
I have the following C# code which is getting a "high" error from Checkmarx. I can't see anything wrong with it.

using System;
using System.Collections.Generic;
using System.IO;
using Newtonsoft.Json;

// Read the JSON file from the application's DataDirectory.
var dataDirectoryPath = AppDomain.CurrentDomain.GetData("DataDirectory").ToString();
var json = File.ReadAllText($"{dataDirectoryPath}{Path.DirectorySeparatorChar}somefile.json");

// TypeNameHandling.None: any "$type" metadata in the JSON is not used to pick a type.
var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
var targetPathSettings = JsonConvert.DeserializeObject<List<TargetPathSetting>>(json, settings);

It gives this error:

The serialized object ReadAllText processed in xxx in the file yyy is deserialized by DeserializeObject in the file zzz

The C# code is as follows:

public class TargetPathSetting
{
    public string PathSettingName { get; set; }
    public PathSetting PathSetting { get; set; }
}


public class PathSetting
{
    public string BaseUrl { get; set; }
    public string ApplicationIdUri { get; set; }
}

I can't see how anything that would ever be in the file could cause any sort of problem, especially with the TypeNameHandling.None setting.

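The setting the question relies on can be checked directly. The following is an added example, not the original poster's code, built with the same two classes and a constructed sample input that carries an unexpected "$type" property. It shows that with TypeNameHandling.None the "$type" value is ignored and the declared List&lt;TargetPathSetting&gt; is what gets built, and, for the case where type metadata genuinely has to be honoured (polymorphic config), how to pin it to an allowlist with an ISerializationBinder so that unlisted type names are rejected before anything is instantiated. The class name AllowListBinder and the sample JSON are assumptions made for this example.

```csharp
// Added example (not the poster's or Checkmarx's code). Requires Newtonsoft.Json 10+
// for JsonSerializerSettings.SerializationBinder / ISerializationBinder.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public class TargetPathSetting
{
    public string PathSettingName { get; set; }
    public PathSetting PathSetting { get; set; }
}

public class PathSetting
{
    public string BaseUrl { get; set; }
    public string ApplicationIdUri { get; set; }
}

// Hypothetical allowlist binder: only the types this config is expected to contain
// may be named in "$type" metadata; everything else is refused.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(TargetPathSetting).FullName] = typeof(TargetPathSetting),
        [typeof(PathSetting).FullName] = typeof(PathSetting),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        // Json.NET wraps this in a JsonSerializationException ("Error resolving type ...").
        throw new JsonSerializationException($"Type '{typeName}' is not on the allowlist.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    // Constructed sample input: the expected file shape plus a "$type" property
    // that a TargetPathSetting would never legitimately carry.
    private const string SampleJson = @"[
      { ""$type"": ""System.Object, mscorlib"",
        ""PathSettingName"": ""api"",
        ""PathSetting"": { ""BaseUrl"": ""https://example.invalid"", ""ApplicationIdUri"": ""api://example"" } }
    ]";

    // The poster's configuration: "$type" is consumed as metadata but never resolved,
    // so the result is always the declared List<TargetPathSetting>.
    public static List<TargetPathSetting> LoadIgnoringTypeNames(string json)
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        return JsonConvert.DeserializeObject<List<TargetPathSetting>>(json, settings);
    }

    // Only for configs that really need polymorphic types: honour "$type", but only
    // for names the binder allows. Unlisted names throw before any object is created.
    public static List<TargetPathSetting> LoadWithAllowList(string json)
    {
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder()
        };
        return JsonConvert.DeserializeObject<List<TargetPathSetting>>(json, settings);
    }

    public static void Main()
    {
        var safe = LoadIgnoringTypeNames(SampleJson);
        Console.WriteLine($"None: {safe.Count} item(s), first = {safe[0].PathSettingName}, " +
                          $"type = {safe[0].GetType().Name}");

        try
        {
            LoadWithAllowList(SampleJson);
            Console.WriteLine("Objects + allowlist: accepted");
        }
        catch (JsonSerializationException ex)
        {
            Console.WriteLine($"Objects + allowlist: rejected ({ex.Message})");
        }
    }
}
```

The first call is the behaviour the question describes: the stray "$type" is ignored and the output is a list of one TargetPathSetting. The second call shows the shape of a fix that a scanner can more readily recognise when type metadata cannot simply be switched off: a binder that resolves only an explicit set of types.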

1 Answer


The problem is with the standard Checkmarx query for C#. In this case, Checkmarx does not recognize the correction of this code. To fix it you should use CxAudit and modify this query.

  • 5
  • Please [edit] this answer to explain how to modify the query and possibly also explain how to use CxAudit. – AdrianHHH Oct 11 '19 at 08:41
  • CxAudit is a product add-on of Checkmarx. Check the Checkmarx wiki for usage and more. But this is a tricky thing to do if you don't know how to. – SPoint Nov 22 '19 at 10:59