rspec/rules/S4834/vbnet/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
Imports System.Threading
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.IdentityModel.Tokens

Class SecurityPrincipalDemo
    Class MyIdentity
        Implements IIdentity ' Sensitive, custom IIdentity implementations should be reviewed
    End Class

    Class MyPrincipal
        Implements IPrincipal ' Sensitive, custom IPrincipal implementations should be reviewed
    End Class

    <System.Security.Permissions.PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> ' Sensitive. The access restrictions enforced by this attribute should be reviewed.
    Private Shared Sub CheckAdministrator()
        Dim MyIdentity As WindowsIdentity = WindowsIdentity.GetCurrent() ' Sensitive

        HttpContext.User = ... ' Sensitive: review all reference (set and get) to System.Web HttpContext.User

        Dim domain As AppDomain = AppDomain.CurrentDomain
        domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal) ' Sensitive

        Dim identity As MyIdentity = New MyIdentity() ' Sensitive
        Dim MyPrincipal As MyPrincipal = New MyPrincipal(MyIdentity) ' Sensitive
        Thread.CurrentPrincipal = MyPrincipal ' Sensitive
        domain.SetThreadPrincipal(MyPrincipal) ' Sensitive

        Dim principalPerm As PrincipalPermission = New PrincipalPermission(Nothing, "Administrators")  ' Sensitive
        principalPerm.Demand()

        Dim handler As SecurityTokenHandler = ...
        Dim identities As ReadOnlyCollection(Of ClaimsIdentity) = handler.ValidateToken()  ' Sensitive, this creates identity
    End Sub

    ' Sensitive: review how this function uses the identity and principal.
    Private Sub modifyPrincipal(ByVal identity As MyIdentity, ByVal principal As MyPrincipal)
    End Sub
End Class
----

include::../see.adoc[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`Imports System.Threading`
			`Imports System.Security.Permissions`
			`Imports System.Security.Principal`
			`Imports System.IdentityModel.Tokens`

			`Class SecurityPrincipalDemo`
			`Class MyIdentity`
			`Implements IIdentity ' Sensitive, custom IIdentity implementations should be reviewed`
			`End Class`

			`Class MyPrincipal`
			`Implements IPrincipal ' Sensitive, custom IPrincipal implementations should be reviewed`
			`End Class`

			`<System.Security.Permissions.PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> ' Sensitive. The access restrictions enforced by this attribute should be reviewed.`
			`Private Shared Sub CheckAdministrator()`
			`Dim MyIdentity As WindowsIdentity = WindowsIdentity.GetCurrent() ' Sensitive`

			`HttpContext.User = ... ' Sensitive: review all reference (set and get) to System.Web HttpContext.User`

			`Dim domain As AppDomain = AppDomain.CurrentDomain`
			`domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal) ' Sensitive`

			`Dim identity As MyIdentity = New MyIdentity() ' Sensitive`
			`Dim MyPrincipal As MyPrincipal = New MyPrincipal(MyIdentity) ' Sensitive`
			`Thread.CurrentPrincipal = MyPrincipal ' Sensitive`
			`domain.SetThreadPrincipal(MyPrincipal) ' Sensitive`

			`Dim principalPerm As PrincipalPermission = New PrincipalPermission(Nothing, "Administrators") ' Sensitive`
			`principalPerm.Demand()`

			`Dim handler As SecurityTokenHandler = ...`
			`Dim identities As ReadOnlyCollection(Of ClaimsIdentity) = handler.ValidateToken() ' Sensitive, this creates identity`
			`End Sub`

			`' Sensitive: review how this function uses the identity and principal.`
			`Private Sub modifyPrincipal(ByVal identity As MyIdentity, ByVal principal As MyPrincipal)`
			`End Sub`
			`End Class`
			`----`

			`include::../see.adoc[]`