Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
| Property | Value |
|---|---|
| Rule ID | CA5367 |
| Title | Do not serialize types with pointer fields |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
Pointers are not type safe, which means you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is a security risk, as it may allow an attacker to control the pointer.
This rule checks whether there’s a serializable class with a pointer field or property. Members that can’t be serialized can be a pointer, such as static members or fields marked with System.NonSerializedAttribute.
Don't use pointer types for members in a serializable class or don't serialize the members that are pointers.
Don't take the risk to use pointers in serializable types.
using System;
[Serializable()]
unsafe class TestClassA
{
private int* pointer;
}
using System;
[Serializable()]
unsafe class TestClassA
{
private int i;
}
using System;
[Serializable()]
unsafe class TestClassA
{
private static int* pointer;
}
Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
.NET feedback
.NET is an open source project. Select a link to provide feedback: