- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: csharp-security/avoid-binary-formatter
Language: C#
Severity: Error
Category: Security
CWE: 502
This rule prevents the usage of BinaryFormatter
for serialization due to its inherent security vulnerabilities. BinaryFormatter
has been found to be susceptible to deserialization attacks, where a malicious actor can control the input to the deserialization operation and exploit this to execute arbitrary code, manipulate program execution, or induce application crashes.
This security risk makes it crucial to avoid BinaryFormatter
. Instead, opt for safer alternatives for serialization and deserialization. An alternative is System.Text.Json
, which is not only secure, but also offers better performance. Additional alternatives include DataContractSerializer
, MessagePack
, and protobuf-net
.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
[Serializable]
public class User
{
public string Username { get; set; }
public string Password { get; set; }
}
class Program
{
static void Main(string[] args)
{
// Serializing the object
User user = new User { Username = "admin", Password = "password123" };
BinaryFormatter formatter = new BinaryFormatter();
using (FileStream stream = new FileStream("user.dat", FileMode.Create))
{
formatter.Serialize(stream, user);
}
// Deserializing the object
using (FileStream stream = new FileStream("user.dat", FileMode.Open))
{
User deserializedUser = (User)formatter.Deserialize(stream);
Console.WriteLine($"Username: {deserializedUser.Username}, Password: {deserializedUser.Password}");
}
}
}
using System;
using System.IO;
using System.Text.Json;
[Serializable]
public class User
{
public string Username { get; set; }
public string Password { get; set; }
}
class Program
{
static void Main(string[] args)
{
// Serializing the object
User user = new User { Username = "admin", Password = "password123" };
var options = new JsonSerializerOptions { WriteIndented = true };
string jsonString = JsonSerializer.Serialize(user, options);
File.WriteAllText("user.json", jsonString);
// Deserializing the object
string readJsonString = File.ReadAllText("user.json");
User deserializedUser = JsonSerializer.Deserialize<User>(readJsonString);
Console.WriteLine($"Username: {deserializedUser.Username}, Password: {deserializedUser.Password}");
}
}