rspec/rules/S4797/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
using System.IO;
using Microsoft.Win32.SafeHandles;
using System.Security.AccessControl;
using System.IO.Compression;
using System.IO.IsolatedStorage;
using System.IO.MemoryMappedFiles;

// Use interop to call the CreateFile function.
// For more information about CreateFile,
// see the unmanaged MSDN reference library.
[DllImport("kernel32.dll", SetLastError = true, CharSet=CharSet.Unicode)]
static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess,
uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
uint dwFlagsAndAttributes, IntPtr hTemplateFile);


// Review any static method call of File and Directory
File.Exists("test.txt"); // Sensitive
Directory.Exists("test"); // Sensitive

// Review any instantiation of FileInfo and DirectoryInfo and check how they are used
new FileInfo("test.txt"); // Sensitive
new DirectoryInfo("test"); // Sensitive

// Review the creation of SafeFileHandle and how it is used.
SafeFileHandle handle = CreateFile(...) // Sensitive
new SafeFileHandle(IntPtr.Zero, false); // Sensitive

// Sensitive: review the creation of FileStream and other Streams accepting a file path.
new FileStream("test.txt", FileMode.Create);

new StreamWriter("test.txt", ...); // Sensitive
new StreamReader("test.txt", ...); // Sensitive

// Review those two methods as they create file and directories.
Path.GetTempFileName(); // Sensitive
Path.GetTempPath(); // Sensitive

new FileSecurity("test.txt", AccessControlSections.All); // Sensitive

// Review all calls to static methods of ZipFile as they create file and/or directories
ZipFile.CreateFromDirectory("test.txt", "test.zip"); // Sensitive

// Review all calls to static methods of IsolatedStorageFile
IsolatedStorageFile.GetMachineStoreForApplication(); // Sensitive

// Review all instantiation of IsolatedStorageFileStream and how they are used
new IsolatedStorageFileStream("test.txt", ...); // Sensitive

// Review all Create* and Open* static methods of MemoryMappedFile and how the resulting file is used
MemoryMappedFile.CreateFromFile("test.txt"); // Sensitive
----

== Exceptions

The creation of ``++FileStream++`` from a ``++SafeFileHandle++`` won't raise an issue as the creation of ``++SafeFileHandle++`` already raised one.

Only the creation of ``++StreamWriter++`` or ``++StreamReader++`` from a string path will raise an issue for the same reason.

include::../see.adoc[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`using System.IO;`
			`using Microsoft.Win32.SafeHandles;`
			`using System.Security.AccessControl;`
			`using System.IO.Compression;`
			`using System.IO.IsolatedStorage;`
			`using System.IO.MemoryMappedFiles;`

			`// Use interop to call the CreateFile function.`
			`// For more information about CreateFile,`
			`// see the unmanaged MSDN reference library.`
			`[DllImport("kernel32.dll", SetLastError = true, CharSet=CharSet.Unicode)]`
			`static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess,`
			`uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,`
			`uint dwFlagsAndAttributes, IntPtr hTemplateFile);`


			`// Review any static method call of File and Directory`
			`File.Exists("test.txt"); // Sensitive`
			`Directory.Exists("test"); // Sensitive`

			`// Review any instantiation of FileInfo and DirectoryInfo and check how they are used`
			`new FileInfo("test.txt"); // Sensitive`
			`new DirectoryInfo("test"); // Sensitive`

			`// Review the creation of SafeFileHandle and how it is used.`
			`SafeFileHandle handle = CreateFile(...) // Sensitive`
			`new SafeFileHandle(IntPtr.Zero, false); // Sensitive`

			`// Sensitive: review the creation of FileStream and other Streams accepting a file path.`
			`new FileStream("test.txt", FileMode.Create);`

			`new StreamWriter("test.txt", ...); // Sensitive`
			`new StreamReader("test.txt", ...); // Sensitive`

			`// Review those two methods as they create file and directories.`
			`Path.GetTempFileName(); // Sensitive`
			`Path.GetTempPath(); // Sensitive`

			`new FileSecurity("test.txt", AccessControlSections.All); // Sensitive`

			`// Review all calls to static methods of ZipFile as they create file and/or directories`
			`ZipFile.CreateFromDirectory("test.txt", "test.zip"); // Sensitive`

			`// Review all calls to static methods of IsolatedStorageFile`
			`IsolatedStorageFile.GetMachineStoreForApplication(); // Sensitive`

			`// Review all instantiation of IsolatedStorageFileStream and how they are used`
			`new IsolatedStorageFileStream("test.txt", ...); // Sensitive`

			`// Review all Create* and Open* static methods of MemoryMappedFile and how the resulting file is used`
			`MemoryMappedFile.CreateFromFile("test.txt"); // Sensitive`
			`----`

			`== Exceptions`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			The creation of ``++FileStream++`` from a ``++SafeFileHandle++`` won't raise an issue as the creation of ``++SafeFileHandle++`` already raised one.
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			Only the creation of ``++StreamWriter++`` or ``++StreamReader++`` from a string path will raise an issue for the same reason.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`include::../see.adoc[]`