Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

C# static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code

Tags

Impact

Clean code attribute

Parameter names should match base declaration and other partial definitions
Code Smell
"goto" statement should not be used
Code Smell
Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
Code Smell
Literal suffixes should be upper case
Code Smell
XSLT Transformations should not be vulnerable to injection attacks
Vulnerability
Locks should be released within the same method
Bug
A write lock should not be released when a read lock has been acquired and vice versa
Bug
First/Single should be used instead of FirstOrDefault/SingleOrDefault on collections that are known to be non-empty
Code Smell
Server-side requests should not be vulnerable to traversing attacks
Vulnerability
Content Security Policies should be restrictive
Vulnerability
Actions that return a value should be annotated with ProducesResponseTypeAttribute containing the return type
Code Smell
ModelState.IsValid should be called in controller actions
Code Smell
Awaitable method should be used
Code Smell
REST API actions should be annotated with an HTTP verb attribute
Code Smell
Value type property used as input in a controller action should be nullable, required or annotated with the JsonRequiredAttribute to avoid under-posting.
Code Smell
You should pool HTTP connections with HttpClientFactory
Code Smell
API Controllers should derive from ControllerBase instead of Controller
Code Smell
Controllers should not have mixed responsibilities
Code Smell
A Route attribute should be added to the controller when a route template is specified at the action level
Code Smell
Use model binding instead of reading raw request data
Code Smell
ASP.NET controller actions should not have a route template starting with "/"
Code Smell
Backslash should be avoided in route templates
Bug
Parameters with SupplyParameterFromQuery attribute should be used only in routable components
Code Smell
Using lambda expressions in loops should be avoided in Blazor markup section
Code Smell
Component parameter type should match the route parameter type constraint
Bug
[JSInvokable] attribute should only be used on public methods
Bug
Blazor query parameter type should be supported
Bug
JWT secret keys should not be disclosed
Vulnerability
Stack traces should not be disclosed
Vulnerability
Loop boundaries should not be vulnerable to injection attacks
Vulnerability
Use PascalCase for named placeholders
Code Smell
Message template placeholders should be unique
Bug
"Trace.WriteLineIf" should not be used with "TraceSwitch" levels
Code Smell
Log message template should be syntactically correct
Bug
Log message template placeholders should be in the right order
Code Smell
Generic logger injection should match enclosing type
Code Smell
"Trace.Write" and "Trace.WriteLine" should not be used
Code Smell
Logger field or property name should comply with a naming convention
Code Smell
Logging arguments should be passed to the correct parameter
Code Smell
Logging in a catch clause should pass the caught exception as a parameter.
Code Smell
The code block contains too many logging calls
Code Smell
Connection strings should not be vulnerable to injections attacks
Vulnerability
Using unsafe code blocks is security-sensitive
Security Hotspot
Memory allocations should not be vulnerable to Denial of Service attacks
Vulnerability
"string.Create" should be used instead of "FormattableString"
Code Smell
"Contains" should be used instead of "Any" for simple equality checks
Code Smell
"First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods
Code Smell
The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods
Code Smell
"StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"
Code Smell
"Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods
Code Smell
Prefer indexing instead of "Enumerable" methods on types implementing "IList"
Code Smell
The collection should be filtered before sorting by using "Where" before "OrderBy"
Code Smell
Collection-specific "Exists" method should be used instead of the "Any" extension
Code Smell
The collection-specific "TrueForAll" method should be used instead of the "All" extension
Code Smell
"Find" method should be used instead of the "FirstOrDefault" extension
Code Smell
Use the "UnixEpoch" field instead of creating "DateTime" instances that point to the beginning of the Unix epoch
Code Smell
Don't hardcode the format when turning dates and times to strings
Code Smell
Use a format provider when parsing date and time
Code Smell
Use "TimeZoneInfo.FindSystemTimeZoneById" without converting the timezones with "TimezoneConverter"
Code Smell
Use "DateTimeOffset" instead of "DateTime"
Code Smell
Use UTC when recording DateTime instants
Code Smell
Always set the "DateTimeKind" when creating new "DateTime" instances
Code Smell
Avoid using "DateTime.Now" for benchmarking or timing operations
Code Smell
Accessing files should not lead to filesystem oracle attacks
Vulnerability
Environment variables should not be defined from untrusted input
Vulnerability
"ExcludeFromCodeCoverage" attributes should include a justification
Code Smell
Blocks should not be synchronized on local variables
Bug
Not specifying a timeout for regular expressions is security-sensitive
Security Hotspot
Interfaces for durable entities should satisfy the restrictions
Code Smell
Azure Functions should log all failures
Code Smell
Calls to "async" methods should not be blocking in Azure Functions
Code Smell
Azure Functions should use Structured Error Handling
Code Smell
Client instances should not be recreated on each Azure Function invocation
Code Smell
Azure Functions should be stateless
Code Smell
Hard-coded secrets are security-sensitive
Security Hotspot
XML operations should not be vulnerable to injection attacks
Vulnerability
XML signatures should be validated securely
Vulnerability
Use a testable date/time provider
Code Smell
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Applications should not create session cookies from untrusted input
Vulnerability
Reflection should not be vulnerable to injection attacks
Vulnerability
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
OS commands should not be vulnerable to argument injection attacks
Vulnerability
Regular expressions should be syntactically valid
Bug
Types allowed to be deserialized should be restricted
Vulnerability
Creating Serializable objects without data validation checks is security-sensitive
Security Hotspot
Disabling ASP.NET "Request Validation" feature is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Using publicly writable directories is security-sensitive
Security Hotspot
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
Using clear-text protocols is security-sensitive
Security Hotspot
NoSQL operations should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
"ValueTask" should be consumed correctly
Code Smell
Server certificates should be verified during SSL/TLS connections
Vulnerability
Configuring loggers is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Comments should not be empty
Code Smell
Start index should be used instead of calling Substring
Code Smell
Non-async "Task/Task<T>" methods should not return null
Bug
Calls to delegate's method "BeginInvoke" should be paired with calls to "EndInvoke"
Bug
"new Guid()" should not be used
Code Smell
"DebuggerDisplayAttribute" strings should reference existing members
Code Smell
"default" clauses should be first or last
Code Smell
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Unread "private" fields should be removed
Code Smell
Calls to "async" methods should not be blocking
Code Smell
Parameter validation in "async"/"await" methods should be wrapped
Code Smell
Parameter validation in yielding methods should be wrapped
Code Smell
LDAP connections should be authenticated
Vulnerability
"PartCreationPolicyAttribute" should be used with "ExportAttribute"
Bug
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Secure random number generators should not output predictable values
Vulnerability
"Shared" parts should not be created with "new"
Bug
Getters and setters should access the expected fields
Bug
Methods should be named according to their synchronicities
Code Smell
"ConstructorArgument" parameters should exist in constructors
Bug
Extensions should be in separate namespaces
Code Smell
Extension methods should not extend "object"
Code Smell
Events should have proper arguments
Code Smell
"P/Invoke" methods should not be visible
Code Smell
Serialization constructors should be secured
Vulnerability
Members should not have conflicting transparency annotations
Vulnerability
Windows Forms entry points should be marked with STAThread
Bug
Null checks should not be combined with "is" operator checks
Code Smell
Native methods should be wrapped
Code Smell
Classes should implement their "ExportAttribute" interfaces
Bug
Empty collections should not be accessed or iterated
Bug
Methods should not have identical implementations
Code Smell
Collection elements should not be replaced unconditionally
Bug
Method overloads should be grouped together
Code Smell
Non-flags enums should not be marked with "FlagsAttribute"
Code Smell
Operator overloads should have named alternatives
Code Smell
"params" should be used instead of "varargs"
Code Smell
Non-abstract attributes should be sealed
Code Smell
Property names should not match get methods
Code Smell
Overloads with a "StringComparison" parameter should be used
Code Smell
Locales should be set for data types
Code Smell
Overloads with a "CultureInfo" or an "IFormatProvider" parameter should be used
Code Smell
Literals should not be passed as localized parameters
Code Smell
Types should not extend outdated base types
Code Smell
Operators should be overloaded consistently
Code Smell
Properties should be preferred
Code Smell
Generics should be used when appropriate
Code Smell
Type names should not match namespaces
Code Smell
Strings should be normalized to uppercase
Code Smell
Interface methods should be callable by derived types
Code Smell
Searching OS commands in PATH is security-sensitive
Security Hotspot
Classes implementing "IEquatable<T>" should be sealed
Code Smell
Exceptions should provide standard constructors
Code Smell
Assemblies should be marked with "NeutralResourcesLanguageAttribute"
Code Smell
Child class fields should not differ from parent class fields only by capitalization
Code Smell
Interfaces should not be empty
Code Smell
Enumerations should have "Int32" storage
Code Smell
Base class methods should not be hidden
Code Smell
All type parameters should be used in the parameter list to enable type inference
Code Smell
Method signatures should not contain nested generic types
Code Smell
Enumeration members should not be named "Reserved"
Code Smell
Inherited member visibility should not be decreased
Code Smell
"System.Uri" arguments should be used instead of strings
Code Smell
Collection properties should be readonly
Code Smell
Disposable types should declare finalizers
Code Smell
Pointers to unmanaged memory should not be visible
Code Smell
Threads should not lock on objects with weak identity
Code Smell
String URI overloads should call "System.Uri" overloads
Code Smell
URI properties should not be strings
Code Smell
URI return values should not be strings
Code Smell
URI Parameters should not be strings
Code Smell
Custom attributes should be marked with "System.AttributeUsageAttribute"
Code Smell
Assemblies should explicitly specify COM visibility
Code Smell
Assemblies should be marked as CLS compliant
Code Smell
Exceptions should not be created without being thrown
Bug
Collection sizes and array length comparisons should make sense
Bug
A conditionally executed single line should be denoted by indentation
Code Smell
Conditionals should start on new lines
Code Smell
"GC.SuppressFinalize" should not be called
Code Smell
Multidimensional arrays should not be used
Code Smell
Objects should not be disposed more than once
Code Smell
"static" fields should be initialized inline
Code Smell
"static readonly" constants should be "const" instead
Code Smell
"Generic.List" instances should not be part of public APIs
Code Smell
Calculations should not overflow
Bug
Number patterns should be regular
Code Smell
Parameter names used into ArgumentException constructors should match an existing one
Code Smell
Serialization event handlers should be implemented correctly
Bug
Deserialization methods should be provided for "OptionalField" members
Bug
"ISerializable" should be implemented correctly
Code Smell
All branches in a conditional structure should not have exactly the same implementation
Bug
Collections should implement the generic interface
Code Smell
Generic event handlers should be used
Code Smell
Event Handlers should have the correct signature
Code Smell
Assemblies should have version information
Code Smell
Types should be defined in named namespaces
Bug
"Assembly.GetExecutingAssembly" should not be called
Code Smell
Arguments of public methods should be validated against null
Code Smell
Value types should implement "IEquatable<T>"
Code Smell
Classes that provide "Equals(<T>)" should implement "IEquatable<T>"
Code Smell
"Thread.Resume" and "Thread.Suspend" should not be used
Bug
Mutable, non-private fields should not be "readonly"
Bug
"Assembly.Load" should be used
Code Smell
"CoSetProxyBlanket" and "CoInitializeSecurity" should not be used
Vulnerability
"IDisposable" should be implemented correctly
Code Smell
Finalizers should not be empty
Code Smell
Arrays should not be created for params parameters
Code Smell
Exceptions should not be thrown from unexpected methods
Code Smell
Strings or integral types should be used for indexers
Code Smell
"operator==" should not be overloaded on reference types
Code Smell
"out" and "ref" parameters should not be used
Code Smell
Parameter names should not duplicate the names of their methods
Code Smell
Exception types should be "public"
Code Smell
"SafeHandle.DangerousGetHandle" should not be called
Bug
Cognitive Complexity of methods should not be too high
Code Smell
Track use of "NotImplementedException"
Code Smell
Empty nullable value should not be accessed
Bug
Database queries should not be vulnerable to injection attacks
Vulnerability
Jump statements should not be redundant
Code Smell
Nullable type comparison should not be redundant
Bug
Member initializer values should not be redundant
Code Smell
Methods with "Pure" attribute should return a value
Bug
"params" should not be introduced on overrides
Code Smell
One-way "OperationContract" methods should have "void" return type
Bug
"ServiceContract" and "OperationContract" attributes should be used together
Code Smell
Empty "default" clauses should be removed
Code Smell
Optional parameters should be passed to "base" calls
Bug
Type inheritance should not be recursive
Bug
Unassigned members should be removed
Code Smell
Empty "case" clauses that fall through to the "default" should be omitted
Code Smell
Composite format strings should be used correctly
Code Smell
"string.ToCharArray()" and "ReadOnlySpan<T>.ToArray()" should not be called redundantly
Bug
Classes should not have only "private" constructors
Bug
"[DefaultValue]" should not be used when "[DefaultParameterValue]" is meant
Code Smell
Parameters with "[DefaultParameterValue]" attributes should also be marked "[Optional]"
Code Smell
Right operands of shift operators should be integers
Bug
"[Optional]" should not be used on "ref" or "out" parameters
Code Smell
Exceptions should not be explicitly rethrown
Code Smell
Interfaces should not simply inherit from base interfaces with colliding members
Code Smell
Type should not be examined on "System.Type" instances
Code Smell
"abstract" classes should not have "public" constructors
Code Smell
Redundant property names should be omitted in anonymous classes
Code Smell
Variables should not be checked against the values they're about to be assigned
Code Smell
Test method signatures should be correct
Code Smell
"[ExpectedException]" should not be used
Code Smell
Method overloads with default parameter values should not overlap
Code Smell
Loggers should be named for their enclosing types
Code Smell
Assertion arguments should be passed in the correct order
Code Smell
Methods should not return constants
Code Smell
"private" methods called only by inner classes should be moved to those classes
Code Smell
"base.Equals" should not be used to check for reference equality in "Equals" if "base" is not "object"
Bug
Attribute, EventArgs, and Exception type names should end with the type being extended
Code Smell
"this" should not be exposed from constructors
Code Smell
Date and time should not be used as a type for primary keys
Bug
Ternary operators should not be nested
Code Smell
Unchanged variables should be marked as "const"
Code Smell
Expressions used in "Debug.Assert" should not produce side effects
Bug
Caller information parameters should come at the end of the parameter list
Bug
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Loops should be simplified with "LINQ" expressions
Code Smell
Non-flags enums should not be used in bitwise operations
Code Smell
Events should be invoked
Code Smell
Static fields should appear in the order they must be initialized
Bug
"params" should be used on overrides
Code Smell
Namespaces should not be empty
Code Smell
Non-derived "private" classes and records should be "sealed"
Code Smell
Declarations and initializations should be as concise as possible
Code Smell
"string.IsNullOrEmpty" should be used
Code Smell
Default parameter values should not be passed as arguments
Code Smell
Constructor and destructor declarations should not be redundant
Code Smell
Implementations should be provided for "partial" methods
Code Smell
Classes directly extending "object" should not call "base" in "GetHashCode" or "Equals"
Bug
Duplicate casts should not be made
Code Smell
Generic type parameters should be co/contravariant when possible
Code Smell
Anonymous delegates should not be used to unsubscribe from Events
Bug
Method parameters should be declared with base types
Code Smell
Methods should not return values that are never used
Code Smell
The simplest possible condition syntax should be used
Code Smell
"value" contextual keyword should be used
Code Smell
Caller information arguments should not be provided explicitly
Code Smell
Redundant parentheses should not be used
Code Smell
"GC.SuppressFinalize" should not be invoked for types without destructors
Code Smell
Method calls should not resolve ambiguously to overloads with "params"
Code Smell
Inner class members should not shadow outer class "static" or type members
Code Smell
"Explicit" conversions of "foreach" loops should not be used
Code Smell
"ConfigureAwait(false)" should be used
Code Smell
"interface" instances should not be cast to concrete types
Code Smell
Delegates should not be subtracted
Bug
Multiple "OrderBy" calls should not be used
Code Smell
"async" methods should not return "void"
Bug
"StringBuilder" data should be used
Code Smell
"is" should not be used with "this"
Code Smell
Types should not have members with visibility set higher than the type's visibility
Code Smell
Members should not be initialized to default values
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
Static fields should not be updated in constructors
Code Smell
"ThreadStatic" should not be used on non-static fields
Bug
"IDisposables" created in a "using" statement should not be returned
Bug
"ThreadStatic" fields should not be initialized
Bug
"Object.ReferenceEquals" should not be used for value types
Bug
LINQ expressions should be simplified
Code Smell
Assertions should be complete
Code Smell
Generic parameters not constrained to reference types should not be compared to "null"
Bug
Methods named "Dispose" should implement "IDisposable.Dispose"
Code Smell
Classes should "Dispose" of members from the classes' own "Dispose" methods
Bug
Property assignments should not be made for "readonly" fields not constrained to reference types
Bug
Fields that are only assigned in the constructor should be "readonly"
Code Smell
Classes with "IDisposable" members should implement "IDisposable"
Bug
"IDisposables" should be disposed
Bug
"Thread.Sleep" should not be used in tests
Code Smell
SQL keywords should be delimited by whitespace
Bug
Doubled prefix operators "!!" and "~~" should not be used
Bug
Sequential tests should not check the same condition
Code Smell
Non-existent operators like "=+" should not be used
Bug
XML parsers should not be vulnerable to XXE attacks
Vulnerability
Static fields should not be used in generic types
Code Smell
"catch" clauses should do more than rethrow
Code Smell
Literal boolean values should not be used in assertions
Code Smell
Tests should include assertions
Code Smell
Instance members should not write to "static" fields
Code Smell
"IndexOf" checks should not be for positive numbers
Code Smell
"NaN" should not be used in comparisons
Bug
Multiline blocks should be enclosed in curly braces
Code Smell
The length returned from a stream read should be checked
Bug
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
Logging templates should be constant
Code Smell
Setting loose file permissions is security-sensitive
Security Hotspot
Boolean expressions should not be gratuitous
Code Smell
Conditionally executed code should be reachable
Bug
Shared resources should not be used for locking
Bug
Generic exceptions should not be ignored
Code Smell
Whitespace and control characters in string literals should be explicit
Code Smell
Blocks should be synchronized on read-only fields
Bug
Unnecessary bit operations should not be performed
Code Smell
Types and methods should not have too many generic parameters
Code Smell
Child class fields should not shadow parent class fields
Code Smell
Mutable fields should not be "public static"
Code Smell
Write-only properties should not be used
Code Smell
Exceptions should not be thrown from property getters
Code Smell
Public methods should not have multidimensional array parameters
Code Smell
Properties should not make collection or array copies
Code Smell
Optional parameters should not be used
Code Smell
Fields should be private
Code Smell
Flags enumerations zero-value members should be named "None"
Code Smell
Flags enumerations should explicitly initialize all their members
Bug
Enumeration type names should not have "Flags" or "Enum" suffixes
Code Smell
Enumeration types should comply with a naming convention
Code Smell
Public constant members should not be used
Code Smell
Redundant modifiers should not be used
Code Smell
Array covariance should not be used
Code Smell
"GetHashCode" should not reference mutable fields
Bug
"try" statements with identical "catch" and/or "finally" blocks should be merged
Code Smell
Unused type parameters should be removed
Code Smell
Methods and properties that don't access instance data should be static
Code Smell
"async" and "await" should not be used as identifiers
Code Smell
"nameof" should be used
Code Smell
Trivial properties should be auto-implemented
Code Smell
Overflow checking should not be disabled for "Enumerable.Sum"
Code Smell
Field-like events should not be virtual
Code Smell
Composite format strings should not lead to unexpected behavior at runtime
Bug
Null pointers should not be dereferenced
Bug
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
For-loop conditions should be true at least once
Bug
A "for" loop update clause should move the counter in the right direction
Bug
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Arguments should be passed in the same order as the method parameters
Code Smell
"ToString()" method should not return null
Bug
Non-constant static fields should not be visible
Code Smell
Locks should be released on all paths
Bug
"Exception" should not be caught
Code Smell
Runtime type checking should be simplified
Code Smell
Methods without side effects should not have their return values ignored
Bug
Unnecessary mathematical comparisons should not be made
Code Smell
Modulus results should not be checked for direct equality
Code Smell
Loops and recursions should not be infinite
Bug
Test classes should contain at least one test case
Code Smell
Results of integer division should not be assigned to floating point variables
Bug
Integral numbers should not be shifted by zero or more than their number of bits-1
Bug
Short-circuit logic should be used in boolean contexts
Code Smell
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
"sealed" classes should not have "protected" members
Code Smell
Underscores should be used to make large numbers readable
Code Smell
Exceptions should be either logged or rethrown but not both
Code Smell
Values should not be uselessly incremented
Bug
A secure password should be used when connecting to a database
Vulnerability
Collections should not be passed as arguments to their own methods
Bug
Classes should not be empty
Code Smell
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
Formatting SQL queries is security-sensitive
Security Hotspot
OS commands should not be vulnerable to command injection attacks
Vulnerability
Hard-coded credentials are security-sensitive
Security Hotspot
Password hashing functions should use an unpredictable salt
Vulnerability
"for" loop increment clauses should modify the loops' counters
Code Smell
Invalid casts should be avoided
Code Smell
Boolean checks should not be inverted
Code Smell
Inheritance list should not be redundant
Code Smell
Redundant casts should not be used
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Related "if/else if" statements should not have the same condition
Bug
"ToString()" calls should not be redundant
Code Smell
Unused assignments should be removed
Code Smell
Objects should not be created to be dropped immediately without being used
Bug
"switch" statements should not be nested
Code Smell
Identical expressions should not be used on both sides of operators
Bug
Loops with at most one iteration should be refactored
Bug
Constructors should only call non-overridable methods
Code Smell
"==" should not be used when "Equals" is overridden
Code Smell
NullReferenceException should not be caught
Code Smell
An abstract class should have both abstract and concrete methods
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Variables should not be self-assigned
Bug
Strings should not be concatenated using '+' in a loop
Code Smell
Tests should not be ignored
Code Smell
Methods and properties should not be too complex
Code Smell
Unused local variables should be removed
Code Smell
"switch" statements with many "case" clauses should have only one statement
Code Smell
Track lack of copyright and license headers
Code Smell
Private fields only used as local variables in methods should become local variables
Code Smell
Culture should be specified for "string" operations
Code Smell
Functions should not have too many lines of code
Code Smell
Control flow statements "if", "switch", "for", "foreach", "while", "do" and "try" should not be nested too deeply
Code Smell
Using hardcoded IP addresses is security-sensitive
Security Hotspot
Logger fields should be "private static readonly"
Code Smell
"switch/Select" statements should contain a "default/Case Else" clauses
Code Smell
Track uses of in-source issue suppressions
Code Smell
"switch" statements should have at least 3 "case" clauses
Code Smell
"for" loop stop conditions should be invariant
Code Smell
A "while" loop should be used instead of a "for" loop
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
Sections of code should not be commented out
Code Smell
Floating point numbers should not be tested for equality
Bug
break statements should not be used except for switch cases
Code Smell
Method parameters, caught exceptions and foreach variables' initial values should not be ignored
Bug
Statements should be on separate lines
Code Smell
"GC.Collect" should not be called
Code Smell
"Equals" and the comparison operators should be overridden when implementing "IComparable"
Code Smell
Control structures should use curly braces
Code Smell
"Equals(Object)" and "GetHashCode()" should be overridden in pairs
Bug
Classes should not be coupled to too many other classes
Code Smell
Nested code blocks should not be used
Code Smell
String literals should not be duplicated
Code Smell
Methods should not be empty
Code Smell
Overriding members should do more than simply call the same member in the base class
Code Smell
Unused method parameters should be removed
Code Smell
Empty arrays and collections should be returned instead of null
Code Smell
Exceptions should not be thrown in finally blocks
Code Smell
"Any()" should be used to test for emptiness
Code Smell
"switch case" clauses should not have too many lines of code
Code Smell
Exit methods should not be called
Code Smell
Unused private types or members should be removed
Code Smell
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell
Deprecated code should be removed
Code Smell
Files should end with a newline
Code Smell
Unnecessary "using" should be removed
Code Smell
Boolean literals should not be redundant
Code Smell
"Obsolete" attributes should include explanations
Code Smell
Assignments should not be made from within sub-expressions
Code Smell
General or reserved exceptions should never be thrown
Code Smell
Utility classes should not have public constructors
Code Smell
Local variables should not shadow class fields or properties
Code Smell
Empty statements should be removed
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
A close curly brace should be located at the beginning of a line
Code Smell
Fields should not have public accessibility
Code Smell
Inheritance tree of classes should not be too deep
Code Smell
Magic numbers should not be used
Code Smell
Nested blocks of code should not be left empty
Code Smell
URIs should not be hardcoded
Code Smell
Methods should not have too many parameters
Code Smell
Expressions should not be too complex
Code Smell
Mergeable "if" statements should be combined
Code Smell
Standard outputs should not be used directly to log anything
Code Smell
Tabulation characters should not be used
Code Smell
Finalizers should not throw exceptions
Bug
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Types should be named in PascalCase
Code Smell
Method overrides should not change parameter defaults
Code Smell
Methods and properties should be named in PascalCase
Code Smell

Creating Serializable objects without data validation checks is security-sensitive

intentionality - complete

security

Security Hotspot

When an object is created via deserialization, its constructor is often not executed: the object is instead built directly from its serialized data.
This means an attacker can create a malicious object and completely bypass security checks.

Ask Yourself Whether

Constructors of this Serializable class lack relevant security checks.
Security checks performed during deserialization differ from those in the constructor.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Ensure validation is applied to all entry points of an application.
Ensure that validation is identical regardless of how an object gets created.

Sensitive Code Example

In the following examples, Serializable classes either omit validation or apply different validation logic during instantiation than during deserialization.

For classes inheriting ISerializable:

[Serializable]
public class InternalUrl : ISerializable
{
    private string url;

    public InternalUrl(string tmpUrl)
    {
        if(!tmpUrl.StartsWith("http://localhost/"))
        {
            url = "http://localhost/default";
        }
        else
        {
            url = tmpUrl;
        }
    }

    // Special Deserialization constructor
    protected InternalUrl(SerializationInfo info, StreamingContext context)
    {
       url = (string) info.GetValue("url", typeof(string));
       // Sensitive - no validation
     }

    void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("url", url);
    }
}

For classes inheriting IDeserializationCallback:

[Serializable]
public class InternalUrl : IDeserializationCallback
{
    private string url;

    public InternalUrl(string tmpUrl)
    {
        if(!tmpUrl.StartsWith("http://localhost/"))
        {
            url = "http://localhost/default";
        }
        else
        {
            url = tmpUrl;
        }
    }

    void IDeserializationCallback.OnDeserialization(object sender)
    {
       // Sensitive - no validation
    }
}

For classes inheriting from neither of previous types:

[Serializable]
public class InternalUrl
{
    private string url;

    public InternalUrl(string tmpUrl)
    {
        // Sensitive - no validation
        url = tmpUrl;
    }
}

Compliant Solution

For classes inheriting ISerializable:

[Serializable]
public class InternalUrl : ISerializable
{
    private string url;

    public InternalUrl(string tmpUrl)
    {
        url = tmpUrl;
        validate();
    }

    // Special Deserialization constructor
    protected InternalUrl(SerializationInfo info, StreamingContext context)
    {
       url = (string) info.GetValue("url", typeof(string));
       validate();
     }

    void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("url", url);
    }

    void validate()
    {
        if(!url.StartsWith("http://localhost/"))
        {
            url = "http://localhost/default";
        }
    }
}

For classes inheriting IDeserializationCallback:

[Serializable]
public class InternalUrl : IDeserializationCallback
{
    private string url;

    public InternalUrl(string tmpUrl)
    {
        url = tmpUrl;
        validate();
    }

    void IDeserializationCallback.OnDeserialization(object sender)
    {
        validate();
    }
}

For classes inheriting from neither of previous types:

[Serializable]
public class InternalUrl
{
    private string url;

    public InternalUrl(string tmpUrl)
    {
        if(!tmpUrl.StartsWith("http://localhost/"))
        {
            url = "http://localhost/default";
        }
        else
        {
            url = tmpUrl;
        }
    }
}

See

CWE - CWE-502 - Deserialization of Untrusted Data
OWASP - Top 10 2021 Category A8 - Software and Data Integrity Failures
OWASP - Top 10 2017 Category A8 - Insecure Deserialization
Microsoft - Security And Serialization

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted