ReadLine caught in security scan as deserialization of untrusted data

Thread starter: MLAMHA (Guest)
Need help in identifying the issue.

using System;
using System.IO;
using System.Text;

public static class FileUtility
{
    public static String LoadTextFile(String path)
    {
        StringBuilder sb = new StringBuilder();
        using (StreamReader reader = new FileInfo(path).OpenText())
        {
            String text;
            // ReadLine returns null at end of file. AppendLine keeps the line breaks
            // so the file contents round-trip intact (Append silently dropped them).
            while ((text = reader.ReadLine()) != null)
            {
                sb.AppendLine(text);
            }
        }

        return sb.ToString();
    }
}

Calling Method:

using System;
using System.IO;
using System.Text;
using System.Xml.Serialization;

private MessageConfig LoadConfig()
{
    string xml = FileUtility.LoadTextFile(Environment.CurrentDirectory + @"\test.config");
    XmlSerializer ser = new XmlSerializer(typeof(MessageConfig));
    // Dispose the stream once the object graph has been built.
    using (MemoryStream ms = new MemoryStream(new UTF8Encoding().GetBytes(xml)))
    {
        return (MessageConfig)ser.Deserialize(ms);
    }
}


Violation Message:

The serialized object ReadLine processed in LoadTextFile in the file Test\FileUtility.cs at line 13 is deserialized by Deserialize in the file Test\Simulator.cs at line 368

Though the XmlSerializer is deserializing the memory stream to a predefined type, ReadLine is caught in code scans with the above violation. Please suggest a solution.
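A hardened way to load the same file, added here as an illustration rather than code from the thread: it drops the ReadLine, string and MemoryStream round trip and deserializes straight from an XmlReader with DTD processing and external resolution disabled, so the raw-text flow the scanner reported into Deserialize no longer exists and the parse itself is constrained to a fixed type. The MessageConfig fields and the Validate ranges are assumptions, since the post does not show the type.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Assumed shape of the config type; the thread does not show it.
public class MessageConfig
{
    public string QueueName { get; set; }
    public int MaxRetries { get; set; }
}

public static class ConfigLoader
{
    // Read test.config through a locked-down XmlReader instead of
    // ReadLine -> string -> MemoryStream -> Deserialize.
    public static MessageConfig LoadConfig(string directory)
    {
        string path = Path.Combine(directory, "test.config");
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject DOCTYPE: no entity expansion, no XXE
            XmlResolver = null,                     // never fetch external resources
            MaxCharactersInDocument = 1024 * 1024,  // a config file has no business being larger
            IgnoreComments = true,
            IgnoreProcessingInstructions = true,
        };

        var serializer = new XmlSerializer(typeof(MessageConfig)); // type fixed at compile time
        using (XmlReader reader = XmlReader.Create(path, settings))
        {
            // Refuse documents whose root element is not <MessageConfig>.
            if (!serializer.CanDeserialize(reader))
                throw new InvalidDataException("test.config is not a MessageConfig document");

            return Validate((MessageConfig)serializer.Deserialize(reader));
        }
    }

    // Treat the deserialized object as untrusted input until its values are checked.
    private static MessageConfig Validate(MessageConfig config)
    {
        if (string.IsNullOrWhiteSpace(config.QueueName) || config.QueueName.Length > 128)
            throw new InvalidDataException("QueueName missing or longer than 128 characters");
        if (config.MaxRetries < 0 || config.MaxRetries > 10)
            throw new InvalidDataException("MaxRetries must be between 0 and 10");
        return config;
    }
}
```

Call it as `ConfigLoader.LoadConfig(Environment.CurrentDirectory)` in place of the original LoadConfig; the source file path still comes from the application, not from user input, and the Type passed to XmlSerializer is never derived from the file.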
