//This will evaluate code created with an inline constructor to assigned properties for a JsonSerializerSettings
//e.g Deserialize(payload, new JsonSerializerSettings(){TypeNameHandling = TypeNameHandling.Auto})
//Will evaluate if the TypeNameHandling.Auto has been assigned which will make code vulnerable
//Then evaluate if a type with the ISerializationBinder has been assigned to settings which will mitigate the risk if TypeNameHandling.Auto assigned
private static bool VulnerableFieldConstructor(ExpressionSyntax settingsArgument, SyntaxNodeAnalysisContext context)
{
//Inline constructor
var isVulnerable = false;
if (settingsArgument != null && settingsArgument.IsKind(SyntaxKind.IdentifierName))
{
var declaration = context.SemanticModel.GetSymbolInfo(settingsArgument).Symbol;
var variableType = StaticAnalysisUtilites.GetTypeFromDeclaration(declaration);
if (variableType.Name.Equals(_serializerSettings))
{
var location = (declaration as IFieldSymbol).Locations.First();
var declearationNode = StaticAnalysisUtilites.FindDeclearationNode(location);
var hasAutoTypeSetting = StaticAnalysisUtilites.IsAssignedValue(declearationNode, _typeName, _vulnerabletypeNameSettings);
var hasSerialBinder = StaticAnalysisUtilites.IsAssignedInterface(declearationNode, context, _binderInterface);
isVulnerable = hasAutoTypeSetting && !hasSerialBinder;
}
}
return(isVulnerable);
}
