
Fix git push error for protected CLA branch #5653

Merged
merged 33 commits into from
Jul 31, 2020
b0f23f6
Binary formatter not secure
Rick-Anderson Jul 14, 2020
cc778eb
includes
Rick-Anderson Jul 14, 2020
0bf526e
ca files
Rick-Anderson Jul 14, 2020
ded0cc8
ca files
Rick-Anderson Jul 14, 2020
2d25aca
ca files
Rick-Anderson Jul 15, 2020
452cc4c
ca files
Rick-Anderson Jul 15, 2020
e6641f3
add warning
Rick-Anderson Jul 27, 2020
3c23c5c
add warning
Rick-Anderson Jul 27, 2020
25d26b4
add warning
Rick-Anderson Jul 27, 2020
6fef8c5
Apply suggestions from code review
Rick-Anderson Jul 27, 2020
dc1d913
react to feedback
Rick-Anderson Jul 27, 2020
91d8617
react to feedback
Rick-Anderson Jul 27, 2020
023e1e6
react to feedback
Rick-Anderson Jul 27, 2020
320a0b3
Update docs/code-quality/ca2301.md
Rick-Anderson Jul 27, 2020
084d03b
react to feedback
Rick-Anderson Jul 27, 2020
27503ca
react to feedback
Rick-Anderson Jul 27, 2020
fcc8bf3
react to feedback
Rick-Anderson Jul 27, 2020
e44cc3f
react to feedback
Rick-Anderson Jul 27, 2020
c90832b
Apply suggestions from code review
Rick-Anderson Jul 27, 2020
b7d2d0a
react to feedback
Rick-Anderson Jul 27, 2020
7ebbcf8
Apply suggestions from code review
Rick-Anderson Jul 29, 2020
f5259b1
Bump VSTU changelog to 4.7.1.0
sailro Jul 30, 2020
9ac1e57
Bump VSTU changelog to 2.7.1.0
sailro Jul 30, 2020
5457554
Update change-log-visual-studio-tools-for-unity-mac.md
sailro Jul 30, 2020
6b26230
Update change-log-visual-studio-tools-for-unity.md
sailro Jul 30, 2020
b806c5c
Update docs/code-quality/ca2305.md
Rick-Anderson Jul 31, 2020
70a5671
react to feedback
Rick-Anderson Jul 31, 2020
bd39af9
Merge pull request #6939 from sailro/patch-22
PRMerger13 Jul 31, 2020
1034047
Merge pull request #6940 from sailro/patch-23
PRMerger14 Jul 31, 2020
e0d2f67
fixed doc example
mikadumont Jul 31, 2020
074ff1b
Merge pull request #6942 from mikadumont/master
Jak-MS Jul 31, 2020
43df639
Merge pull request #6862 from Rick-Anderson/patch-1
megvanhuygen Jul 31, 2020
628c1f1
Merging changes synced from https://github.com/MicrosoftDocs/visualst…
ghogen Jul 31, 2020
ca files
Rick-Anderson committed Jul 15, 2020
commit 2d25aca4bc0927259e7fa28504b6ff4daf52fe30
6 changes: 4 additions & 2 deletions docs/code-quality/ca2305.md
Expand Up @@ -32,13 +32,15 @@ A <xref:System.Web.UI.LosFormatter?displayProperty=nameWithType> deserialization

This rule finds <xref:System.Web.UI.LosFormatter?displayProperty=nameWithType> deserialization method calls or references.

[!INCLUDE[binaryformatter](includes/binaryformatter.md)]

## How to fix violations

[!INCLUDE[insecure-deserializers-fixes-for-always-insecure-deserializers](includes/insecure-deserializers-fixes-for-always-insecure-deserializers-md.md)]
[!INCLUDE[fix-binaryformatter](includes/fix-binaryformatter.md)]

## When to suppress warnings

[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
[!INCLUDE[cannot-secure-binaryformatter](includes/cannot-secure-binaryformatter.md)]

## Pseudo-code examples
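Review bot: the three includes added in this hunk (`binaryformatter.md`, `fix-binaryformatter.md`, `cannot-secure-binaryformatter.md`) are named for BinaryFormatter, but this page documents the LosFormatter rule (CA2305); confirm that the included text reads correctly on a LosFormatter page, either by being written generically about insecure deserializers or by naming LosFormatter, otherwise readers of CA2305 are told about a different type. Also check that the two includes dropped here (`insecure-deserializers-fixes-for-always-insecure-deserializers-md.md` and `insecure-deserializers-common-safe-to-suppress-md.md`) are still referenced by other rule pages or are removed from `includes/` in the same change, so they do not become dead files.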

15 changes: 4 additions & 11 deletions docs/code-quality/ca2310.md
Expand Up @@ -32,22 +32,15 @@ A <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=n

This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references. If you want to deserialize only when the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is set to restrict types, disable this rule and enable rules [CA2311](ca2311.md) and [CA2312](ca2312.md) instead.

[!INCLUDE[binaryformatter](includes/binaryformatter.md)]

## How to fix violations

- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
- <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
- <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
- <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
- <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
- Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Protocol Buffers
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.NetDataContractSerializer>, set the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception to stop deserialization.
- If you restrict deserialized types, you may want to disable this rule and enable rules [CA2311](ca2311.md) and [CA2312](ca2312.md). Rules [CA2311](ca2311.md) and [CA2312](ca2312.md) help to ensure that the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property is always set before deserializing.
[!INCLUDE[fix-binaryformatter](includes/fix-binaryformatter.md)]

## When to suppress warnings

[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
[!INCLUDE[cannot-secure-binaryformatter](includes/cannot-secure-binaryformatter.md)]

## Pseudo-code examples
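Review bot: the unchanged paragraph at the top of the hunk still tells readers to disable this rule and rely on CA2311/CA2312 when the `Binder` property restricts types, while the newly added `binaryformatter.md` and `cannot-secure-binaryformatter.md` includes state that the serializer cannot be made secure; the two pieces of guidance now contradict each other within one page, so the `Binder` sentence should be revised or removed in this commit. The deleted bullet list also carried rule-specific advice (the `SerializationBinder`/`BindToType` guidance and the pointer to CA2311/CA2312); confirm that `fix-binaryformatter.md` preserves the safer-serializer list and the sign-then-verify recommendation, or restore the parts that are specific to `NetDataContractSerializer`.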

14 changes: 4 additions & 10 deletions docs/code-quality/ca2311.md
Expand Up @@ -34,21 +34,15 @@ By default, this rule analyzes the entire codebase, but this is [configurable](#

This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references, when <xref:System.Runtime.Serialization.NetDataContractSerializer> doesn't have its <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> set. If you want to disallow any deserialization with <xref:System.Runtime.Serialization.NetDataContractSerializer> regardless of the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property, disable this rule and [CA2312](ca2312.md), and enable rule [CA2310](ca2310.md).

`NetDataContractSerializer` is insecure and cannot be made secure. For more information, see the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).

## How to fix violations

- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
- <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
- <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
- <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
- <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
- Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Protocol Buffers
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.NetDataContractSerializer>, set the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception to stop deserialization.
[!INCLUDE[fix-binaryformatter](includes/fix-binaryformatter.md)]

## When to suppress warnings

[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
`NetDataContractSerializer` is insecure and cannot be made secure.

## Configurability
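Review bot: the two added sentences stating that `NetDataContractSerializer` is insecure and cannot be made secure are written inline here, while ca2305.md and ca2310.md in the same commit express the same statement through the `binaryformatter.md` and `cannot-secure-binaryformatter.md` includes; use the includes in all four files so the wording cannot drift between rules. The link text "BinaryFormatter security guide" on a `NetDataContractSerializer` page will confuse readers unless the sentence says the guide also covers this serializer. Under "When to suppress warnings", the bare sentence replaces the old suppression guidance without saying whether to suppress; state it directly, for example "Don't suppress warnings from this rule."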

15 changes: 4 additions & 11 deletions docs/code-quality/ca2312.md
Expand Up @@ -36,22 +36,15 @@ By default, this rule analyzes the entire codebase, but this is [configurable](#

This rule finds <xref:System.Runtime.Serialization.NetDataContractSerializer?displayProperty=nameWithType> deserialization method calls or references when the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> might be null. If you want to disallow any deserialization with <xref:System.Runtime.Serialization.NetDataContractSerializer> regardless of the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property, disable this rule and [CA2311](ca2311.md), and enable rule [CA2310](ca2310.md).

`NetDataContractSerializer` is insecure and cannot be made secure. For more information, see the [BinaryFormatter security guide](/dotnet/standard/serialization/binaryformatter-security-guide).

## How to fix violations

- If possible, use a secure serializer instead, and **don't allow an attacker to specify an arbitrary type to deserialize**. Some safer serializers include:
- <xref:System.Runtime.Serialization.DataContractSerializer?displayProperty=nameWithType>
- <xref:System.Runtime.Serialization.Json.DataContractJsonSerializer?displayProperty=nameWithType>
- <xref:System.Web.Script.Serialization.JavaScriptSerializer?displayProperty=nameWithType> - Never use <xref:System.Web.Script.Serialization.SimpleTypeResolver?displayProperty=nameWithType>. If you must use a type resolver, restrict deserialized types to an expected list.
- <xref:System.Xml.Serialization.XmlSerializer?displayProperty=nameWithType>
- Newtonsoft Json.NET - Use TypeNameHandling.None. If you must use another value for TypeNameHandling, restrict deserialized types to an expected list with a custom ISerializationBinder.
- Protocol Buffers
- Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.
- Restrict deserialized types. Implement a custom <xref:System.Runtime.Serialization.SerializationBinder?displayProperty=nameWithType>. Before deserializing with <xref:System.Runtime.Serialization.NetDataContractSerializer>, set the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property to an instance of your custom <xref:System.Runtime.Serialization.SerializationBinder>. In the overridden <xref:System.Runtime.Serialization.SerializationBinder.BindToType%2A> method, if the type is unexpected, throw an exception to stop deserialization.
- Ensure that all code paths have the <xref:System.Runtime.Serialization.NetDataContractSerializer.Binder> property set.
[!INCLUDE[fix-binaryformatter](includes/fix-binaryformatter.md)]

## When to suppress warnings

[!INCLUDE[insecure-deserializers-common-safe-to-suppress](includes/insecure-deserializers-common-safe-to-suppress-md.md)]
`NetDataContractSerializer` is insecure and cannot be made secure.

## Configurability
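Review bot: as in ca2311.md, this hunk inlines the "cannot be made secure" text instead of the `cannot-secure-binaryformatter.md` include used by ca2305.md and ca2310.md; prefer the include so the four rule pages stay consistent. The removed bullet "Ensure that all code paths have the Binder property set" was the one fix specific to this rule, which the unchanged description at the top of the hunk still says fires when `Binder` might be null; confirm that `fix-binaryformatter.md` covers that case, or keep the bullet alongside the include.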
