include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
Imports System
Imports System.Reflection

Class TestReflection

    Public Shared Sub Run(typeName As String, methodName As String, fieldName As String, propertyName As String, moduleName As String)

        Assembly.Load(...) ' Sensitive
        Assembly.LoadFile(...) ' Sensitive
        Assembly.LoadFrom(...) ' Sensitive
        Assembly.LoadWithPartialName(...) ' Sensitive + deprecated

        Assembly.ReflectionOnlyLoad(...)  ' This is OK as the resulting type is not executable.
        Assembly.ReflectionOnlyLoadFrom(...) ' This is OK as the resulting type is not executable.
        Dim asm = GetType(TestReflection).Assembly

        ' Review this code to make sure that the module, type, method And field are safe
        Dim type As Type = asm.GetType(typeName) ' Sensitive
        Dim [module] As [Module] = asm.GetModule(moduleName) ' Sensitive

        type = System.Type.GetType(typeName) ' Sensitive
        type = type.GetNestedType(typeName) ' Sensitive
        type = type.GetInterface(typeName) ' Sensitive
        Dim method As MethodInfo = type.GetMethod(methodName) ' Sensitive
        Dim field As FieldInfo = type.GetField(fieldName) ' Sensitive
        Dim prop as PropertyInfo = type.GetProperty(propertyName) ' Sensitive


        ' Review this code to make sure that the modules, types, methods And fields are used safely
        Dim modules = asm.GetModules() ' Sensitive
        modules = asm.GetLoadedModules() ' Sensitive

        Dim types = asm.GetTypes() ' Sensitive
        types = asm.GetExportedTypes() ' Sensitive

        types = type.GetNestedTypes() ' Sensitive
        Dim methods = type.GetMethods() ' Sensitive
        Dim fields = type.GetFields() ' Sensitive
        Dim properties = type.GetProperties() ' Sensitive
        Dim members = type.GetMembers() ' Sensitive
        members = type.GetMember(methodName) ' Sensitive
        members = type.GetDefaultMembers() ' Sensitive

        type.InvokeMember(...) ' Sensitive, when the method name is provided as a string
        asm.CreateInstance(typeName) ' Sensitive

        type = Type.ReflectionOnlyGetType(typeName, True, True) ' This is OK as the resulting type is not executable.

        Activator.CreateComInstanceFrom(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstance(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstanceFrom(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstance(Of ...)() ' OK - can only be created from a referenced type

    End Sub
End Class
----

== Exceptions

No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.

Example:

----
assembly.GetType("MyHardcodedType")
----

No issue will be created if one of the methods is called on an instance of _Type_ created using _GetType_ operator. There can be no injection in this specific scenario.

Example:

----
typeof(CustomType).GetMethods();
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]