NeelAK
Guest
Hi,
I have generic deserialization code in my utility class. Below is the code sample. When we performed a security scan on our code, we got the 'Deserialization of Untrusted Data' vulnerability at Line 3. Deserialization of an XML file seems to be pretty common. I am not sure how we fix this issue. Can anyone guide me on this?
public static T DeserializeXmlFile<T>(string xmlFilePath)
{
    try
    {
        XmlSerializer xs = GetSerializer(typeof(T)); //Line#1
        // using guarantees the stream is closed even if Deserialize throws
        using (FileStream fs = new FileStream(xmlFilePath, FileMode.Open)) //Line#2
        {
            var result = (T)xs.Deserialize(fs); //Line #3
            return result; //Line#4 (stream closed by using), //Line#5
        }
    }
    catch (Exception ex)
    {
        LogException("Deserialization exception: " + ex.Message);
        return default(T);
    }
}
Regards,
NAK
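Added example (not the poster's code) of how the helper above can be hardened against the finding: the type is fixed by the compile-time generic parameter, the reader forbids DTDs and external resolution (which closes the XXE and entity-expansion paths), the file size is bounded, and the streams are disposed. The size limit and the fail-closed exceptions are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

public static class SafeXmlFile
{
    // Constructed upper bound for the input file; tune for your data.
    private const long MaxFileBytes = 10 * 1024 * 1024;

    // Remove the XML-level attack surface: no DTDs (XXE, entity expansion)
    // and no resolver (nothing is fetched from disk or network).
    private static readonly XmlReaderSettings SafeSettings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
        MaxCharactersFromEntities = 1024,
        MaxCharactersInDocument = MaxFileBytes,
        IgnoreProcessingInstructions = true
    };

    public static T DeserializeXmlFile<T>(string xmlFilePath) where T : class
    {
        // Fail closed instead of returning default(T): the caller must see the failure.
        var info = new FileInfo(xmlFilePath);
        if (!info.Exists || info.Length > MaxFileBytes)
            throw new InvalidDataException("XML file missing or larger than allowed.");

        // The target type comes from the generic parameter, never from the
        // document, so the data cannot choose which type gets instantiated.
        var serializer = new XmlSerializer(typeof(T));

        using (var fs = new FileStream(xmlFilePath, FileMode.Open, FileAccess.Read, FileShare.Read))
        using (var reader = XmlReader.Create(fs, SafeSettings))
        {
            // Reject documents whose root element does not correspond to T.
            if (!serializer.CanDeserialize(reader))
                throw new InvalidDataException("Root element does not match " + typeof(T).Name);
            return (T)serializer.Deserialize(reader);
        }
    }
}
```

Scanners flag XmlSerializer.Deserialize as a pattern; what justifies the call is that T is fixed at compile time and the reader settings forbid DTDs, so keep both visible at the flagged line when you document the finding.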