Fix for Deserialization of Untrusted Data

Question

Monday, December 18, 2017 8:37 AM | 1 vote

Hi,

I have a generic deserialization method in my utility class. Below is the code sample. When we performed a security scan on our code, we got the 'Deserialization of Untrusted Data' vulnerability at Line 3. Deserialization of an XML file seems to be pretty common. I am not sure how we fix this issue. Can anyone guide me on this?

public static T DeserializeXmlFile<T>(string xmlFilePath)
{
    try
    {
        XmlSerializer xs = GetSerializer(typeof(T)); //Line#1
        // 'using' disposes the stream even when Deserialize throws; the original only closed it on success
        using (FileStream fs = new FileStream(xmlFilePath, FileMode.Open)) //Line#2
        {
            var result = (T)xs.Deserialize(fs); //Line #3
            fs.Close(); //Line#4
            return result; //Line#5
        }
    }
    catch (Exception ex)
    {
        // include the exception text so the failure is diagnosable rather than silently returning default(T)
        LogException("Deserialization exception: " + ex.Message);
        return default(T);
    }
}

Regards,
NAK
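The finding is about what the method accepts, not about the cast on Line 3 by itself. XmlSerializer.Deserialize(Stream) builds its own XmlReader internally, so the caller has no say over DTD handling, external resource resolution or document size; handing it an XmlReader you configured is what gives you that control, and validating against a schema rejects content the type was never meant to carry. The following is an added example, not the poster's code and not part of this thread: it assumes a class named AppSettings, a hypothetical 10 MB size limit and an optional XmlSchemaSet supplied by the caller.

```csharp
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Xml;
using System.Xml.Schema;
using System.Xml.Serialization;

public static class SafeXmlLoader
{
    // One serializer per type; constructing XmlSerializer is expensive.
    private static readonly ConcurrentDictionary<Type, XmlSerializer> Serializers =
        new ConcurrentDictionary<Type, XmlSerializer>();

    // Assumed limit for this example; size it for your own documents.
    private const long MaxBytes = 10L * 1024 * 1024;

    public static T DeserializeXmlFile<T>(string xmlFilePath, XmlSchemaSet schemas = null)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // any DOCTYPE is an error: no entity expansion, no XXE
            XmlResolver = null,                       // never resolve external URIs
            MaxCharactersInDocument = MaxBytes,       // bound parser work on an oversized file
            IgnoreProcessingInstructions = true,
            CloseInput = true
        };

        if (schemas != null)
        {
            // Fail closed: every validation error or warning becomes an exception
            // instead of XmlSerializer silently skipping content it does not recognise.
            settings.Schemas = schemas;
            settings.ValidationType = ValidationType.Schema;
            settings.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
            settings.ValidationEventHandler += (sender, e) => { throw e.Exception; };
        }

        XmlSerializer serializer = Serializers.GetOrAdd(typeof(T), t => new XmlSerializer(t));

        using (var stream = new FileStream(xmlFilePath, FileMode.Open, FileAccess.Read, FileShare.Read))
        {
            if (stream.Length > MaxBytes)
                throw new InvalidDataException("XML file exceeds the configured size limit.");

            using (XmlReader reader = XmlReader.Create(stream, settings))
            {
                // Reject a document whose root element does not belong to T before reading further.
                if (!serializer.CanDeserialize(reader))
                    throw new InvalidDataException("Root element is not a serialized " + typeof(T).Name + ".");

                return (T)serializer.Deserialize(reader);
            }
        }
    }
}

// Example consumer (constructed for this example): a plain data class whose type is fixed
// at compile time; nothing in the file decides which type gets instantiated.
public sealed class AppSettings
{
    public string ServerName { get; set; }
    public int TimeoutSeconds { get; set; }
}

// Usage: var cfg = SafeXmlLoader.DeserializeXmlFile<AppSettings>("settings.xml", mySchemaSet);
```

Two points worth keeping in mind when reading the scanner's report against this code. XmlSerializer only ever instantiates the compile-time type T and the types reachable from its members, so the file cannot pick an arbitrary class the way a BinaryFormatter payload can; the residual risks for an XML file are the parser-level ones (DTD and entity handling, external resolution, size) and content that is well-formed XML but not what the program expects, which is what the settings and the schema above address. Second, let exceptions propagate or rethrow a typed one rather than returning default(T): a caller that receives a default object cannot distinguish "no file" from "tampered file".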

All replies (4)

Tuesday, December 19, 2017 7:14 AM

Hello NeelAK,

What do you mean by "performed security scan"? How do you do the scan job? Your code seems to have no problem and I can't see any exception in Visual Studio. Please provide more detailed information about your issue.

Best regards,

Neil Hu

MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact [email protected].


Tuesday, December 19, 2017 7:25 AM

Hi Neil Hu,

There is a security assessment scan done on the codebase using an external agent and not within Visual Studio (there is no problem or issue when we run this code in Visual Studio). The scan basically checks for security vulnerabilities in the code. Following are the details of the vulnerability:

Deserialization of Untrusted Data - The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. 

It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security -- which is a dangerous security assumption. Data that is untrusted can not be trusted to be well-formed.

You can also find more details of this in the wiki - https://www.owasp.org/index.php/Deserialization_of_untrusted_data

I am not sure how we fix this for our scenario.

Regards,
NeelAK

Tuesday, December 19, 2017 8:44 AM

Hello NeelAK,

>>Fix for Deserialization of Untrusted Data

I'm sorry that I don't have enough knowledge about the principle of deserialization. As far as I know, the secure deserialization job could be separated into two parts. The simplest part is to verify the file to ensure the file is trusted. The implementation approach could use a symmetric encryption algorithm like AES or Rijndael to encrypt a file that contains identification; the identification could be the MAC address of the computer that generated the xml file. The second part is the most difficult point, because you will have to consider a large number of situations. The attacker always attacks from a place you can't think of. There is a good post that has the same situation as yours.

https://security.stackexchange.com/questions/13490/is-it-safe-to-binary-deserialize-user-provided-data

D.W. has listed some options for handling untrusted data, which include the deserialization attack principle and the deserialization mechanism. This will provide some good advice for you.

Hope this would be helpful.

Best regards,

Neil Hu

Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; Therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

MSDN Community Support
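The first part of the reply above, verifying that a file is the one your own code produced before deserializing it, needs an integrity check rather than confidentiality, so the added example below uses an HMAC tag over the document instead of the AES encryption the reply describes; it is not the poster's or Microsoft's code and is not part of this thread. It assumes a shared secret key held by both the producer and the consumer of the file and a constructed file layout of a 32-byte tag followed by the XML bytes. The caveat from the scanner text earlier in this thread still applies: if the key lives on the same machine as whoever can edit the file, this is client-side security and proves nothing.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

public static class SignedXmlFile
{
    // Constructed layout for this example: HMAC-SHA256(key, xmlBytes) first, then the XML document.
    private const int TagLength = 32;

    // Producer side: write tag + document.
    public static void Write(string path, byte[] key, byte[] xmlBytes)
    {
        using (var hmac = new HMACSHA256(key))
        using (var fs = new FileStream(path, FileMode.Create, FileAccess.Write))
        {
            byte[] tag = hmac.ComputeHash(xmlBytes);
            fs.Write(tag, 0, tag.Length);
            fs.Write(xmlBytes, 0, xmlBytes.Length);
        }
    }

    // Consumer side: return the XML bytes only if the tag verifies; throw otherwise,
    // so unverified bytes are never handed to XmlSerializer.
    public static byte[] ReadVerified(string path, byte[] key)
    {
        byte[] file = File.ReadAllBytes(path);
        if (file.Length < TagLength)
            throw new CryptographicException("File too short to contain an integrity tag.");

        byte[] storedTag = new byte[TagLength];
        Buffer.BlockCopy(file, 0, storedTag, 0, TagLength);

        byte[] body = new byte[file.Length - TagLength];
        Buffer.BlockCopy(file, TagLength, body, 0, body.Length);

        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(body);

        if (!FixedTimeEquals(storedTag, expected))
            throw new CryptographicException("Integrity tag mismatch: file was modified or produced with a different key.");

        return body;
    }

    // Constant-time comparison so the check does not leak how many tag bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage (consumer): the verified bytes go into a MemoryStream and from there into a
// hardened XmlReader, never directly into XmlSerializer.Deserialize(Stream).
//   byte[] xml = SignedXmlFile.ReadVerified("settings.xml.signed", key);
//   using (var ms = new MemoryStream(xml)) { /* XmlReader.Create(ms, settings) ... */ }
```

The key must be at least as well protected as the data it vouches for (a configuration store or secret manager, never a literal in source), and a tag failure should be logged and treated as an incident, not swallowed. On .NET Core 2.1 and later, CryptographicOperations.FixedTimeEquals replaces the hand-written comparison.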


Wednesday, June 19, 2019 12:15 PM

Hi NAK,

Were you able to fix it? Or do you have any documentation?

Federico Navarrete