rspec/rules/S1523/vbnet/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
Imports System
Imports System.Reflection

Class TestReflection

    Public Shared Sub Run(typeName As String, methodName As String, fieldName As String, propertyName As String, moduleName As String)

        Assembly.Load(...) ' Sensitive
        Assembly.LoadFile(...) ' Sensitive
        Assembly.LoadFrom(...) ' Sensitive
        Assembly.LoadWithPartialName(...) ' Sensitive + deprecated

        Assembly.ReflectionOnlyLoad(...)  ' This is OK as the resulting type is not executable.
        Assembly.ReflectionOnlyLoadFrom(...) ' This is OK as the resulting type is not executable.
        Dim asm = GetType(TestReflection).Assembly

        ' Review this code to make sure that the module, type, method And field are safe
        Dim type As Type = asm.GetType(typeName) ' Sensitive
        Dim [module] As [Module] = asm.GetModule(moduleName) ' Sensitive

        type = System.Type.GetType(typeName) ' Sensitive
        type = type.GetNestedType(typeName) ' Sensitive
        type = type.GetInterface(typeName) ' Sensitive
        Dim method As MethodInfo = type.GetMethod(methodName) ' Sensitive
        Dim field As FieldInfo = type.GetField(fieldName) ' Sensitive
        Dim prop as PropertyInfo = type.GetProperty(propertyName) ' Sensitive


        ' Review this code to make sure that the modules, types, methods And fields are used safely
        Dim modules = asm.GetModules() ' Sensitive
        modules = asm.GetLoadedModules() ' Sensitive

        Dim types = asm.GetTypes() ' Sensitive
        types = asm.GetExportedTypes() ' Sensitive

        types = type.GetNestedTypes() ' Sensitive
        Dim methods = type.GetMethods() ' Sensitive
        Dim fields = type.GetFields() ' Sensitive
        Dim properties = type.GetProperties() ' Sensitive
        Dim members = type.GetMembers() ' Sensitive
        members = type.GetMember(methodName) ' Sensitive
        members = type.GetDefaultMembers() ' Sensitive

        type.InvokeMember(...) ' Sensitive, when the method name is provided as a string
        asm.CreateInstance(typeName) ' Sensitive

        type = Type.ReflectionOnlyGetType(typeName, True, True) ' This is OK as the resulting type is not executable.

        Activator.CreateComInstanceFrom(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstance(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstanceFrom(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstance(Of ...)() ' OK - can only be created from a referenced type

    End Sub
End Class
----

== Exceptions

No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.

Example:

----
assembly.GetType("MyHardcodedType")
----

No issue will be created if one of the methods is called on an instance of _Type_ created using _GetType_ operator. There can be no injection in this specific scenario.

Example:

----
typeof(CustomType).GetMethods();
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`Imports System`
			`Imports System.Reflection`

			`Class TestReflection`

			`Public Shared Sub Run(typeName As String, methodName As String, fieldName As String, propertyName As String, moduleName As String)`

			`Assembly.Load(...) ' Sensitive`
			`Assembly.LoadFile(...) ' Sensitive`
			`Assembly.LoadFrom(...) ' Sensitive`
			`Assembly.LoadWithPartialName(...) ' Sensitive + deprecated`

			`Assembly.ReflectionOnlyLoad(...) ' This is OK as the resulting type is not executable.`
			`Assembly.ReflectionOnlyLoadFrom(...) ' This is OK as the resulting type is not executable.`
			`Dim asm = GetType(TestReflection).Assembly`

			`' Review this code to make sure that the module, type, method And field are safe`
			`Dim type As Type = asm.GetType(typeName) ' Sensitive`
			`Dim [module] As [Module] = asm.GetModule(moduleName) ' Sensitive`

			`type = System.Type.GetType(typeName) ' Sensitive`
			`type = type.GetNestedType(typeName) ' Sensitive`
			`type = type.GetInterface(typeName) ' Sensitive`
			`Dim method As MethodInfo = type.GetMethod(methodName) ' Sensitive`
			`Dim field As FieldInfo = type.GetField(fieldName) ' Sensitive`
			`Dim prop as PropertyInfo = type.GetProperty(propertyName) ' Sensitive`


			`' Review this code to make sure that the modules, types, methods And fields are used safely`
			`Dim modules = asm.GetModules() ' Sensitive`
			`modules = asm.GetLoadedModules() ' Sensitive`

			`Dim types = asm.GetTypes() ' Sensitive`
			`types = asm.GetExportedTypes() ' Sensitive`

			`types = type.GetNestedTypes() ' Sensitive`
			`Dim methods = type.GetMethods() ' Sensitive`
			`Dim fields = type.GetFields() ' Sensitive`
			`Dim properties = type.GetProperties() ' Sensitive`
			`Dim members = type.GetMembers() ' Sensitive`
			`members = type.GetMember(methodName) ' Sensitive`
			`members = type.GetDefaultMembers() ' Sensitive`

			`type.InvokeMember(...) ' Sensitive, when the method name is provided as a string`
			`asm.CreateInstance(typeName) ' Sensitive`

			`type = Type.ReflectionOnlyGetType(typeName, True, True) ' This is OK as the resulting type is not executable.`

			`Activator.CreateComInstanceFrom(...) ' Sensitive, when the type name is provided as a string`
			`Activator.CreateInstance(...) ' Sensitive, when the type name is provided as a string`
			`Activator.CreateInstanceFrom(...) ' Sensitive, when the type name is provided as a string`
			`Activator.CreateInstance(Of ...)() ' OK - can only be created from a referenced type`

			`End Sub`
			`End Class`
			`----`

			`== Exceptions`

			`No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.`
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`Example:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`----`
			`assembly.GetType("MyHardcodedType")`
			`----`

			`No issue will be created if one of the methods is called on an instance of _Type_ created using _GetType_ operator. There can be no injection in this specific scenario.`
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`Example:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`----`
			`typeof(CustomType).GetMethods();`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`