From 89bd84bb5a56ec84e5397b47bac038ad9c75370e Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:18:06 +0100 Subject: [PATCH 01/13] Update untrusted-data-class-note.md --- includes/untrusted-data-class-note.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/untrusted-data-class-note.md b/includes/untrusted-data-class-note.md index 334a62cba7b..a893a59f2b4 100644 --- a/includes/untrusted-data-class-note.md +++ b/includes/untrusted-data-class-note.md @@ -1,2 +1,2 @@ > [!IMPORTANT] -> Calling methods from this class with untrusted data is a security risk. Call the methods from this class only with trusted data. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Calling methods from this class with untrusted data is a security risk. Call the methods from this class only with trusted data. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). From 9c004c2eef32cffb8788d203b343075182edb466 Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:18:27 +0100 Subject: [PATCH 02/13] Update untrusted-data-instance-note.md --- includes/untrusted-data-instance-note.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/untrusted-data-instance-note.md b/includes/untrusted-data-instance-note.md index 95383087cd0..44ab7776a9c 100644 --- a/includes/untrusted-data-instance-note.md +++ b/includes/untrusted-data-instance-note.md 
@@ -1,2 +1,2 @@ > [!IMPORTANT] -> Using an instance of this object with untrusted data is a security risk. Use this object only with trusted data. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data is a security risk. Use this object only with trusted data. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). From df80c1c828d17d730b3dfcd941630c1fefcf4625 Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:18:46 +0100 Subject: [PATCH 03/13] Update untrusted-data-interface-note.md --- includes/untrusted-data-interface-note.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/untrusted-data-interface-note.md b/includes/untrusted-data-interface-note.md index 023792867a5..ceb5f5c5e76 100644 --- a/includes/untrusted-data-interface-note.md +++ b/includes/untrusted-data-interface-note.md @@ -1,2 +1,2 @@ > [!IMPORTANT] -> Calling methods from classes that implement this interface with untrusted data is a security risk. Call the methods from classes that implement this interface only with trusted data. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Calling methods from classes that implement this interface with untrusted data is a security risk. Call the methods from classes that implement this interface only with trusted data. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). From 1999211eb84a88b3ea86637704d6fb846d194987 Mon Sep 17 00:00:00 2001 
From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:19:07 +0100 Subject: [PATCH 04/13] Update untrusted-data-method-note.md --- includes/untrusted-data-method-note.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/untrusted-data-method-note.md b/includes/untrusted-data-method-note.md index 70f76f0a463..34f155ddcff 100644 --- a/includes/untrusted-data-method-note.md +++ b/includes/untrusted-data-method-note.md @@ -1,2 +1,2 @@ > [!IMPORTANT] -> Calling this method with untrusted data is a security risk. Call this method only with trusted data. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Calling this method with untrusted data is a security risk. Call this method only with trusted data. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). From c174483b1bf85f14ee773f64185a8b46733f8869 Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:20:36 +0100 Subject: [PATCH 05/13] Update JavaScriptSerializer.xml --- xml/System.Web.Script.Serialization/JavaScriptSerializer.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Web.Script.Serialization/JavaScriptSerializer.xml b/xml/System.Web.Script.Serialization/JavaScriptSerializer.xml index 19fc16c589b..cfb65510c0b 100644 --- a/xml/System.Web.Script.Serialization/JavaScriptSerializer.xml +++ b/xml/System.Web.Script.Serialization/JavaScriptSerializer.xml 
@@ -145,7 +145,7 @@ To serialize an object, use the that is used by the asynchronous communication layer for invoking Web services from client script uses a special type resolver. This type resolver restricts the types that can be deserialized to those defined in the Web service's method signature, or the ones that have the applied. You cannot modify this built-in type resolver programmatically. > [!IMPORTANT] -> Using an instance of this object initialized with a custom type-resolver can present a security risk. Use this object only with trusted data. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object initialized with a custom type-resolver can present a security risk. Use this object only with trusted data. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]> From f9b83a03ca46e723a3704873cf948303ef0a246d Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:21:18 +0100 Subject: [PATCH 06/13] Update SoapServerFormatterSink.xml --- .../SoapServerFormatterSink.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Runtime.Remoting.Channels/SoapServerFormatterSink.xml b/xml/System.Runtime.Remoting.Channels/SoapServerFormatterSink.xml index b8fed1a161e..98b6f4ddd87 100644 --- a/xml/System.Runtime.Remoting.Channels/SoapServerFormatterSink.xml +++ b/xml/System.Runtime.Remoting.Channels/SoapServerFormatterSink.xml @@ -37,7 +37,7 @@ |`typeFilterLevel`|A string value specifying the level of automatic deserialization a server channel attempts. Supported values are `Low` (the default) and `Full`. For details about deserialization levels, see [Automatic Deserialization in .NET Framework Remoting](https://learn.microsoft.com/previous-versions/dotnet/netframework-4.0/5dxse167(v=vs.100)).

This property is supported only by the .NET Framework version 1.1 on the following platforms: Windows 98, Windows NT 4.0, Windows Millennium Edition, Windows 2000, Windows XP Home Edition, Windows XP Professional, and Windows Server 2003 family.| > [!IMPORTANT] -> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]> From 5ab953914d2f0d870e3ad2d6b9cd36578f7abf8e Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:22:07 +0100 Subject: [PATCH 07/13] Update SoapClientFormatterSink.xml --- .../SoapClientFormatterSink.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Runtime.Remoting.Channels/SoapClientFormatterSink.xml b/xml/System.Runtime.Remoting.Channels/SoapClientFormatterSink.xml index af4665496bd..2f5b78ee654 100644 --- a/xml/System.Runtime.Remoting.Channels/SoapClientFormatterSink.xml +++ b/xml/System.Runtime.Remoting.Channels/SoapClientFormatterSink.xml 
@@ -41,7 +41,7 @@ |`includeVersions`|Specifies whether the formatter will include versioning information. Values are `true` or `false`.| > [!IMPORTANT] -> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]> From 87556239840ab5e093658e06f845c7227f6816a3 Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:22:55 +0100 Subject: [PATCH 08/13] Update BinaryServerFormatterSink.xml --- .../BinaryServerFormatterSink.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Runtime.Remoting.Channels/BinaryServerFormatterSink.xml b/xml/System.Runtime.Remoting.Channels/BinaryServerFormatterSink.xml index ff40061a47a..a1f38299cfc 100644 --- a/xml/System.Runtime.Remoting.Channels/BinaryServerFormatterSink.xml +++ b/xml/System.Runtime.Remoting.Channels/BinaryServerFormatterSink.xml @@ -39,7 +39,7 @@ |`typeFilterLevel`|A string value that specifies the level of automatic deserialization that a server channel attempts. Supported values are `Low` (the default) and `Full`. For details about deserialization levels, see [Automatic Deserialization in .NET Framework Remoting](https://learn.microsoft.com/previous-versions/dotnet/netframework-4.0/5dxse167(v=vs.100)).

This property is supported only by the .NET Framework version 1.1 on the following platforms: Windows 98, Windows NT 4.0, Windows Millennium Edition, Windows 2000, Windows XP Home Edition, Windows XP Professional, and Windows Server 2003 family.| > [!IMPORTANT] -> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]> From 053cdfea410469ae763a881e7c42c1e0d68533b7 Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:23:32 +0100 Subject: [PATCH 09/13] Update BinaryClientFormatterSink.xml --- .../BinaryClientFormatterSink.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Runtime.Remoting.Channels/BinaryClientFormatterSink.xml b/xml/System.Runtime.Remoting.Channels/BinaryClientFormatterSink.xml index ff69bd8553a..58b5d8afb35 100644 --- a/xml/System.Runtime.Remoting.Channels/BinaryClientFormatterSink.xml +++ b/xml/System.Runtime.Remoting.Channels/BinaryClientFormatterSink.xml 
@@ -41,7 +41,7 @@ |`includeVersions`|Specifies whether the formatter will include versioning information. Values are `true` or `false`.| > [!IMPORTANT] -> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]> From 7391d2d9f46c03e45fc1272c6ee2e37996f918d7 Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:24:23 +0100 Subject: [PATCH 10/13] Update SoapClientFormatterSinkProvider.xml --- .../SoapClientFormatterSinkProvider.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Runtime.Remoting.Channels/SoapClientFormatterSinkProvider.xml b/xml/System.Runtime.Remoting.Channels/SoapClientFormatterSinkProvider.xml index c1bbc8833d9..546e04521ee 100644 --- a/xml/System.Runtime.Remoting.Channels/SoapClientFormatterSinkProvider.xml +++ b/xml/System.Runtime.Remoting.Channels/SoapClientFormatterSinkProvider.xml 
@@ -41,7 +41,7 @@ |`includeVersions`|Specifies whether the formatter will include versioning information. Values are `true` or `false`.| > [!IMPORTANT] -> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]> From d9f2637609ccf52dd21b85a46f815dfea9e2e1f1 Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:24:57 +0100 Subject: [PATCH 11/13] Update SoapServerFormatterSinkProvider.xml --- .../SoapServerFormatterSinkProvider.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Runtime.Remoting.Channels/SoapServerFormatterSinkProvider.xml b/xml/System.Runtime.Remoting.Channels/SoapServerFormatterSinkProvider.xml index 2aa31e9ec23..50a79343df9 100644 --- a/xml/System.Runtime.Remoting.Channels/SoapServerFormatterSinkProvider.xml +++ b/xml/System.Runtime.Remoting.Channels/SoapServerFormatterSinkProvider.xml 
@@ -43,7 +43,7 @@ |`includeVersions`|Specifies whether the formatter will include versioning information. Values are `true` or `false`.| > [!IMPORTANT] -> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]> From b36d589baea19dacf868d4fd84f22a0df5ac2685 Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:25:28 +0100 Subject: [PATCH 12/13] Update BinaryClientFormatterSinkProvider.xml --- .../BinaryClientFormatterSinkProvider.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Runtime.Remoting.Channels/BinaryClientFormatterSinkProvider.xml b/xml/System.Runtime.Remoting.Channels/BinaryClientFormatterSinkProvider.xml index 92d43bb9ee6..7b90f454456 100644 --- a/xml/System.Runtime.Remoting.Channels/BinaryClientFormatterSinkProvider.xml +++ b/xml/System.Runtime.Remoting.Channels/BinaryClientFormatterSinkProvider.xml 
@@ -41,7 +41,7 @@ |`includeVersions`|Specifies whether the formatter will include versioning information. Values are `true` or `false`.| > [!IMPORTANT] -> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]> From 7f11c5801b1d54d2538985a690f2809edb0f519e Mon Sep 17 00:00:00 2001 From: Sviatoslav Zubar Date: Mon, 16 Dec 2024 20:26:14 +0100 Subject: [PATCH 13/13] Update BinaryServerFormatterSinkProvider.xml --- .../BinaryServerFormatterSinkProvider.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Runtime.Remoting.Channels/BinaryServerFormatterSinkProvider.xml b/xml/System.Runtime.Remoting.Channels/BinaryServerFormatterSinkProvider.xml index 369a3f1bd7c..9b3e525db32 100644 --- a/xml/System.Runtime.Remoting.Channels/BinaryServerFormatterSinkProvider.xml +++ b/xml/System.Runtime.Remoting.Channels/BinaryServerFormatterSinkProvider.xml 
@@ -43,7 +43,7 @@ |`includeVersions`|Specifies whether the formatter will include versioning information. Values are `true` or `false`.| > [!IMPORTANT] -> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://owasp.org/www-project-proactive-controls/v3/en/c5-validate-inputs). +> Using an instance of this object with untrusted data or across an unsecure channel is a security risk. Use this object only with trusted data and across a secure channel. For more information, see [Validate All Inputs](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/). ]]>
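Review bot: In the `+` line of the four include notes (PATCH 01/13 through 04/13), the link text still reads "Validate All Inputs" while the new target's slug is `c3-validate-input-and-handle-exceptions`, so the label no longer names the page it opens. Update the link text to the title of the target control in the same change, and apply the same rename to the inline copies in 05/13 through 13/13. The new URL also sits under `/archive/2024/`; please confirm that the archive path is the intended permanent location, since these includes are pulled into every API page that carries the warning and the previous URL is being replaced precisely because it went stale.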
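Review bot: In PATCH 05/13 (`JavaScriptSerializer.xml`, hunk at line 145), the warning is specifically about an instance "initialized with a custom type-resolver", but the only reference it offers is a general input-validation page, which does not tell the reader what to do about the resolver. The context line directly above already states the relevant control: the built-in resolver "restricts the types that can be deserialized". Consider having the note say the same for custom resolvers (restrict the resolvable types to a known set) and keep the input-validation link as the secondary reference, so the remediation is readable from the note itself.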
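Review bot: In PATCH 06/13 and 08/13 (`SoapServerFormatterSink.xml` and `BinaryServerFormatterSink.xml`), the note sits immediately after the `typeFilterLevel` row, which says the supported values are `Low` (the default) and `Full`, yet the note never ties the "untrusted data" warning to that setting. Since the link is being touched anyway, consider adding a clause that points the reader back to `typeFilterLevel` and the "Automatic Deserialization in .NET Framework Remoting" article already linked in that row; that article is the page-specific guidance, and the OWASP link only covers the general principle.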
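Review bot: In PATCH 07/13 and 09/13 through 13/13 (the client sinks and the four sink providers), the `+` line is the same sentence character for character, and together with 06/13 and 08/13 that makes eight inline copies of one note. PATCH 01/13 through 04/13 show that the repository already keeps equivalent warnings in `includes/`; moving this remoting variant into an include of its own would turn the next link change into a one-file edit and remove the chance of one copy being missed. Separately, the note warns about both untrusted data and "an unsecure channel", but the single link addresses only input validation, so the channel half of the warning has no supporting reference.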