system.net.http.formatting.dll veracode finding : Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470)(1 flaw)

[mtoha2013]

dear Team,

This dll is having issue found by veracode scan..

Can you help to make updated release, to solve this issue?

I can describe you some information of the finding:

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470)(1flaw)
Description
A call uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create
unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector
may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected
manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the
constructor of the untrusted class name will have already executed.

Recommendations
Validate the class name against a combination of white and black lists to ensure that only expected behavior is
produced.

Instances found via Static Scan
Flaw Id : 804
Module # : -
Class # : 4
Module : system.net.http.formatting.dll
Location : object GetDefaultValueForType(System.Type) 91%

[mkArtakMSFT]

Thanks for contacting us. Can you please share more context about which specific call you believe is problematic?
Because looking at the API it's accepting a Type instance, not a user-specified string to instantiate type instance from, so ....

We'll wait for more info from you on this.