diff --git a/src/Common/tests/TestUtilities/BinarySerialization.cs b/src/Common/tests/TestUtilities/BinarySerialization.cs
index 8aa82e3d8db..167c15bfafd 100644
--- a/src/Common/tests/TestUtilities/BinarySerialization.cs
+++ b/src/Common/tests/TestUtilities/BinarySerialization.cs
@@ -68,14 +68,17 @@ static object FromByteArray(byte[] raw, FormatterAssemblyStyle assemblyStyle = FormatterAssemblyStyle.Simple)
 {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter binaryFormatter = new()
+ // cs/binary-formatter-without-binder
+ BinaryFormatter binaryFormatter = new() // CodeQL [SM04191] : Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 {
 AssemblyFormat = assemblyStyle
 };
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 using MemoryStream serializedStream = new(raw);
- return binaryFormatter.Deserialize(serializedStream);
+
+ // cs/dangerous-binary-deserialization
+ return binaryFormatter.Deserialize(serializedStream); // CodeQL[SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 }
 }
@@ -89,7 +92,8 @@ static byte[] ToByteArray(object obj, FormatterAssemblyStyle assemblyStyle = FormatterAssemblyStyle.Simple)
 {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter binaryFormatter = new()
+ // cs/binary-formatter-without-binder
+ BinaryFormatter binaryFormatter = new() // CodeQL [SM04191]: Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 {
 AssemblyFormat = assemblyStyle
 };
diff --git a/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/BinaryFormatWriterTests.cs b/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/BinaryFormatWriterTests.cs
index 11ce49a0cbd..3115e32659d 100644
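Review bot: The SM04191 justification on the new `BinaryFormatter binaryFormatter = new()` in FromByteArray states that "the types are controlled and validated", but nothing in the hunk assigns a `Binder`, so the claim is not backed by the code and the without-binder alert is being suppressed rather than answered. If this helper really only round-trips known test types, the honest fix is to set a `SerializationBinder` that allow-lists those types next to `AssemblyFormat = assemblyStyle`, which makes the justification true and is what the rule is asking for; otherwise the comment should say only that this is a test utility fed by bytes the tests themselves produced. Because this is shared test infrastructure, any test that later hands it bytes loaded from disk or a resource inherits the suppression silently, which is worth stating in the comment. The `Deserialize` line also writes `CodeQL[SM03722]` without the space used at every other site; pick one form in case the matcher is whitespace-sensitive.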
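Review bot: The justification added to the formatter in ToByteArray says the "deserialization process is performed on trusted data", but this instance only serializes — ToByteArray returns bytes and the hunk shows no `Deserialize` call — so the text describes a different code path and will mislead anyone auditing suppressions later. Suggest `// CodeQL [SM04191] : Test utility; this instance only serializes test objects and never deserializes.` The `[SM04191]:` spacing here also differs from the `[SM04191] :` form used in the first hunk. ToByteArray's body continues past the end of the hunk.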
--- a/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/BinaryFormatWriterTests.cs
+++ b/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/BinaryFormatWriterTests.cs
@@ -23,7 +23,9 @@ public void BinaryFormatWriter_WriteString(string testString)
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
 BinaryFormatter formatter = new();
 #pragma warning restore
- object deserialized = formatter.Deserialize(stream);
+
+ // cs/dangerous-binary-deserialization
+ object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 deserialized.Should().Be(testString);
 }
@@ -38,9 +40,12 @@ public void BinaryFormatWriter_TryWriteObject_SupportedObjects_BinaryFormatterRe
 using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
- object deserialized = formatter.Deserialize(stream);
+
+ // cs/dangerous-binary-deserialization
+ object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 if (value is Hashtable hashtable)
 {
diff --git a/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/HashTableTests.cs b/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/HashTableTests.cs
index e8da3e010b1..80ac1731dfd 100644
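Review bot: In BinaryFormatWriter_WriteString the context line `BinaryFormatter formatter = new();` is left without the SM04191 suppression that every other formatter construction in this change receives, so the without-binder alert presumably still fires here even though the `Deserialize` line below it is now annotated. Either add the same `// cs/binary-formatter-without-binder` and `// CodeQL [SM04191] : …` pair, or better, give this instance a `Binder` that only resolves `string`, which is the only type this test reads back. The bare `#pragma warning restore` on the next context line also restores every disabled warning rather than `SYSLIB0011` alone; it is pre-existing, but worth tightening to `#pragma warning restore SYSLIB0011` while the region is being touched.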
--- a/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/HashTableTests.cs
+++ b/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/HashTableTests.cs
@@ -117,8 +117,11 @@ public void BinaryFormatWriter_WriteHashtables(Hashtable hashtable)
 using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
- Hashtable deserialized = (Hashtable)formatter.Deserialize(stream);
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
+
+ // cs/dangerous-binary-deserialization
+ Hashtable deserialized = (Hashtable)formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011
 deserialized.Count.Should().Be(hashtable.Count);
diff --git a/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/ListTests.cs b/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/ListTests.cs
index 6ca241ddaf7..db0457e08a6 100644
--- a/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/ListTests.cs
+++ b/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/ListTests.cs
@@ -172,8 +172,10 @@ public void BinaryFormatWriter_TryWritePrimitiveList(IList list)
 using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
- IList deserialized = (IList)formatter.Deserialize(stream);
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
+ // cs/dangerous-binary-deserialization
+ IList deserialized = (IList)formatter.Deserialize(stream); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011
 deserialized.Should().BeEquivalentTo(list);
diff --git a/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/PrimitiveTypeTests.cs b/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/PrimitiveTypeTests.cs
index 2548a9c368f..bc926c3ae2b 100644
--- a/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/PrimitiveTypeTests.cs
+++ b/src/System.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/PrimitiveTypeTests.cs
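Review bot: The suppression on the new `IList deserialized = (IList)formatter.Deserialize(stream);` cites `SM02229`, but the marker comment directly above it names `cs/dangerous-binary-deserialization`, which at every other site in this change is paired with `SM03722`; if suppression IDs are matched literally, the dangerous-deserialization alert on this line stays open and an unrelated rule is suppressed instead. Change the trailing comment to `// CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.`, which also restores the space after `CodeQL` used elsewhere.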
@@ -100,9 +100,14 @@ public void BinaryFormatWriter_WritePrimitive(object value)
 using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
+
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
- object deserialized = formatter.Deserialize(stream);
+
+ // cs/dangerous-binary-deserialization
+ object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 deserialized.Should().Be(value);
 }
diff --git a/src/System.Windows.Forms/tests/InteropTests/NativeTests/testhelpers.h b/src/System.Windows.Forms/tests/InteropTests/NativeTests/testhelpers.h
index 2d6316aee80..4e71f0338f4 100644
--- a/src/System.Windows.Forms/tests/InteropTests/NativeTests/testhelpers.h
+++ b/src/System.Windows.Forms/tests/InteropTests/NativeTests/testhelpers.h
@@ -32,7 +32,8 @@ std::wstring format(const wchar_t* format, Args... args)
 int length = std::swprintf(nullptr, 0, format, args...); // If this fails, let the program crash.
 wchar_t* buf = new wchar_t[length + 1];
- std::swprintf(buf, length + 1, format, args...);
+ // cpp/non-constant-format
+ std::swprintf(buf, length + 1, format, args...); // CodeQL [SM01734] : This is a test code and the format string is trusted.
 std::wstring str(buf);
 delete[] buf;
diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/AxHost.PropertyBagStreamTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/AxHost.PropertyBagStreamTests.cs
index 63c16195be6..0a92c4373e0 100644
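Review bot: BinaryFormatWriter_WritePrimitive is laid out differently from its siblings: blank `+` lines are inserted between `#pragma warning disable SYSLIB0011` and the marker comment and again before `#pragma warning restore SYSLIB0011`, whereas HashTableTests and ListTests keep the marker comment directly under the pragma. Dropping the two added blank lines keeps the pragma region tight and makes all five BinaryFormat tests read the same way, which matters when someone later greps or bulk-edits these suppressions.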
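Review bot: The suppression covers only the second `std::swprintf(buf, length + 1, format, args...)`, while the sizing call `std::swprintf(nullptr, 0, format, args...)` two lines up passes the same non-constant `format` and is likely to raise the same cpp/non-constant-format alert; if it does, it needs the same `// CodeQL [SM01734]` annotation or the suppression only half-closes the finding. Separately, the existing comment "If this fails, let the program crash" does not describe what the code does: a negative `length` turns `new wchar_t[length + 1]` into a zero-length allocation, the second call then has a zero-size buffer to write into, and `std::wstring str(buf)` reads from memory nothing was written to. A guard such as `if (length < 0) std::abort();` before the allocation would make the comment true. The enclosing `format` function continues outside the hunk.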
--- a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/AxHost.PropertyBagStreamTests.cs
+++ b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/AxHost.PropertyBagStreamTests.cs
@@ -14,10 +14,12 @@ public void PropertyBagStream_WriteReadRoundTrip_FormatterEnabled()
 {
 using BinaryFormatterScope formatterScope = new(enable: true);
 AxHost.PropertyBagStream bag = new();
- HRESULT hr = bag.Write("Integer", (VARIANT)42);
+ // cs/deserialization-unexpected-subtypes
+ HRESULT hr = bag.Write("Integer", (VARIANT)42); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of VARIANT because the data is trusted and the types are controlled and validated.
 Assert.True(hr.Succeeded);
 NameClass obj = new() { Name = "Hamlet" };
- hr = bag.Write("Object", VARIANT.FromObject(obj));
+ // cs/deserialization-unexpected-subtypes
+ hr = bag.Write("Object", VARIANT.FromObject(obj)); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of VARIANT because the data is trusted and the types are controlled and validated.
 Assert.True(hr.Succeeded);
 using MemoryStream stream = new();
@@ -43,7 +45,9 @@ public void PropertyBagStream_WriteReadRoundTrip_FormatterDisabled()
 {
 using BinaryFormatterScope formatterScope = new(enable: false);
 AxHost.PropertyBagStream bag = new();
- HRESULT hr = bag.Write("Integer", (VARIANT)42);
+
+ // cs/deserialization-unexpected-subtypes
+ HRESULT hr = bag.Write("Integer", (VARIANT)42); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of VARIANT because the data is trusted and the types are controlled and validated.
 Assert.True(hr.Succeeded);
 NameClass obj = new() { Name = "Hamlet" };
 hr = bag.Write("Object", VARIANT.FromObject(obj));
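Review bot: In PropertyBagStream_WriteReadRoundTrip_FormatterDisabled only the first `bag.Write("Integer", (VARIANT)42)` receives the SM02229 annotation; the second call, `hr = bag.Write("Object", VARIANT.FromObject(obj));`, is left as an unannotated context line even though the sibling FormatterEnabled test in the previous hunk annotates both calls. If the alert is reported per call site, this one stays open. The justification text is also off for what it decorates: it speaks of a "safe use of VARIANT" and of deserialization, but these lines write values into the bag; a comment that says what is actually being accepted, e.g. `// CodeQL [SM02229] : Test only; the bag is populated with in-test values and read back later in the test.`, is easier to audit. The spacing `CodeQL[SM02229]` also differs from the `CodeQL [SMxxxxx]` form used in the other files.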
@@ -65,7 +69,8 @@ public void PropertyBagStream_WriteReadRoundTrip_Primitives_FormatterDisabled(ob
 Marshal.GetNativeVariantForObject(value, (nint)(void*)&variant);
 string name = value.GetType().FullName!;
- HRESULT hr = bag.Write(value.GetType().FullName!, variant);
+ // cs/deserialization-unexpected-subtypes
+ HRESULT hr = bag.Write(value.GetType().FullName!, variant); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of VARIANT because the data is trusted and the types are controlled and validated.
 Assert.True(hr.Succeeded);
 using MemoryStream stream = new();
diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/BinaryFormat/WinFormsBinaryFormattedObjectTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/BinaryFormat/WinFormsBinaryFormattedObjectTests.cs
index da1263ca845..e5825b0ada4 100644
--- a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/BinaryFormat/WinFormsBinaryFormattedObjectTests.cs
+++ b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/BinaryFormat/WinFormsBinaryFormattedObjectTests.cs
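Review bot: The rewritten line `HRESULT hr = bag.Write(value.GetType().FullName!, variant);` recomputes the key that the context line immediately above already stored in `name` (`string name = value.GetType().FullName!;`), so the reader has to re-verify a second null-forgiving expression for no gain. Since this line is being touched anyway, it should read `HRESULT hr = bag.Write(name, variant);` — behavior is identical. The test body continues past the hunk, so I cannot see whether `name` is used again below.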
@@ -55,12 +55,14 @@ public void BinaryFormattedObject_Bitmap_FromWinFormsBinaryFormatWriter()
 using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter binaryFormat = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter binaryFormat = new(); // CodeQL [SM04191] This is a test deserialization process is performed on trusted data and the types are controlled and validated.
 #pragma warning restore SYSLIB0011
- using Bitmap deserialized = binaryFormat.Deserialize(stream).Should().BeOfType().Which;
+ // cs/dangerous-binary-deserialization
+ using Bitmap deserialized = binaryFormat.Deserialize(stream).Should().BeOfType().Which; // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 deserialized.Size.Should().Be(bitmap.Size);
- }
+ }
 [Fact]
 public void BinaryFormattedObject_ImageListStreamer_FromBinaryFormatter()
diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/DataObject_BitmapBinderTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/DataObject_BitmapBinderTests.cs
index 84a656e281c..895f5db7093 100644
--- a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/DataObject_BitmapBinderTests.cs
+++ b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/DataObject_BitmapBinderTests.cs
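Review bot: The `- }` / `+ }` pair near the end of the hunk shows no visible difference and is presumably a whitespace-only edit (trailing space or line ending) to the closing brace of BinaryFormattedObject_Bitmap_FromWinFormsBinaryFormatWriter; it should be reverted so the change stays a pure annotation PR, and if an editor setting is normalizing whitespace it will keep producing this noise. The SM04191 text on `BinaryFormatter binaryFormat = new();` is also garbled ("This is a test deserialization process is performed…") and lacks the ` : ` separator the other sites use; suggest the wording used in the sibling files, `// CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.`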
@@ -42,7 +42,8 @@ public void BitmapBinder_BindToType_AllowedSerializationTypes(object value)
 {
 using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] This is a test. Safe because the deserialization process is performed on trusted data and the types are controlled and validated.
 #pragma warning restore
 formatter.Serialize(stream, value);
 Assert.True(stream.Length > 0);
@@ -54,7 +55,7 @@ public void BitmapBinder_BindToType_AllowedSerializationTypes(object value)
 };
 // cs/dangerous-binary-deserialization
- object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Safe use because input stream is controlled contains strings and Bitmap which is instantiated by a binder.
+ object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. Safe use because input stream is controlled contains strings and Bitmap which is instantiated by a binder.
 Assert.NotNull(deserialized);
 if (value is not Bitmap)
@@ -94,7 +95,8 @@ public void BitmapBinder_BindToType_DisallowedSerializationTypes(object value)
 using BinaryFormatterScope formatterScope = new(enable: true);
 using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 #pragma warning restore SYSLIB0011
 formatter.Serialize(stream, value);
 Assert.True(stream.Length > 0);
diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ImageListTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ImageListTests.cs
index d42cf44e6d1..19f2aee6a4f 100644
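Review bot: The SM04191 justification on `BinaryFormatter formatter = new();` in BitmapBinder_BindToType_DisallowedSerializationTypes says "the types are controlled and validated", which contradicts the test's own name — this test deliberately serializes types the BitmapBinder is supposed to reject, and the formatter on this line is only ever used for `formatter.Serialize(stream, value)` in the visible lines. A justification that matches the test would be `// CodeQL [SM04191] : Test only; this instance serializes a sample that the binder under test is expected to reject on deserialization.` The Allowed-types hunk already has the better model: its SM03722 comment names the actual control ("instantiated by a binder"), and the two SM04191 comments in this file should do the same rather than carry the generic boilerplate (the first one also drops the ` : ` separator). Where the `Binder` is assigned is outside the hunk, so I am inferring it from the `};` initializer line and the existing comment.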
--- a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ImageListTests.cs
+++ b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ImageListTests.cs
@@ -441,11 +441,12 @@ private static T RoundtripSerialize(T source)
 using BinaryFormatterScope formatterScope = new(enable: true);
 using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 formatter.Serialize(stream, source);
 stream.Position = 0;
- // cs/deserialization-unexpected-subtypes
- return (T)formatter.Deserialize(stream); // CodeQL [SM02229] Testing legacy features: we are deserializing stream with controlled content.
+ // cs/dangerous-binary-deserialization, cs/deserialization-unexpected-subtypes
+ return (T)formatter.Deserialize(stream); // CodeQL [SM03722, SM02229] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 }
diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/Layout/TableLayoutSettingsTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/Layout/TableLayoutSettingsTests.cs
index 89f260492d1..d87a730b7c6 100644
--- a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/Layout/TableLayoutSettingsTests.cs
+++ b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/Layout/TableLayoutSettingsTests.cs
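Review bot: `// CodeQL [SM03722, SM02229]` on `return (T)formatter.Deserialize(stream);` packs two alert IDs into one bracket, and nothing in the change shows that the suppression parser accepts a comma-separated list — every other site uses exactly one ID per comment. If the list form is not recognized, the previously working SM02229 suppression that this line replaces is lost and both alerts stay open, which is a regression from the old line. Confirm the multi-ID syntax against the tool's documentation before merging, or keep one ID per trailing comment (the marker comment above can still list both query names). The generic RoundtripSerialize helper is shared by other tests in this file, so a mis-parsed suppression here surfaces as several findings.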
@@ -1785,11 +1785,13 @@ public void TableLayoutSettings_Serialize_Deserialize_Success()
 using (MemoryStream stream = new())
 {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 formatter.Serialize(stream, settings);
 stream.Seek(0, SeekOrigin.Begin);
- TableLayoutSettings result = Assert.IsType(formatter.Deserialize(stream));
+ // cs/dangerous-binary-deserialization
+ TableLayoutSettings result = Assert.IsType(formatter.Deserialize(stream)); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 Assert.Equal(columnStyle.SizeType, ((ColumnStyle)Assert.Single(result.ColumnStyles)).SizeType);
 Assert.Equal(columnStyle.Width, ((ColumnStyle)Assert.Single(result.ColumnStyles)).Width);
@@ -1815,11 +1817,13 @@ public void TableLayoutSettings_Serialize_InvalidStringConverter_DeserializeThro
 using (MemoryStream stream = new())
 {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 formatter.Serialize(stream, settings);
 stream.Seek(0, SeekOrigin.Begin);
- Assert.Throws(() => formatter.Deserialize(stream));
+ // cs/dangerous-binary-deserialization
+ Assert.Throws(() => formatter.Deserialize(stream)); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 }
 }
@@ -1836,12 +1840,14 @@ public void TableLayoutSettings_Deserialize_InvalidConverterResult_Success(Type
 using (MemoryStream stream = new())
 {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 formatter.Serialize(stream, settings);
 stream.Seek(0, SeekOrigin.Begin);
- TableLayoutSettings result = Assert.IsType(formatter.Deserialize(stream));
+ // cs/dangerous-binary-deserialization
+ TableLayoutSettings result = Assert.IsType(formatter.Deserialize(stream)); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 Assert.NotNull(result.LayoutEngine);
 Assert.Same(result.LayoutEngine, result.LayoutEngine);
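Review bot: The justification on `Assert.Throws(() => formatter.Deserialize(stream));` in TableLayoutSettings_Serialize_InvalidStringConverter_DeserializeThrows says this is "a safe use of BinaryFormatter because … the types are controlled and validated", but the test exists to prove that deserializing settings with an invalid string converter throws, so the boilerplate reads as if the call is expected to succeed and will confuse the next person auditing these suppressions. Suggest a justification that matches the assertion: `// CodeQL [SM03722] : Testing legacy feature. Input is serialized in-test; the test asserts that deserializing an invalid converter throws.` The same copy-paste wording on the third hunk's Success test is fine as-is.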
diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewGroupTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewGroupTests.cs
index 7f84941ccda..5bb8d56edf1 100644
--- a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewGroupTests.cs
+++ b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewGroupTests.cs
@@ -1334,11 +1334,13 @@ public void ListViewGroup_Serialize_Deserialize_Success(ListViewGroup group)
 using BinaryFormatterScope formatterScope = new(enable: true);
 using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 formatter.Serialize(stream, group);
 stream.Seek(0, SeekOrigin.Begin);
- ListViewGroup result = Assert.IsType(formatter.Deserialize(stream));
+ // cs/dangerous-binary-deserialization
+ ListViewGroup result = Assert.IsType(formatter.Deserialize(stream)); // CodeQL [SM03722] : Deserialization is performed on trusted data and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 Assert.Equal(group.Header, result.Header);
 Assert.Equal(group.HeaderAlignment, result.HeaderAlignment);
diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewSubItemTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewSubItemTests.cs
index a03da14366d..e2e3afe5f7a 100644
--- a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewSubItemTests.cs
+++ b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewSubItemTests.cs
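Review bot: The SM03722 justification on `ListViewGroup result = Assert.IsType(formatter.Deserialize(stream));` drops the "Testing legacy feature." prefix that every other SM03722 suppression in this change carries, so a later grep for the agreed phrase (for example when BinaryFormatter support is finally removed and these tests are deleted) will miss this site. For consistency use `// CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.` The test body continues past the hunk.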
@@ -580,11 +580,13 @@ public void ListViewSubItem_Serialize_Deserialize_Success(ListViewItem.ListViewS
 using BinaryFormatterScope formatterScope = new(enable: true);
 using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 new BinaryFormatter().Serialize(stream, subItem);
 stream.Seek(0, SeekOrigin.Begin);
- ListViewItem.ListViewSubItem result = Assert.IsType(formatter.Deserialize(stream));
+ // cs/dangerous-binary-deserialization
+ ListViewItem.ListViewSubItem result = Assert.IsType(formatter.Deserialize(stream)); // CodeQL[SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 Assert.Equal(subItem.BackColor, result.BackColor);
 Assert.Equal(subItem.Font, result.Font);
diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/OwnerDrawPropertyBagTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/OwnerDrawPropertyBagTests.cs
index f3dc6556672..d679dcb8287 100644
--- a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/OwnerDrawPropertyBagTests.cs
+++ b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/OwnerDrawPropertyBagTests.cs
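Review bot: The context line `new BinaryFormatter().Serialize(stream, subItem);` constructs a second, unannotated BinaryFormatter immediately after the one that was just given the SM04191 suppression, so the without-binder alert will presumably still be raised on this method, and the `formatter` declared above is used only for the `Deserialize` call. Change that line to `formatter.Serialize(stream, subItem);` so there is one formatter and one suppression; it also matches how ListViewGroupTests and the other touched tests are written. The result line uses `CodeQL[SM03722]` without the space found elsewhere — normalize it if the matcher is whitespace-sensitive. The test body continues past the hunk.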
@@ -114,11 +114,13 @@ public void OwnerDrawPropertyBag_Serialize_Deserialize_Success()
 using (MemoryStream stream = new())
 {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
- BinaryFormatter formatter = new();
+ // cs/binary-formatter-without-binder
+ BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 formatter.Serialize(stream, original);
 stream.Position = 0;
- OwnerDrawPropertyBag bag = Assert.IsType(formatter.Deserialize(stream));
+ // cs/dangerous-binary-deserialization
+ OwnerDrawPropertyBag bag = Assert.IsType(formatter.Deserialize(stream)); // CodeQL[SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 Assert.Equal(Color.Blue, bag.BackColor);
 Assert.Equal(SystemFonts.MenuFont.Name, bag.Font.Name);