rspec/rules/S2259/why-dotnet.adoc

== Why is this an issue?

Accessing a {null-keyword-link}[{null-keyword}] value will always throw a https://learn.microsoft.com/en-us/dotnet/api/system.nullreferenceexception[NullReferenceException] most likely causing an abrupt program termination.

Such termination might expose sensitive information that a malicious third party could exploit to, for instance, bypass security measures.

=== Exceptions

In the following cases, the rule does not raise:

==== Extensions Methods

Calls to extension methods can still operate on `{null-keyword}` values.

include::{language}/exception-code-extension-method.adoc[]

==== Unreachable code

Unreachable code is not executed, thus `{null-keyword}` values will never be accessed.

include::{language}/exception-code-unreachable.adoc[]

==== Validated value by analysis attributes

https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/attributes/nullable-analysis[Nullable analysis attributes] enable the developer to annotate methods with information about the null-state of its arguments. Thus, potential `{null-keyword}` values validated by one of the following attributes will not raise:

* https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullattribute[NotNullAttribute]
* https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullwhenattribute[NotNullWhenAttribute]
* https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.doesnotreturnattribute[DoesNotReturnAttribute]
* https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.doesnotreturnifattribute[DoesNotReturnIfAttribute]

It is important to note those attributes are only available starting .NET Core 3. As a workaround, it is possible to define those attributes manually in a custom class:

include::{language}/exception-code-analysis-attr.adoc[]

==== Validated value by Debug.Assert

A value validated with https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.debug.assert[Debug.Assert] to not be `{null-keyword}` is safe to access.

include::{language}/exception-code-debug-assert.adoc[]

==== Validated value by IDE-specific attributes

Like with null-analysis-attribute, potential `{null-keyword}` values validated by one of the following IDE-specific attributes will not raise

===== Visual Studio

* https://learn.microsoft.com/en-us/dotnet/api/microsoft.validatednotnullattribute[ValidatedNotNullAttribute]
+
(The attribute is interpreted the same as the https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullattribute[NotNullAttribute])

===== JetBrains Rider

* https://www.jetbrains.com/help/resharper/Reference__Code_Annotation_Attributes.html#NotNullAttribute[NotNullAttribute]
* https://www.jetbrains.com/help/resharper/Reference__Code_Annotation_Attributes.html#TerminatesProgramAttribute[TerminatesProgramAttribute]
+

include::{language}/exception-code-rider-attr.adoc[]