Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

C# static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code

Tags

Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
"CoSetProxyBlanket" and "CoInitializeSecurity" should not be used
Vulnerability
Database queries should not be vulnerable to injection attacks
Vulnerability
XML parsers should not be vulnerable to XXE attacks
Vulnerability
A secure password should be used when connecting to a database
Vulnerability
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
OS commands should not be vulnerable to command injection attacks
Vulnerability
Classes should implement their "ExportAttribute" interfaces
Bug
Neither "Thread.Resume" nor "Thread.Suspend" should be used
Bug
"SafeHandle.DangerousGetHandle" should not be called
Bug
Type inheritance should not be recursive
Bug
"IDisposables" should be disposed
Bug
SQL keywords should be delimited by whitespace
Bug
Composite format strings should not lead to unexpected behavior at runtime
Bug
Recursion should not be infinite
Bug
Destructors should not throw exceptions
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
Interfaces for durable entities should satisfy the restrictions
Code Smell
Calls to "async" methods should not be blocking in Azure Functions
Code Smell
Exceptions should not be thrown from unexpected methods
Code Smell
"operator==" should not be overloaded on reference types
Code Smell
Type should not be examined on "System.Type" instances
Code Smell
Test method signatures should be correct
Code Smell
Method overloads with default parameter values should not overlap
Code Smell
"value" contextual keyword should be used
Code Smell
"is" should not be used with "this"
Code Smell
Assertions should be complete
Code Smell
Methods named "Dispose" should implement "IDisposable.Dispose"
Code Smell
Tests should include assertions
Code Smell
Silly bit operations should not be performed
Code Smell
Public methods should not have multidimensional array parameters
Code Smell
"async" and "await" should not be used as identifiers
Code Smell
TestCases should contain tests
Code Smell
Short-circuit logic should be used in boolean contexts
Code Smell
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
LDAP connections should be authenticated
Vulnerability
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
Hashes should include an unpredictable salt
Vulnerability
Regular expressions should be syntactically valid
Bug
Non-async "Task/Task<T>" methods should not return null
Bug
Calls to delegate's method "BeginInvoke" should be paired with calls to "EndInvoke"
Bug
"Shared" parts should not be created with "new"
Bug
Getters and setters should access the expected fields
Bug
Right operands of shift operators should be integers
Bug
Shared resources should not be used for locking
Bug
Locks should be released on all paths
Bug
Using publicly writable directories is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Configuring loggers is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Parameter names should match base declaration and other partial definitions
Code Smell
"ValueTask" should be consumed correctly
Code Smell
String offset-based methods should be preferred for finding substrings from offsets
Code Smell
"default" clauses should be first or last
Code Smell
Unread "private" fields should be removed
Code Smell
Base class methods should not be hidden
Code Smell
Inherited member visibility should not be decreased
Code Smell
Threads should not lock on objects with weak identity
Code Smell
A conditionally executed single line should be denoted by indentation
Code Smell
Conditionals should start on new lines
Code Smell
Assemblies should have version information
Code Smell
Exception types should be "public"
Code Smell
Cognitive Complexity of methods should not be too high
Code Smell
"params" should not be introduced on overrides
Code Smell
"[DefaultValue]" should not be used when "[DefaultParameterValue]" is meant
Code Smell
"[Optional]" should not be used on "ref" or "out" parameters
Code Smell
Non-flags enums should not be used in bitwise operations
Code Smell
Inner class members should not shadow outer class "static" or type members
Code Smell
"Explicit" conversions of "foreach" loops should not be used
Code Smell
Instance members should not write to "static" fields
Code Smell
"IndexOf" checks should not be for positive numbers
Code Smell
Whitespace and control characters in string literals should be explicit
Code Smell
Properties should not make collection or array copies
Code Smell
Flags enumerations zero-value members should be named "None"
Code Smell
Overflow checking should not be disabled for "Enumerable.Sum"
Code Smell
Field-like events should not be virtual
Code Smell
Non-constant static fields should not be visible
Code Smell
Silly mathematical comparisons should not be made
Code Smell
Inappropriate casts should not be made
Code Smell
Constructors should only call non-overridable methods
Code Smell
"GC.Collect" should not be called
Code Smell
Methods should not be empty
Code Smell
Exceptions should not be thrown in finally blocks
Code Smell
Method overrides should not change parameter defaults
Code Smell
Applications should not create session cookies from untrusted input
Vulnerability
Types allowed to be deserialized should be restricted
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Members should not have conflicting transparency annotations
Vulnerability
"PartCreationPolicyAttribute" should be used with "ExportAttribute"
Bug
"ConstructorArgument" parameters should exist in constructors
Bug
Windows Forms entry points should be marked with STAThread
Bug
Collection elements should not be replaced unconditionally
Bug
Exceptions should not be created without being thrown
Bug
Collection sizes and array length comparisons should make sense
Bug
Calculations should not overflow
Bug
Serialization event handlers should be implemented correctly
Bug
Deserialization methods should be provided for "OptionalField" members
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Types should be defined in named namespaces
Bug
Empty nullable value should not be accessed
Bug
Nullable type comparison should not be redundant
Bug
Methods with "Pure" attribute should return a value
Bug
One-way "OperationContract" methods should have "void" return type
Bug
Optional parameters should be passed to "base" calls
Bug
Classes should not have only "private" constructors
Bug
Expressions used in "Debug.Assert" should not produce side effects
Bug
Caller information parameters should come at the end of the parameter list
Bug
Static fields should appear in the order they must be initialized
Bug
Classes directly extending "object" should not call "base" in "GetHashCode" or "Equals"
Bug
Anonymous delegates should not be used to unsubscribe from Events
Bug
Delegates should not be subtracted
Bug
"async" methods should not return "void"
Bug
"ThreadStatic" should not be used on non-static fields
Bug
"IDisposables" created in a "using" statement should not be returned
Bug
"ThreadStatic" fields should not be initialized
Bug
"Object.ReferenceEquals" should not be used for value types
Bug
Doubled prefix operators "!!" and "~~" should not be used
Bug
"=+" should not be used instead of "+="
Bug
"NaN" should not be used in comparisons
Bug
Conditionally executed code should be reachable
Bug
Blocks should be synchronized on read-only fields
Bug
Null pointers should not be dereferenced
Bug
For-loop conditions should be true at least once
Bug
A "for" loop update clause should move the counter in the right direction
Bug
"ToString()" method should not return null
Bug
Return values from functions without side effects should not be ignored
Bug
Values should not be uselessly incremented
Bug
Collections should not be passed as arguments to their own methods
Bug
Related "if/else if" statements should not have the same condition
Bug
Objects should not be created to be dropped immediately without being used
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
Not specifying a timeout for regular expressions is security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Deserializing objects without performing data validation is security-sensitive
Security Hotspot
Disabling ASP.NET "Request Validation" feature is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Setting loose file permissions is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot
"goto" statement should not be used
Code Smell
Client instances should not be recreated on each Azure Function invocation
Code Smell
Azure Functions should be stateless
Code Smell
"new Guid()" should not be used
Code Smell
"DebuggerDisplayAttribute" strings should reference existing members
Code Smell
Parameter validation in yielding methods should be wrapped
Code Smell
Events should have proper arguments
Code Smell
Native methods should be wrapped
Code Smell
Methods should not have identical implementations
Code Smell
Non-flags enums should not be marked with "FlagsAttribute"
Code Smell
Classes implementing "IEquatable<T>" should be sealed
Code Smell
"GC.SuppressFinalize" should not be called
Code Smell
Objects should not be disposed more than once
Code Smell
Parameter names used into ArgumentException constructors should match an existing one
Code Smell
"ISerializable" should be implemented correctly
Code Smell
"Assembly.Load" should be used
Code Smell
"IDisposable" should be implemented correctly
Code Smell
"ServiceContract" and "OperationContract" attributes should be used together
Code Smell
Composite format strings should be used correctly
Code Smell
Exceptions should not be explicitly rethrown
Code Smell
"abstract" classes should not have "public" constructors
Code Smell
Assertion arguments should be passed in the correct order
Code Smell
Ternary operators should not be nested
Code Smell
Events should be invoked
Code Smell
"params" should be used on overrides
Code Smell
Generic type parameters should be co/contravariant when possible
Code Smell
Multiple "OrderBy" calls should not be used
Code Smell
"StringBuilder" data should be used
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
Static fields should not be updated in constructors
Code Smell
"IEnumerable" LINQs should be simplified
Code Smell
Fields that are only assigned in the constructor should be "readonly"
Code Smell
Static fields should not be used in generic types
Code Smell
Multiline blocks should be enclosed in curly braces
Code Smell
Boolean expressions should not be gratuitous
Code Smell
Types and methods should not have too many generic parameters
Code Smell
Write-only properties should not be used
Code Smell
Exceptions should not be thrown from property getters
Code Smell
Unused type parameters should be removed
Code Smell
Parameters should be passed in the correct order
Code Smell
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Unused assignments should be removed
Code Smell
Tests should not be ignored
Code Smell
"switch" statements should not have too many "case" clauses
Code Smell
Sections of code should not be commented out
Code Smell
Unused method parameters should be removed
Code Smell
Empty arrays and collections should be returned instead of null
Code Smell
Unused private types or members should be removed
Code Smell
Track uses of "FIXME" tags
Code Smell
"Obsolete" attributes should include explanations
Code Smell
Assignments should not be made from within sub-expressions
Code Smell
General exceptions should never be thrown
Code Smell
Utility classes should not have public constructors
Code Smell
Local variables should not shadow class fields
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Inheritance tree of classes should not be too deep
Code Smell
Nested blocks of code should not be left empty
Code Smell
Methods should not have too many parameters
Code Smell
Collapsible "if" statements should be merged
Code Smell
OS commands should not be vulnerable to argument injection attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Empty collections should not be accessed or iterated
Bug
Mutable, non-private fields should not be "readonly"
Bug
"string.ToCharArray()" and "ReadOnlySpan<T>.ToArray()" should not be called redundantly
Bug
"base.Equals" should not be used to check for reference equality in "Equals" if "base" is not "object"
Bug
Property assignments should not be made for "readonly" fields not constrained to reference types
Bug
Flags enumerations should explicitly initialize all their members
Bug
"GetHashCode" should not reference mutable fields
Bug
Results of integer division should not be assigned to floating point variables
Bug
Integral numbers should not be shifted by zero or more than their number of bits-1
Bug
"Equals(Object)" and "GetHashCode()" should be overridden in pairs
Bug
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Searching OS commands in PATH is security-sensitive
Security Hotspot
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Literal suffixes should be upper case
Code Smell
"string.Create" should be used instead of "FormattableString"
Code Smell
"Contains" should be used instead of "Any" for simple equality checks
Code Smell
"First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods
Code Smell
The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods
Code Smell
"StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"
Code Smell
"Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods
Code Smell
Prefer indexing instead of "Enumerable" methods on types implementing "IList"
Code Smell
The collection should be filtered before sorting by using "Where" before "OrderBy"
Code Smell
Collection-specific "Exists" method should be used instead of the "Any" extension
Code Smell
The collection-specific "TrueForAll" method should be used instead of the "All" extension
Code Smell
"Find" method should be used instead of the "FirstOrDefault" extension
Code Smell
Comments should not be empty
Code Smell
Null checks should not be used with "is"
Code Smell
Method overloads should be grouped together
Code Smell
"params" should be used instead of "varargs"
Code Smell
"static" fields should be initialized inline
Code Smell
Classes that provide "Equals(<T>)" should implement "IEquatable<T>"
Code Smell
Arrays should not be created for params parameters
Code Smell
Jump statements should not be redundant
Code Smell
Member initializer values should not be redundant
Code Smell
Unassigned members should be removed
Code Smell
Empty "case" clauses that fall through to the "default" should be omitted
Code Smell
Parameters with "[DefaultParameterValue]" attributes should also be marked "[Optional]"
Code Smell
Interfaces should not simply inherit from base interfaces with colliding members
Code Smell
Variables should not be checked against the values they're about to be assigned
Code Smell
Methods should not return constants
Code Smell
"private" methods called only by inner classes should be moved to those classes
Code Smell
Attribute, EventArgs, and Exception type names should end with the type being extended
Code Smell
Loops should be simplified with "LINQ" expressions
Code Smell
Namespaces should not be empty
Code Smell
Non-derived "private" classes and records should be "sealed"
Code Smell
"string.IsNullOrEmpty" should be used
Code Smell
Implementations should be provided for "partial" methods
Code Smell
Duplicate casts should not be made
Code Smell
Methods should not return values that are never used
Code Smell
Caller information arguments should not be provided explicitly
Code Smell
Method calls should not resolve ambiguously to overloads with "params"
Code Smell
"catch" clauses should do more than rethrow
Code Smell
Generic exceptions should not be ignored
Code Smell
Mutable fields should not be "public static"
Code Smell
Enumeration type names should not have "Flags" or "Enum" suffixes
Code Smell
Enumeration types should comply with a naming convention
Code Smell
Trivial properties should be auto-implemented
Code Smell
Runtime type checking should be simplified
Code Smell
Classes should not be empty
Code Smell
Boolean checks should not be inverted
Code Smell
Inheritance list should not be redundant
Code Smell
Redundant casts should not be used
Code Smell
Strings should not be concatenated using '+' in a loop
Code Smell
Unused local variables should be removed
Code Smell
Private fields only used as local variables in methods should become local variables
Code Smell
A "while" loop should be used instead of a "for" loop
Code Smell
"Equals" and the comparison operators should be overridden when implementing "IComparable"
Code Smell
Nested code blocks should not be used
Code Smell
Overriding members should do more than simply call the same member in the base class
Code Smell
"Any()" should be used to test for emptiness
Code Smell
Boolean literals should not be redundant
Code Smell
Empty statements should be removed
Code Smell
Fields should not have public accessibility
Code Smell
URIs should not be hardcoded
Code Smell
Types should be named in PascalCase
Code Smell
Track uses of "TODO" tags
Code Smell
Deprecated code should be removed
Code Smell
Classes with "IDisposable" members should implement "IDisposable"
Bug
Calls to "async" methods should not be blocking
Code Smell
Child class fields should not shadow parent class fields
Code Smell
Track lack of copyright and license headers
Code Smell
Exit methods should not be called
Code Smell
Classes should "Dispose" of members from the classes' own "Dispose" methods
Bug
Reading the Standard Input is security-sensitive
Security Hotspot
Using command line arguments is security-sensitive
Security Hotspot
Using Sockets is security-sensitive
Security Hotspot
Encrypting data is security-sensitive
Security Hotspot
Using regular expressions is security-sensitive
Security Hotspot
Interface methods should be callable by derived types
Code Smell
Child class fields should not differ from parent class fields only by capitalization
Code Smell
Pointers to unmanaged memory should not be visible
Code Smell
Number patterns should be regular
Code Smell
"out" and "ref" parameters should not be used
Code Smell
Unchanged local variables should be "const"
Code Smell
"ConfigureAwait(false)" should be used
Code Smell
"interface" instances should not be cast to concrete types
Code Smell
Literal boolean values should not be used in assertions
Code Smell
Optional parameters should not be used
Code Smell
Public constant members should not be used
Code Smell
Array covariance should not be used
Code Smell
"nameof" should be used
Code Smell
Modulus results should not be checked for direct equality
Code Smell
"for" loop increment clauses should modify the loops' counters
Code Smell
"switch" statements should not be nested
Code Smell
Methods and properties should not be too complex
Code Smell
Control flow statements "if", "switch", "for", "foreach", "while", "do" and "try" should not be nested too deeply
Code Smell
"switch/Select" statements should contain a "default/Case Else" clauses
Code Smell
"if ... else if" constructs should end with "else" clauses
Code Smell
Control structures should use curly braces
Code Smell
Expressions should not be too complex
Code Smell
ASP.NET HTTP request validation feature should not be disabled
Vulnerability
Serialization constructors should be secured
Vulnerability
Blocks should not be synchronized on local variables
Bug
Floating point numbers should not be tested for equality
Bug
Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression
Code Smell
Azure Functions should log all failures
Code Smell
Azure Functions should use Structured Error Handling
Code Smell
Use a testable date/time provider
Code Smell
Parameter validation in "async"/"await" methods should be wrapped
Code Smell
"P/Invoke" methods should not be visible
Code Smell
Property names should not match get methods
Code Smell
Locales should be set for data types
Code Smell
Literals should not be passed as localized parameters
Code Smell
Operators should be overloaded consistently
Code Smell
Method signatures should not contain nested generic types
Code Smell
Enumeration members should not be named "Reserved"
Code Smell
"System.Uri" arguments should be used instead of strings
Code Smell
Collection properties should be readonly
Code Smell
Disposable types should declare finalizers
Code Smell
String URI overloads should call "System.Uri" overloads
Code Smell
URI properties should not be strings
Code Smell
URI return values should not be strings
Code Smell
URI Parameters should not be strings
Code Smell
Custom attributes should be marked with "System.AttributeUsageAttribute"
Code Smell
Assemblies should explicitly specify COM visibility
Code Smell
Assemblies should be marked as CLS compliant
Code Smell
"Generic.List" instances should not be part of public APIs
Code Smell
Collections should implement the generic interface
Code Smell
Generic event handlers should be used
Code Smell
Event Handlers should have the correct signature
Code Smell
"Assembly.GetExecutingAssembly" should not be called
Code Smell
Arguments of public methods should be validated against null
Code Smell
Value types should implement "IEquatable<T>"
Code Smell
Finalizers should not be empty
Code Smell
"[ExpectedException]" should not be used
Code Smell
"this" should not be exposed from constructors
Code Smell
Types should not have members with visibility set higher than the type's visibility
Code Smell
Fields should be private
Code Smell
"try" statements with identical "catch" and/or "finally" blocks should be merged
Code Smell
NullReferenceException should not be caught
Code Smell
Functions should not have too many lines of code
Code Smell
"for" loop stop conditions should be invariant
Code Smell
Statements should be on separate lines
Code Smell
Classes should not be coupled to too many other classes (Single Responsibility Principle)
Code Smell
"switch case" clauses should not have too many lines of code
Code Smell
Magic numbers should not be used
Code Smell
Standard outputs should not be used directly to log anything
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
HTTP response headers should not be vulnerable to injection attacks
Vulnerability
Console logging should not be used
Vulnerability
Generic parameters not constrained to reference types should not be compared to "null"
Bug
The length returned from a stream read should be checked
Bug
Method parameters, caught exceptions and foreach variables' initial values should not be ignored
Bug
Controlling permissions is security-sensitive
Security Hotspot
Writing cookies is security-sensitive
Security Hotspot
"ExcludeFromCodeCoverage" attributes should include a justification
Code Smell
Methods should be named according to their synchronicities
Code Smell
Extensions should be in separate namespaces
Code Smell
Extension methods should not extend "object"
Code Smell
Operator overloads should have named alternatives
Code Smell
Non-abstract attributes should be sealed
Code Smell
Overloads with a "StringComparison" parameter should be used
Code Smell
Overloads with a "CultureInfo" or an "IFormatProvider" parameter should be used
Code Smell
Types should not extend outdated base types
Code Smell
Properties should be preferred
Code Smell
Generics should be used when appropriate
Code Smell
Type names should not match namespaces
Code Smell
Strings should be normalized to uppercase
Code Smell
Exceptions should provide standard constructors
Code Smell
Assemblies should be marked with "NeutralResourcesLanguageAttribute"
Code Smell
Interfaces should not be empty
Code Smell
Enumerations should have "Int32" storage
Code Smell
All type parameters should be used in the parameter list to enable type inference
Code Smell
Multidimensional arrays should not be used
Code Smell
"static readonly" constants should be "const" instead
Code Smell
Strings or integral types should be used for indexers
Code Smell
Parameter names should not duplicate the names of their methods
Code Smell
Track use of "NotImplementedException"
Code Smell
Empty "default" clauses should be removed
Code Smell
Redundant property names should be omitted in anonymous classes
Code Smell
Declarations and initializations should be as concise as possible
Code Smell
Default parameter values should not be passed as arguments
Code Smell
Constructor and destructor declarations should not be redundant
Code Smell
Method parameters should be declared with base types
Code Smell
The simplest possible condition syntax should be used
Code Smell
Redundant parentheses should not be used
Code Smell
"GC.SuppressFinalize" should not be invoked for types without destructors
Code Smell
Members should not be initialized to default values
Code Smell
Sequential tests should not check the same condition
Code Smell
Redundant modifiers should not be used
Code Smell
Methods and properties that don't access instance data should be static
Code Smell
"Exception" should not be caught
Code Smell
"sealed" classes should not have "protected" members
Code Smell
Underscores should be used to make large numbers readable
Code Smell
"ToString()" calls should not be redundant
Code Smell
"==" should not be used when "Equals" is overridden
Code Smell
An abstract class should have both abstract and concrete methods
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Culture should be specified for "string" operations
Code Smell
"switch" statements should have at least 3 "case" clauses
Code Smell
break statements should not be used except for switch cases
Code Smell
String literals should not be duplicated
Code Smell
Files should contain an empty newline at the end
Code Smell
Unused "using" should be removed
Code Smell
A close curly brace should be located at the beginning of a line
Code Smell
Tabulation characters should not be used
Code Smell
Methods and properties should be named in PascalCase
Code Smell
Track uses of in-source issue suppressions
Code Smell

Types allowed to be deserialized should be restricted

Vulnerability

MajorSonarSource default severity
click to learn more

Why is this an issue?

During the deserialization process, the state of an object will be reconstructed from the serialized data stream which can contain dangerous operations.

For example, a well-known attack vector consists in serializing an object of type TempFileCollection with arbitrary files (defined by an attacker) which will be deleted on the application deserializing this object (when the finalize() method of the TempFileCollection object is called). This kind of types are called "gadgets".

Instead of using BinaryFormatter and similar serializers, it is recommended to use safer alternatives in most of the cases, such as XmlSerializer or DataContractSerializer. If it’s not possible then try to mitigate the risk by restricting the types allowed to be deserialized:

by implementing an "allow-list" of types, but keep in mind that novel dangerous types are regularly discovered and this protection could be insufficient over time.
or/and implementing a tamper protection, such as message authentication codes (MAC). This way only objects serialized with the correct MAC hash will be deserialized.

Noncompliant code example

For BinaryFormatter, NetDataContractSerializer, SoapFormatter serializers:

var myBinaryFormatter = new BinaryFormatter();
myBinaryFormatter.Deserialize(stream); // Noncompliant: a binder is not used to limit types during deserialization

JavaScriptSerializer should not use SimpleTypeResolver or other weak resolvers:

JavaScriptSerializer serializer1 = new JavaScriptSerializer(new SimpleTypeResolver()); // Noncompliant: SimpleTypeResolver is unsecure (every types is resolved)
serializer1.Deserialize<ExpectedType>(json);

LosFormatter should not be used without MAC verification:

LosFormatter formatter = new LosFormatter(); // Noncompliant
formatter.Deserialize(fs);

Compliant solution

BinaryFormatter, NetDataContractSerializer , SoapFormatter serializers should use a binder implementing a whitelist approach to limit types during deserialization (at least one exception should be thrown or a null value returned):

sealed class CustomBinder : SerializationBinder
{
   public override Type BindToType(string assemblyName, string typeName)
   {
       if (!(typeName == "type1" || typeName == "type2" || typeName == "type3"))
       {
          throw new SerializationException("Only type1, type2 and type3 are allowed"); // Compliant
       }
       return Assembly.Load(assemblyName).GetType(typeName);
   }
}

var myBinaryFormatter = new BinaryFormatter();
myBinaryFormatter.Binder = new CustomBinder();
myBinaryFormatter.Deserialize(stream);

JavaScriptSerializer should use a resolver implementing a whitelist to limit types during deserialization (at least one exception should be thrown or a null value returned):

public class CustomSafeTypeResolver : JavaScriptTypeResolver
{
   public override Type ResolveType(string id)
   {
      if(id != "ExpectedType") {
         throw new ArgumentNullException("Only ExpectedType is allowed during deserialization"); // Compliant
      }
      return Type.GetType(id);
   }
}

JavaScriptSerializer serializer = new JavaScriptSerializer(new CustomSafeTypeResolver()); // Compliant
serializer.Deserialize<ExpectedType>(json);

LosFormatter serializer with MAC verification:

LosFormatter formatter = new LosFormatter(true, secret); // Compliant
formatter.Deserialize(fs);

Resources

OWASP Top 10 2021 Category A8 - Software and Data Integrity Failures
docs.microsoft.com - BinaryFormatter security guide
OWASP Top 10 2017 Category A8 - Insecure Deserialization
MITRE, CWE-134 - Use of Externally-Controlled Format String
MITRE, CWE-502 - Deserialization of Untrusted Data
SANS Top 25 - Risky Resource Management
OWASP Deserialization Cheat Sheet

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted