rspec/rules/S1523/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
using System;
using System.Reflection;

class TestReflection
{
    public static void Run(string typeName, string methodName, string fieldName, string propertyName, string moduleName)
    {
        Assembly.Load(...); // Sensitive
        Assembly.LoadFile(...); // Sensitive
        Assembly.LoadFrom(...); // Sensitive
        Assembly.LoadWithPartialName(...); // Sensitive + deprecated

        Assembly.ReflectionOnlyLoad(...);  // This is OK as the resulting type is not executable.
        Assembly.ReflectionOnlyLoadFrom(...); // This is OK as the resulting type is not executable.

        Assembly assembly = typeof(TestReflection).Assembly;

        // Review this code to make sure that the module, type, method and field are safe
        Type type = assembly.GetType(typeName); // Sensitive
        Module module = assembly.GetModule(moduleName); // Sensitive

        type = System.Type.GetType(typeName); // Sensitive
        type = type.GetNestedType(typeName); // Sensitive
        type = type.GetInterface(typeName);  // Sensitive
        MethodInfo method = type.GetMethod(methodName); // Sensitive
        FieldInfo field = type.GetField(fieldName); // Sensitive
        PropertyInfo property = type.GetProperty(propertyName); // Sensitive


        // Review this code to make sure that the modules, types, methods and fields are used safely
        Module[] modules = assembly.GetModules(); // Sensitive
        modules = assembly.GetLoadedModules(); // Sensitive

        Type[] types = assembly.GetTypes(); // Sensitive
        types = assembly.GetExportedTypes(); // Sensitive

        types = type.GetNestedTypes(); // Sensitive
        MethodInfo[] methods = type.GetMethods(); // Sensitive
        FieldInfo[] fields = type.GetFields(); // Sensitive
        PropertyInfo[] properties = type.GetProperties(); // Sensitive
        MemberInfo[] members = type.GetMembers(); // Sensitive
        members = type.GetMember(methodName); // Sensitive
        members = type.GetDefaultMembers(); // Sensitive

        type.InvokeMember(...); // Sensitive, when the method name is provided as a string

        assembly.CreateInstance(typeName); // Sensitive


        type = Type.ReflectionOnlyGetType(typeName,true, true); // This is OK as the resulting type is not executable.

        Activator.CreateComInstanceFrom(...); // Sensitive, when the type name is provided as a string
        Activator.CreateInstance(...); // Sensitive, when the type name is provided as a string
        Activator.CreateInstanceFrom(...); // Sensitive, when the type name is provided as a string
        Activator.CreateInstance<>(); // OK - can only be created from a referenced type
    }
}
----

== Exceptions

No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.

Example:

----
assembly.GetType("MyHardcodedType")
----

No issue will be created if one of the methods is called on an instance of _Type_ created using _typeof_. There can be no injection in this specific scenario.

Example:

----
typeof(CustomType).GetMethods();
----

include::../see.adoc[]
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`using System;`
			`using System.Reflection;`

			`class TestReflection`
			`{`
			`public static void Run(string typeName, string methodName, string fieldName, string propertyName, string moduleName)`
			`{`
			`Assembly.Load(...); // Sensitive`
			`Assembly.LoadFile(...); // Sensitive`
			`Assembly.LoadFrom(...); // Sensitive`
			`Assembly.LoadWithPartialName(...); // Sensitive + deprecated`

			`Assembly.ReflectionOnlyLoad(...); // This is OK as the resulting type is not executable.`
			`Assembly.ReflectionOnlyLoadFrom(...); // This is OK as the resulting type is not executable.`

			`Assembly assembly = typeof(TestReflection).Assembly;`

			`// Review this code to make sure that the module, type, method and field are safe`
			`Type type = assembly.GetType(typeName); // Sensitive`
			`Module module = assembly.GetModule(moduleName); // Sensitive`

			`type = System.Type.GetType(typeName); // Sensitive`
			`type = type.GetNestedType(typeName); // Sensitive`
			`type = type.GetInterface(typeName); // Sensitive`
			`MethodInfo method = type.GetMethod(methodName); // Sensitive`
			`FieldInfo field = type.GetField(fieldName); // Sensitive`
			`PropertyInfo property = type.GetProperty(propertyName); // Sensitive`


			`// Review this code to make sure that the modules, types, methods and fields are used safely`
			`Module[] modules = assembly.GetModules(); // Sensitive`
			`modules = assembly.GetLoadedModules(); // Sensitive`

			`Type[] types = assembly.GetTypes(); // Sensitive`
			`types = assembly.GetExportedTypes(); // Sensitive`

			`types = type.GetNestedTypes(); // Sensitive`
			`MethodInfo[] methods = type.GetMethods(); // Sensitive`
			`FieldInfo[] fields = type.GetFields(); // Sensitive`
			`PropertyInfo[] properties = type.GetProperties(); // Sensitive`
			`MemberInfo[] members = type.GetMembers(); // Sensitive`
			`members = type.GetMember(methodName); // Sensitive`
			`members = type.GetDefaultMembers(); // Sensitive`

			`type.InvokeMember(...); // Sensitive, when the method name is provided as a string`

			`assembly.CreateInstance(typeName); // Sensitive`


			`type = Type.ReflectionOnlyGetType(typeName,true, true); // This is OK as the resulting type is not executable.`

			`Activator.CreateComInstanceFrom(...); // Sensitive, when the type name is provided as a string`
			`Activator.CreateInstance(...); // Sensitive, when the type name is provided as a string`
			`Activator.CreateInstanceFrom(...); // Sensitive, when the type name is provided as a string`
			`Activator.CreateInstance<>(); // OK - can only be created from a referenced type`
			`}`
			`}`
			`----`

			`== Exceptions`

			`No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.`
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`Example:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`----`
			`assembly.GetType("MyHardcodedType")`
			`----`

			`No issue will be created if one of the methods is called on an instance of _Type_ created using _typeof_. There can be no injection in this specific scenario.`
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`Example:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`----`
			`typeof(CustomType).GetMethods();`
			`----`

			`include::../see.adoc[]`