rspec/rules/S4797/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
using System.IO;
using Microsoft.Win32.SafeHandles;
using System.Security.AccessControl;
using System.IO.Compression;
using System.IO.IsolatedStorage;
using System.IO.MemoryMappedFiles;

// Use interop to call the CreateFile function.
// For more information about CreateFile,
// see the unmanaged MSDN reference library.
[DllImport("kernel32.dll", SetLastError = true, CharSet=CharSet.Unicode)]
static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess,
uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
uint dwFlagsAndAttributes, IntPtr hTemplateFile);


// Review any static method call of File and Directory
File.Exists("test.txt"); // Sensitive
Directory.Exists("test"); // Sensitive

// Review any instantiation of FileInfo and DirectoryInfo and check how they are used
new FileInfo("test.txt"); // Sensitive
new DirectoryInfo("test"); // Sensitive

// Review the creation of SafeFileHandle and how it is used.
SafeFileHandle handle = CreateFile(...) // Sensitive
new SafeFileHandle(IntPtr.Zero, false); // Sensitive

// Sensitive: review the creation of FileStream and other Streams accepting a file path.
new FileStream("test.txt", FileMode.Create);

new StreamWriter("test.txt", ...); // Sensitive
new StreamReader("test.txt", ...); // Sensitive

// Review those two methods as they create file and directories.
Path.GetTempFileName(); // Sensitive
Path.GetTempPath(); // Sensitive

new FileSecurity("test.txt", AccessControlSections.All); // Sensitive

// Review all calls to static methods of ZipFile as they create file and/or directories
ZipFile.CreateFromDirectory("test.txt", "test.zip"); // Sensitive

// Review all calls to static methods of IsolatedStorageFile
IsolatedStorageFile.GetMachineStoreForApplication(); // Sensitive

// Review all instantiation of IsolatedStorageFileStream and how they are used
new IsolatedStorageFileStream("test.txt", ...); // Sensitive

// Review all Create* and Open* static methods of MemoryMappedFile and how the resulting file is used
MemoryMappedFile.CreateFromFile("test.txt"); // Sensitive
----

== Exceptions

The creation of ``++FileStream++`` from a ``++SafeFileHandle++`` won't raise an issue as the creation of ``++SafeFileHandle++`` already raised one.

Only the creation of ``++StreamWriter++`` or ``++StreamReader++`` from a string path will raise an issue for the same reason.

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 9 Oct 2018, 19:21:24 Nicolas Harraudeau wrote:
*Out of scope for now*:

* Azure storage: \https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-dotnet?tabs=macos
* Windows storage:
** \https://docs.microsoft.com/en-gb/previous-versions/windows/apps/hh464917(v=win.10)
** \https://docs.microsoft.com/en-us/windows/desktop/data-access-and-storage

*Implementation details*:

This rule does not highlight methods or classes which take a File object as argument. Only those which take a String path should be highlighted.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`using System.IO;`
			`using Microsoft.Win32.SafeHandles;`
			`using System.Security.AccessControl;`
			`using System.IO.Compression;`
			`using System.IO.IsolatedStorage;`
			`using System.IO.MemoryMappedFiles;`

			`// Use interop to call the CreateFile function.`
			`// For more information about CreateFile,`
			`// see the unmanaged MSDN reference library.`
			`[DllImport("kernel32.dll", SetLastError = true, CharSet=CharSet.Unicode)]`
			`static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess,`
			`uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,`
			`uint dwFlagsAndAttributes, IntPtr hTemplateFile);`


			`// Review any static method call of File and Directory`
			`File.Exists("test.txt"); // Sensitive`
			`Directory.Exists("test"); // Sensitive`

			`// Review any instantiation of FileInfo and DirectoryInfo and check how they are used`
			`new FileInfo("test.txt"); // Sensitive`
			`new DirectoryInfo("test"); // Sensitive`

			`// Review the creation of SafeFileHandle and how it is used.`
			`SafeFileHandle handle = CreateFile(...) // Sensitive`
			`new SafeFileHandle(IntPtr.Zero, false); // Sensitive`

			`// Sensitive: review the creation of FileStream and other Streams accepting a file path.`
			`new FileStream("test.txt", FileMode.Create);`

			`new StreamWriter("test.txt", ...); // Sensitive`
			`new StreamReader("test.txt", ...); // Sensitive`

			`// Review those two methods as they create file and directories.`
			`Path.GetTempFileName(); // Sensitive`
			`Path.GetTempPath(); // Sensitive`

			`new FileSecurity("test.txt", AccessControlSections.All); // Sensitive`

			`// Review all calls to static methods of ZipFile as they create file and/or directories`
			`ZipFile.CreateFromDirectory("test.txt", "test.zip"); // Sensitive`

			`// Review all calls to static methods of IsolatedStorageFile`
			`IsolatedStorageFile.GetMachineStoreForApplication(); // Sensitive`

			`// Review all instantiation of IsolatedStorageFileStream and how they are used`
			`new IsolatedStorageFileStream("test.txt", ...); // Sensitive`

			`// Review all Create* and Open* static methods of MemoryMappedFile and how the resulting file is used`
			`MemoryMappedFile.CreateFromFile("test.txt"); // Sensitive`
			`----`

			`== Exceptions`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			The creation of ``++FileStream++`` from a ``++SafeFileHandle++`` won't raise an issue as the creation of ``++SafeFileHandle++`` already raised one.
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			Only the creation of ``++StreamWriter++`` or ``++StreamReader++`` from a string path will raise an issue for the same reason.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 9 Oct 2018, 19:21:24 Nicolas Harraudeau wrote:`
			`Out of scope for now:`

			`* Azure storage: \https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-dotnet?tabs=macos`
			`* Windows storage:`
			`** \https://docs.microsoft.com/en-gb/previous-versions/windows/apps/hh464917(v=win.10)`
			`** \https://docs.microsoft.com/en-us/windows/desktop/data-access-and-storage`

			`Implementation details:`

			`This rule does not highlight methods or classes which take a File object as argument. Only those which take a String path should be highlighted.`

			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`