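// Evaluates a settings argument that refers to a field declared elsewhere, e.g.
//   Deserialize(payload, _settings)
// where `_settings` is a field of the serializer-settings type named by _serializerSettings.
// The field's declaration is inspected for the risky TypeNameHandling assignment
// (_typeName / _vulnerabletypeNameSettings); that assignment is only reported as
// vulnerable when no serialization binder (_binderInterface) is assigned alongside it,
// since the binder is the mitigation for that setting.
// Returns true when the declaration is vulnerable; false when it is safe OR when the
// argument cannot be resolved to a source-declared field of the expected type, so a
// failed symbol lookup, a local/property argument or a metadata-only symbol never
// crashes the analyzer (the previous `as IFieldSymbol` cast was dereferenced unchecked).
private static bool VulnerableFieldConstructor(ExpressionSyntax settingsArgument, SyntaxNodeAnalysisContext context)
{
    // Only a bare identifier can name a field; constructors and member accesses are
    // handled by other checks.
    if (settingsArgument == null || !settingsArgument.IsKind(SyntaxKind.IdentifierName))
    {
        return false;
    }

    // Symbol may be null (unresolved) or a local/parameter/property rather than a field.
    var declaration = context.SemanticModel.GetSymbolInfo(settingsArgument).Symbol;
    if (!(declaration is IFieldSymbol fieldSymbol))
    {
        return false;
    }

    // string.Equals(string) is an ordinal comparison, which is what a type name needs.
    var variableType = StaticAnalysisUtilites.GetTypeFromDeclaration(declaration);
    if (variableType == null || !variableType.Name.Equals(_serializerSettings))
    {
        return false;
    }

    // A symbol without any location (e.g. synthesized) has no declaration to inspect.
    var location = fieldSymbol.Locations.FirstOrDefault();
    if (location == null)
    {
        return false;
    }

    var declarationNode = StaticAnalysisUtilites.FindDeclearationNode(location);
    var hasAutoTypeSetting = StaticAnalysisUtilites.IsAssignedValue(declarationNode, _typeName, _vulnerabletypeNameSettings);
    var hasSerialBinder = StaticAnalysisUtilites.IsAssignedInterface(declarationNode, context, _binderInterface);

    // Vulnerable only when the risky setting is present AND the mitigating binder is absent.
    return hasAutoTypeSetting && !hasSerialBinder;
}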