How do I fix SCS0028?

Question

Security Scan Warnings in Visual Studio are shown during the build. Currently, I am working on these warnings to get removed. I tried several MSDN sites but no luck. I have also read OWSAP but they are not clearly related to C#.

Code:

public static class XMLUtility
    {
        public static T DeserializeXML<T>(this string xmlString)
        {
            T returnValue = default(T);
            if (string.IsNullOrEmpty(xmlString))
                return returnValue;
            XmlSerializer serial = new XmlSerializer(typeof(T));
            StringReader reader = new StringReader(xmlString);
            object result = serial.Deserialize(reader);
            if (result != null && result is T)
            {
                returnValue = ((T)result);
            }
            return returnValue;
        }
    }

Just a sidenote here: I would recommend you to paste de source in your question instead of just inserting a message, so other users can reproduce the issue. — Gonzo345, Jul 05 '18 at 06:16
btw, have you seen that _"Show potential fixes"_ link? I think you can potentially find a fix for this warning from there — vasily.sib, Jul 05 '18 at 06:34
By looking at the documentation, I can't really find how a vulnerability with `XmlSerializer` could be done. I don't think `XmlSerializer` supports the serialization of `object` properties, so what is serialized/deserialized is "known" and unknown/unplanned objects can't be deserialized. You can't inject a `` element in the xml and hope a `FileStream` will be deserialized. — xanatos, Jul 05 '18 at 08:43
For example [here](https://www.ozkary.com/2012/11/the-type-was-not-expected-use.html) it shows that to deserialize a `object[]` you have to inform the `XmlSerializer` of the extra types it must support. — xanatos, Jul 05 '18 at 08:47
For more: https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization. Page no 26, — Binod, Jul 05 '18 at 09:31
Though we keep the type instead of object, it will not solve the warning problem. — Binod, Jul 05 '18 at 09:32

score 3 · Accepted Answer · answered Jul 24 '18 at 07:31

First of all the warning is valid, because the type T and xmlString are passed from outside and are potentially untrusted (user input). You can check ysoserial.net for a proof of concept.

Code fixers are not implemented for the warning, that is why "Show potential fixes" link doesn't work. There are too many options to fix the issue, so it has to be done manually. Did you click on the SCS0028 link to read about potential solutions?

If the input is trusted the other standard action if you ever worked with any Visual Studio analyzer is Suppress. Here is an article by Microsoft about the functionality.

I find the UI not very intuitive, because you have to click on the underlined piece of code, only then a bubble appears at the beginning of the line where suppress menu is available:

Another place where the menu is available is Error List:

How do I fix SCS0028?

1 Answers1