84 lines
3.2 KiB
Plaintext
84 lines
3.2 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
----
|
||
|
|
using System;
|
||
|
|
using System.Reflection;
|
||
|
|
|
||
|
|
class TestReflection
|
||
|
|
{
|
||
|
|
public static void Run(string typeName, string methodName, string fieldName, string propertyName, string moduleName)
|
||
|
|
{
|
||
|
|
Assembly.Load(...); // Sensitive
|
||
|
|
Assembly.LoadFile(...); // Sensitive
|
||
|
|
Assembly.LoadFrom(...); // Sensitive
|
||
|
|
Assembly.LoadWithPartialName(...); // Sensitive + deprecated
|
||
|
|
|
||
|
|
Assembly.ReflectionOnlyLoad(...); // This is OK as the resulting type is not executable.
|
||
|
|
Assembly.ReflectionOnlyLoadFrom(...); // This is OK as the resulting type is not executable.
|
||
|
|
|
||
|
|
Assembly assembly = typeof(TestReflection).Assembly;
|
||
|
|
|
||
|
|
// Review this code to make sure that the module, type, method and field are safe
|
||
|
|
Type type = assembly.GetType(typeName); // Sensitive
|
||
|
|
Module module = assembly.GetModule(moduleName); // Sensitive
|
||
|
|
|
||
|
|
type = System.Type.GetType(typeName); // Sensitive
|
||
|
|
type = type.GetNestedType(typeName); // Sensitive
|
||
|
|
type = type.GetInterface(typeName); // Sensitive
|
||
|
|
MethodInfo method = type.GetMethod(methodName); // Sensitive
|
||
|
|
FieldInfo field = type.GetField(fieldName); // Sensitive
|
||
|
|
PropertyInfo property = type.GetProperty(propertyName); // Sensitive
|
||
|
|
|
||
|
|
|
||
|
|
// Review this code to make sure that the modules, types, methods and fields are used safely
|
||
|
|
Module[] modules = assembly.GetModules(); // Sensitive
|
||
|
|
modules = assembly.GetLoadedModules(); // Sensitive
|
||
|
|
|
||
|
|
Type[] types = assembly.GetTypes(); // Sensitive
|
||
|
|
types = assembly.GetExportedTypes(); // Sensitive
|
||
|
|
|
||
|
|
types = type.GetNestedTypes(); // Sensitive
|
||
|
|
MethodInfo[] methods = type.GetMethods(); // Sensitive
|
||
|
|
FieldInfo[] fields = type.GetFields(); // Sensitive
|
||
|
|
PropertyInfo[] properties = type.GetProperties(); // Sensitive
|
||
|
|
MemberInfo[] members = type.GetMembers(); // Sensitive
|
||
|
|
members = type.GetMember(methodName); // Sensitive
|
||
|
|
members = type.GetDefaultMembers(); // Sensitive
|
||
|
|
|
||
|
|
type.InvokeMember(...); // Sensitive, when the method name is provided as a string
|
||
|
|
|
||
|
|
assembly.CreateInstance(typeName); // Sensitive
|
||
|
|
|
||
|
|
|
||
|
|
type = Type.ReflectionOnlyGetType(typeName,true, true); // This is OK as the resulting type is not executable.
|
||
|
|
|
||
|
|
Activator.CreateComInstanceFrom(...); // Sensitive, when the type name is provided as a string
|
||
|
|
Activator.CreateInstance(...); // Sensitive, when the type name is provided as a string
|
||
|
|
Activator.CreateInstanceFrom(...); // Sensitive, when the type name is provided as a string
|
||
|
|
Activator.CreateInstance<>(); // OK - can only be created from a referenced type
|
||
|
|
}
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
== Exceptions
|
||
|
|
|
||
|
|
No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.
|
||
|
|
Example:
|
||
|
|
----
|
||
|
|
assembly.GetType("MyHardcodedType")
|
||
|
|
----
|
||
|
|
|
||
|
|
No issue will be created if one of the methods is called on an instance of _Type_ created using _typeof_. There can be no injection in this specific scenario.
|
||
|
|
Example:
|
||
|
|
----
|
||
|
|
typeof(CustomType).GetMethods();
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|