C#-CWE-502

Deserialization of untrusted data may lead to remote code execution or arbitrary object instantiation (CWE-502)

Required inputs: CSharpAST

This rule detects **deserialization of untrusted data (CWE-502)**. The simplest and most common mistake is allowing attacker-controlled type metadata when using Json.NET. Vulnerable example (attacker can control `$type` and force instantiation of arbitrary types):

```csharp
using Newtonsoft.Json;

public static object DangerousJsonDeserialize(string json)
{
    var settings = new JsonSerializerSettings
    {
        // Dangerous for untrusted JSON: a "$type" property in the input selects the type to instantiate
        TypeNameHandling = TypeNameHandling.Auto
    };
    return JsonConvert.DeserializeObject(json, settings);
}
```

Simple safe alternative: deserialize to a concrete DTO (so `$type` is not honored) or leave `TypeNameHandling` at its default of `TypeNameHandling.None`:

```csharp
using Newtonsoft.Json;

public class MyDto { public string Name { get; set; } }

public static MyDto SafeJsonDeserialize(string json)
{
    // Concrete target type and default settings (TypeNameHandling.None):
    // any "$type" metadata in the input is ignored, so only MyDto can be created.
    return JsonConvert.DeserializeObject<MyDto>(json);
}
```

Keep it simple: **don't accept `$type` from untrusted JSON**; if you need polymorphism, use a strict whitelist/binder or a safe factory.
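The two mitigations named above, a strict binder for polymorphic Json.NET payloads and a safe factory in place of `Type.GetType`/`Activator.CreateInstance` on external data, as an added example that is not part of the rule's own documentation. The `Shape`/`Circle`/`Square` types, the `AllowListBinder` class, the `CreateShape` factory and the sample JSON are all constructed for this illustration; only the Json.NET APIs (`ISerializationBinder`, `JsonSerializerSettings.SerializationBinder`, `TypeNameHandling.Objects`) are real.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Constructed domain types for the example.
public abstract class Shape { }
public sealed class Circle : Shape { public double Radius { get; set; } }
public sealed class Square : Shape { public double Side { get; set; } }

// Strict allow-list binder: "$type" values are looked up in a fixed table of
// short names. Anything not registered is rejected before any type is resolved
// or instantiated; the name in the JSON is never treated as a .NET type name.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _byName = new Dictionary<string, Type>(StringComparer.Ordinal);
    private readonly Dictionary<Type, string> _byType = new Dictionary<Type, string>();

    public AllowListBinder Allow(string name, Type type)
    {
        _byName[name] = type;
        _byType[type] = name;
        return this;
    }

    public Type BindToType(string assemblyName, string typeName)
    {
        if (_byName.TryGetValue(typeName, out var type)) return type;
        throw new JsonSerializationException($"Type name '{typeName}' is not on the allow list.");
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        if (!_byType.TryGetValue(serializedType, out typeName))
            throw new JsonSerializationException($"Type '{serializedType}' is not on the allow list.");
        assemblyName = null; // short names only; no assembly-qualified metadata is emitted
    }
}

public static class SafePolymorphism
{
    public static JsonSerializerSettings Settings()
    {
        var binder = new AllowListBinder()
            .Allow("circle", typeof(Circle))
            .Allow("square", typeof(Square));

        return new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects, // "$type" is read for object values...
            SerializationBinder = binder                 // ...but resolved only through the allow list
        };
    }

    // Safe factory for the Type.GetType/Activator.CreateInstance pattern: the external
    // string selects one of a fixed set of constructors and never reaches reflection.
    private static readonly IReadOnlyDictionary<string, Func<Shape>> Factories =
        new Dictionary<string, Func<Shape>>(StringComparer.Ordinal)
        {
            ["circle"] = () => new Circle(),
            ["square"] = () => new Square(),
        };

    public static Shape CreateShape(string kind)
    {
        if (Factories.TryGetValue(kind, out var make)) return make();
        throw new ArgumentException($"Unknown shape kind '{kind}'.", nameof(kind));
    }

    public static void Main()
    {
        var settings = Settings();

        // Constructed input: an allow-listed "$type" deserializes normally.
        const string ok = "{\"$type\":\"circle\",\"Radius\":2.0}";
        var shape = JsonConvert.DeserializeObject<Shape>(ok, settings);
        Console.WriteLine(shape is Circle c ? $"circle r={c.Radius}" : "unexpected");

        // Constructed input: a "$type" outside the allow list is rejected by the binder
        // (Json.NET surfaces the failure as a JsonSerializationException).
        const string bad = "{\"$type\":\"Some.Other.Type, SomeAssembly\",\"Radius\":2.0}";
        try { JsonConvert.DeserializeObject<Shape>(bad, settings); }
        catch (JsonSerializationException e) { Console.WriteLine("rejected: " + e.Message); }

        // The factory gives the same closed-world guarantee for non-JSON inputs.
        Console.WriteLine(CreateShape("square").GetType().Name);
    }
}
```

The binder throws instead of returning `null` so that an unknown name can never fall through to Json.NET's default type resolution, and `BindToName` is restricted to the same table so serialization cannot emit a `$type` the deserializer would later refuse.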

Possible Messages

| Key | Text | Severity | Disabled |
| --- | --- | --- | --- |
| tainted_activator | Unsafe type instantiation from untrusted input: avoid Type.GetType/Activator.CreateInstance on external data. | None | False |
| tainted_json | TypeNameHandling.Auto is not allowed. Use concrete types. | None | False |

Options