rspec/rules/S4834/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
using System.Threading;
using System.Security.Permissions;
using System.Security.Principal;
using System.IdentityModel.Tokens;

class SecurityPrincipalDemo
{
    class MyIdentity : IIdentity // Sensitive, custom IIdentity implementations should be reviewed
    {
        // ...
    }

    class MyPrincipal : IPrincipal // Sensitive, custom IPrincipal implementations should be reviewed
    {
        // ...
    }
    [System.Security.Permissions.PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] // Sensitive. The access restrictions enforced by this attribute should be reviewed.
    static void CheckAdministrator()
    {
        WindowsIdentity MyIdentity = WindowsIdentity.GetCurrent(); // Sensitive
        HttpContext.User = ...; // Sensitive: review all reference (set and get) to System.Web HttpContext.User
        AppDomain domain = AppDomain.CurrentDomain;
        domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); // Sensitive
        MyIdentity identity = new MyIdentity(); // Sensitive
        MyPrincipal MyPrincipal = new MyPrincipal(MyIdentity); // Sensitive
        Thread.CurrentPrincipal = MyPrincipal; // Sensitive
        domain.SetThreadPrincipal(MyPrincipal); // Sensitive

        // All instantiation of PrincipalPermission should be reviewed.
        PrincipalPermission principalPerm = new PrincipalPermission(null, "Administrators"); // Sensitive
        principalPerm.Demand();

        SecurityTokenHandler handler = ...;
        // Sensitive: this creates an identity.
        ReadOnlyCollection<ClaimsIdentity> identities = handler.ValidateToken(…);
    }

     // Sensitive: review how this function uses the identity and principal.
    void modifyPrincipal(MyIdentity identity, MyPrincipal principal)
    {
        // ...
    }
}
----

include::../see.adoc[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`using System.Threading;`
			`using System.Security.Permissions;`
			`using System.Security.Principal;`
			`using System.IdentityModel.Tokens;`

			`class SecurityPrincipalDemo`
			`{`
			`class MyIdentity : IIdentity // Sensitive, custom IIdentity implementations should be reviewed`
			`{`
			`// ...`
			`}`

			`class MyPrincipal : IPrincipal // Sensitive, custom IPrincipal implementations should be reviewed`
			`{`
			`// ...`
			`}`
			`[System.Security.Permissions.PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] // Sensitive. The access restrictions enforced by this attribute should be reviewed.`
			`static void CheckAdministrator()`
			`{`
			`WindowsIdentity MyIdentity = WindowsIdentity.GetCurrent(); // Sensitive`
			`HttpContext.User = ...; // Sensitive: review all reference (set and get) to System.Web HttpContext.User`
			`AppDomain domain = AppDomain.CurrentDomain;`
			`domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); // Sensitive`
			`MyIdentity identity = new MyIdentity(); // Sensitive`
			`MyPrincipal MyPrincipal = new MyPrincipal(MyIdentity); // Sensitive`
			`Thread.CurrentPrincipal = MyPrincipal; // Sensitive`
			`domain.SetThreadPrincipal(MyPrincipal); // Sensitive`

			`// All instantiation of PrincipalPermission should be reviewed.`
			`PrincipalPermission principalPerm = new PrincipalPermission(null, "Administrators"); // Sensitive`
			`principalPerm.Demand();`

			`SecurityTokenHandler handler = ...;`
			`// Sensitive: this creates an identity.`
			`ReadOnlyCollection<ClaimsIdentity> identities = handler.ValidateToken(…);`
			`}`

			`// Sensitive: review how this function uses the identity and principal.`
			`void modifyPrincipal(MyIdentity identity, MyPrincipal principal)`
			`{`
			`// ...`
			`}`
			`}`
			`----`

			`include::../see.adoc[]`