Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
AzureResourceManager
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

VB.NET static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your VB.NET code

Tags

Classes should implement their "ExportAttribute" interfaces
Bug
"Thread.Resume" and "Thread.Suspend" should not be used
Bug
"SafeHandle.DangerousGetHandle" should not be called
Bug
Type inheritance should not be recursive
Bug
Finalize method should not throw exceptions
Bug
Hard-coded credentials are security-sensitive
Security Hotspot
Unnecessary bit operations should not be performed
Code Smell
Child class fields should not shadow parent class fields
Code Smell
Public methods should not have multidimensional array parameters
Code Smell
Short-circuit logic should be used in boolean contexts
Code Smell
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Hashes should include an unpredictable salt
Vulnerability
Regular expressions should be syntactically valid
Bug
Non-async "Task/Task<T>" methods should not return null
Bug
Calls to delegate's method "BeginInvoke" should be paired with calls to "EndInvoke"
Bug
"Shared" parts should not be created with "new"
Bug
Property procedures should access the expected fields
Bug
Right operands of shift operators should be integers
Bug
Shared resources should not be used for locking
Bug
Locks should be released on all paths
Bug
Using publicly writable directories is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Configuring loggers is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
Parameter names should match base declaration
Code Smell
"Option Explicit" should be enabled
Code Smell
Threads should not lock on objects with weak identity
Code Smell
Assemblies should have version information
Code Smell
Exception types should be "Public"
Code Smell
Cognitive Complexity of methods should not be too high
Code Smell
"IndexOf" checks should not be for positive numbers
Code Smell
Properties should not make collection or array copies
Code Smell
Flags enumerations zero-value members should be named "None"
Code Smell
"Do" loops should not be used without a "While" or "Until" condition
Code Smell
The "&" operator should be used to concatenate strings
Code Smell
Methods should not be empty
Code Smell
Exceptions should not be thrown in finally blocks
Code Smell
Types allowed to be deserialized should be restricted
Vulnerability
"PartCreationPolicyAttribute" should be used with "ExportAttribute"
Bug
"ConstructorArgument" parameters should exist in constructors
Bug
Windows Forms entry points should be marked with STAThread
Bug
Map values should not be replaced unconditionally
Bug
Collection sizes and array length comparisons should make sense
Bug
Calculations should not overflow
Bug
Serialization event handlers should be implemented correctly
Bug
Deserialization methods should be provided for "OptionalField" members
Bug
All branches in a conditional structure should not have exactly the same implementation
Bug
Types should be defined in named namespaces
Bug
Empty nullable value should not be accessed
Bug
Methods with "Pure" attribute should return a value
Bug
One-way "OperationContract" methods should have "void" return type
Bug
Optional parameters should be passed to "base" calls
Bug
Classes should not have only "private" constructors
Bug
'Not' boolean operator should not be repeated
Bug
Non-existent operators like "=+" should not be used
Bug
Conditionally executed code should be reachable
Bug
Null pointers should not be dereferenced
Bug
"ToString()" method should not return Nothing
Bug
Related "If/ElseIf" statements should not have the same condition
Bug
Identical expressions should not be used on both sides of a binary operator
Bug
Loops with at most one iteration should be refactored
Bug
Variables should not be self-assigned
Bug
Not specifying a timeout for regular expressions is security-sensitive
Security Hotspot
Disabling ASP.NET "Request Validation" feature is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
"GoTo" statements should not be used
Code Smell
Use a format provider when parsing date and time
Code Smell
Use "TimeZoneInfo.FindSystemTimeZoneById" without converting the timezones with "TimezoneConverter"
Code Smell
Always set the "DateTimeKind" when creating new "DateTime" instances
Code Smell
Avoid using "DateTime.Now" for benchmarking or timing operations
Code Smell
"Option Strict" should be enabled
Code Smell
"Return" statements should be used instead of assigning values to function names
Code Smell
"new Guid()" should not be used
Code Smell
"DebuggerDisplayAttribute" strings should reference existing members
Code Smell
Methods should not have identical implementations
Code Smell
Objects should not be disposed more than once
Code Smell
"Exit" statements should not be used
Code Smell
If operators should not be nested
Code Smell
"StringBuilder" data should be used
Code Smell
Reflection should not be used to increase accessibility of classes, methods, or fields
Code Smell
"Thread.Sleep" should not be used in tests
Code Smell
Boolean expressions should not be gratuitous
Code Smell
Write-only properties should not be used
Code Smell
Exceptions should not be thrown from property getters
Code Smell
"On Error" statements should not be used
Code Smell
"IsNot" should be used instead of "Not ... Is ..."
Code Smell
Indexed properties with more than one parameter should not be used
Code Smell
Arguments should be passed in the same order as the procedure parameters
Code Smell
Classes named like "Exception" should extend "Exception" or a subclass
Code Smell
Invalid casts should be avoided
Code Smell
Two branches in a conditional structure should not have exactly the same implementation
Code Smell
Method parameters should follow a naming convention
Code Smell
Functions and procedures should comply with a naming convention
Code Smell
"Select Case" statements should not have too many "Case" clauses
Code Smell
Unused procedure parameters should be removed
Code Smell
Track uses of "FIXME" tags
Code Smell
"Obsolete" attributes should include explanations
Code Smell
General exceptions should never be thrown
Code Smell
Redundant pairs of parentheses should be removed
Code Smell
Nested blocks of code should not be left empty
Code Smell
Procedures should not have too many parameters
Code Smell
Collapsible "if" statements should be merged
Code Smell
Empty collections should not be accessed or iterated
Bug
Date and time should not be used as a type for primary keys
Bug
Flags enumerations should explicitly initialize all their members
Bug
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Searching OS commands in PATH is security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot
"Contains" should be used instead of "Any" for simple equality checks
Code Smell
"First" and "Last" properties of "LinkedList" should be used instead of the "First()" and "Last()" extension methods
Code Smell
The lambda parameter should be used instead of capturing arguments in "ConcurrentDictionary" methods
Code Smell
"StartsWith" and "EndsWith" overloads that take a "char" should be used instead of the ones that take a "string"
Code Smell
"Min/Max" properties of "Set" types should be used instead of the "Enumerable" extension methods
Code Smell
Prefer indexing instead of "Enumerable" methods on types implementing "IList"
Code Smell
The collection should be filtered before sorting by using "Where" before "OrderBy"
Code Smell
Collection-specific "Exists" method should be used instead of the "Any" extension
Code Smell
The collection-specific "TrueForAll" method should be used instead of the "All" extension
Code Smell
"Find" method should be used instead of the "FirstOrDefault" extension
Code Smell
Use the "UnixEpoch" field instead of creating "DateTime" instances that point to the beginning of the Unix epoch
Code Smell
Comments should not be empty
Code Smell
Null checks should not be used with "TypeOf Is"
Code Smell
Method overloads should be grouped together
Code Smell
Arrays should not be created for ParamArray parameters
Code Smell
VB.Net: "Exit Select" statements should not be used redundantly
Code Smell
"catch" clauses should do more than rethrow
Code Smell
"With" statements should be used for a series of calls to the same object
Code Smell
Array literals should be used instead of array creation expressions
Code Smell
Event names should not have "Before" or "After" as a prefix or suffix
Code Smell
Event handlers should comply with a naming convention
Code Smell
Enumeration type names should not have "Flags" or "Enum" suffixes
Code Smell
Enumeration types should comply with a naming convention
Code Smell
Namespace names should comply with a naming convention
Code Smell
Classes should not be empty
Code Smell
Boolean checks should not be inverted
Code Smell
Strings should not be concatenated using "+" or "&" in a loop
Code Smell
Unused local variables should be removed
Code Smell
Array designators "()" should be on the type, not the variable
Code Smell
Local variable names should comply with a naming convention
Code Smell
"Any()" should be used to test for emptiness
Code Smell
Interface names should comply with a naming convention
Code Smell
Boolean literals should not be redundant
Code Smell
URIs should not be hardcoded
Code Smell
Class names should comply with a naming convention
Code Smell
Track uses of "TODO" tags
Code Smell
Deprecated code should be removed
Code Smell
"CoSetProxyBlanket" and "CoInitializeSecurity" should not be used
Vulnerability
Track lack of copyright and license headers
Code Smell
"End" statements should not be used
Code Smell
Child class fields should not differ from parent class fields only by capitalization
Code Smell
"IIf" should not be used
Code Smell
Signed types should be preferred to unsigned ones
Code Smell
Optional parameters should not be used
Code Smell
Public constant members should not be used
Code Smell
"NameOf" should be used
Code Smell
"Select Case" statements should not be nested
Code Smell
Functions, procedures and properties should not be too complex
Code Smell
Control flow statements "If", "For", "For Each", "Do", "While", "Select" and "Try" should not be nested too deeply
Code Smell
"Select" statements should end with a "Case Else" clause
Code Smell
"If ... ElseIf" constructs should end with "Else" clauses
Code Smell
Expressions should not be too complex
Code Smell
Use "DateTimeOffset" instead of "DateTime"
Code Smell
Use UTC when recording DateTime instants
Code Smell
Use a testable date/time provider
Code Smell
Assemblies should explicitly specify COM visibility
Code Smell
Assemblies should be marked as CLS compliant
Code Smell
Arguments of public methods should be validated against Nothing
Code Smell
Value types should implement "IEquatable<T>"
Code Smell
"[ExpectedException]" should not be used
Code Smell
Fields should be private
Code Smell
Procedures should not have too many lines of code
Code Smell
Statements should be on separate lines
Code Smell
"Select...Case" clauses should not have too many lines of code
Code Smell
Files should not have too many lines of code
Code Smell
Lines should not be too long
Code Smell
Method parameters and caught exceptions should not be reassigned
Bug
Don't hardcode the format when turning dates and times to strings
Code Smell
"ExcludeFromCodeCoverage" attributes should include a justification
Code Smell
Extension methods should not extend "Object"
Code Smell
Non-abstract attributes should be sealed
Code Smell
"ByVal" should not be used
Code Smell
Arrays should be initialized using the "... = {}" syntax
Code Smell
Generic type parameter names should comply with a naming convention
Code Smell
Non-private "Shared ReadOnly" fields should comply with a naming convention
Code Smell
Non-private fields should comply with a naming convention
Code Smell
Non-private constants should comply with a naming convention
Code Smell
Properties should comply with a naming convention
Code Smell
"Private" fields should comply with a naming convention
Code Smell
"Private Shared ReadOnly" fields should comply with a naming convention
Code Smell
Private constants should comply with a naming convention
Code Smell
Line continuations should not be used
Code Smell
Indexed properties should be named "Item"
Code Smell
Events should comply with a naming convention
Code Smell
Enumeration values should comply with a naming convention
Code Smell
Multiple variables should not be declared on the same line
Code Smell
Comments should not be located at the end of lines of code
Code Smell
"Select" statements should have at least 3 "Case" clauses
Code Smell
String literals should not be duplicated
Code Smell
Generic type parameter names should comply with a naming convention
Code Smell
Tabulation characters should not be used
Code Smell

Types allowed to be deserialized should be restricted

Vulnerability

MajorSonarSource default severity
click to learn more

Why is this an issue?

During the deserialization process, the state of an object will be reconstructed from the serialized data stream which can contain dangerous operations.

For example, a well-known attack vector consists in serializing an object of type TempFileCollection with arbitrary files (defined by an attacker) which will be deleted on the application deserializing this object (when the finalize() method of the TempFileCollection object is called). This kind of types are called "gadgets".

Instead of using BinaryFormatter and similar serializers, it is recommended to use safer alternatives in most of the cases, such as XmlSerializer or DataContractSerializer. If it’s not possible then try to mitigate the risk by restricting the types allowed to be deserialized:

by implementing an "allow-list" of types, but keep in mind that novel dangerous types are regularly discovered and this protection could be insufficient over time.
or/and implementing a tamper protection, such as message authentication codes (MAC). This way only objects serialized with the correct MAC hash will be deserialized.

Noncompliant code example

For BinaryFormatter, NetDataContractSerializer, SoapFormatter serializers:

Dim myBinaryFormatter = New BinaryFormatter()
myBinaryFormatter.Deserialize(stream) ' Noncompliant: a binder is not used to limit types during deserialization

JavaScriptSerializer should not use SimpleTypeResolver or other weak resolvers:

Dim serializer1 As JavaScriptSerializer = New JavaScriptSerializer(New SimpleTypeResolver()) ' Noncompliant: SimpleTypeResolver is unsecure (every types is resolved)
serializer1.Deserialize(Of ExpectedType)(json)

LosFormatter should not be used without MAC verification:

Dim formatter As LosFormatter = New LosFormatter() ' Noncompliant
formatter.Deserialize(fs)

Compliant solution

BinaryFormatter, NetDataContractSerializer , SoapFormatter serializers should use a binder implementing a whitelist approach to limit types during deserialization (at least one exception should be thrown or a null value returned):

NotInheritable Class CustomBinder
    Inherits SerializationBinder
    Public Overrides Function BindToType(assemblyName As String, typeName As String) As Type
        If Not (Equals(typeName, "type1") OrElse Equals(typeName, "type2") OrElse Equals(typeName, "type3")) Then
            Throw New SerializationException("Only type1, type2 and type3 are allowed") ' Compliant
        End If
        Return Assembly.Load(assemblyName).[GetType](typeName)
    End Function
End Class

Dim myBinaryFormatter = New BinaryFormatter()
myBinaryFormatter.Binder = New CustomBinder()
myBinaryFormatter.Deserialize(stream)

JavaScriptSerializer should use a resolver implementing a whitelist to limit types during deserialization (at least one exception should be thrown or a null value returned):

Public Class CustomSafeTypeResolver
    Inherits JavaScriptTypeResolver
    Public Overrides Function ResolveType(id As String) As Type
        If Not Equals(id, "ExpectedType") Then
            Throw New ArgumentNullException("Only ExpectedType is allowed during deserialization") ' Compliant
        End If
        Return Type.[GetType](id)
    End Function
End Class

Dim serializer As JavaScriptSerializer = New JavaScriptSerializer(New CustomSafeTypeResolver()) ' Compliant
serializer.Deserialize(Of ExpectedType)(json)

LosFormatter serializer with MAC verification:

Dim formatter As LosFormatter = New LosFormatter(True, secret) ' Compliant
formatter.Deserialize(fs)

Resources

OWASP Top 10 2021 Category A8 - Software and Data Integrity Failures
docs.microsoft.com - BinaryFormatter security guide
OWASP Top 10 2017 Category A8 - Insecure Deserialization
MITRE, CWE-134 - Use of Externally-Controlled Format String
MITRE, CWE-502 - Deserialization of Untrusted Data
SANS Top 25 - Risky Resource Management
OWASP Deserialization Cheat Sheet

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy | Cookie Policy

In-IDE

SaaS

Self-Hosted