- <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
- <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
- Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Protocol Buffers
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.NetDataContractSerializer>, set the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception.
- If you restrict deserialized types, you may want to disable this rule and enable rules [CA2311](ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder.md) and [CA2312](ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing.md). Rules [CA2311](ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder.md) and [CA2312](ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing.md) help to ensure that the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is always set before deserializing.

## When to suppress warnings

[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]

## Pseudo-code examples

### Violation

```csharp
using System.IO;
using System.Runtime.Serialization;

public class ExampleClass
{
public object MyDeserialize(byte[] bytes)
{
NetDataContractSerializer serializer = new NetDataContractSerializer();
return serializer.Deserialize(new MemoryStream(bytes));
}
}
```

```vb
Imports System.IO
Imports System.Runtime.Serialization

Public Class ExampleClass
Public Function MyDeserialize(bytes As Byte()) As Object
Dim serializer As NetDataContractSerializer = New NetDataContractSerializer()
Return serializer.Deserialize(New MemoryStream(bytes))
End Function
End Class
```

## Related rules

[CA2311: Do not deserialize without first setting NetDataContractSerializer.Binder](ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder.md)

[CA2312: Ensure NetDataContractSerializer.Binder is set before deserializing](ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing.md)
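Review bot: the advice to disable this rule and enable CA2311 and CA2312 when restricting types appears twice, once at the end of "Rule description" and again as the last bullet of "How to fix violations", with the same three links each time; keep it in one place (the fix list is the natural home) and let "Related rules" carry the links. Also, `TypeNameHandling.None` and `ISerializationBinder` in the Json.NET bullet are identifiers rendered as plain prose while the neighbouring items use `<xref:>`; since Json.NET is outside the xref system, code formatting for those two names would keep the list visually consistent.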