include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example ---- using System; using System.Reflection; class TestReflection { public static void Run(string typeName, string methodName, string fieldName, string propertyName, string moduleName) { Assembly.Load(...); // Sensitive Assembly.LoadFile(...); // Sensitive Assembly.LoadFrom(...); // Sensitive Assembly.LoadWithPartialName(...); // Sensitive + deprecated Assembly.ReflectionOnlyLoad(...); // This is OK as the resulting type is not executable. Assembly.ReflectionOnlyLoadFrom(...); // This is OK as the resulting type is not executable. Assembly assembly = typeof(TestReflection).Assembly; // Review this code to make sure that the module, type, method and field are safe Type type = assembly.GetType(typeName); // Sensitive Module module = assembly.GetModule(moduleName); // Sensitive type = System.Type.GetType(typeName); // Sensitive type = type.GetNestedType(typeName); // Sensitive type = type.GetInterface(typeName); // Sensitive MethodInfo method = type.GetMethod(methodName); // Sensitive FieldInfo field = type.GetField(fieldName); // Sensitive PropertyInfo property = type.GetProperty(propertyName); // Sensitive // Review this code to make sure that the modules, types, methods and fields are used safely Module[] modules = assembly.GetModules(); // Sensitive modules = assembly.GetLoadedModules(); // Sensitive Type[] types = assembly.GetTypes(); // Sensitive types = assembly.GetExportedTypes(); // Sensitive types = type.GetNestedTypes(); // Sensitive MethodInfo[] methods = type.GetMethods(); // Sensitive FieldInfo[] fields = type.GetFields(); // Sensitive PropertyInfo[] properties = type.GetProperties(); // Sensitive MemberInfo[] members = type.GetMembers(); // Sensitive members = type.GetMember(methodName); // Sensitive members = type.GetDefaultMembers(); // Sensitive type.InvokeMember(...); // Sensitive, when the method name is provided as a string assembly.CreateInstance(typeName); // Sensitive type = Type.ReflectionOnlyGetType(typeName,true, true); // This is OK as the resulting type is not executable. Activator.CreateComInstanceFrom(...); // Sensitive, when the type name is provided as a string Activator.CreateInstance(...); // Sensitive, when the type name is provided as a string Activator.CreateInstanceFrom(...); // Sensitive, when the type name is provided as a string Activator.CreateInstance<>(); // OK - can only be created from a referenced type } } ---- == Exceptions No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario. Example: ---- assembly.GetType("MyHardcodedType") ---- No issue will be created if one of the methods is called on an instance of _Type_ created using _typeof_. There can be no injection in this specific scenario. Example: ---- typeof(CustomType).GetMethods(); ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) === on 16 Oct 2018, 15:50:14 Nicolas Harraudeau wrote: *Implementation details*: The goal here is to highlight all methods which either retrieve all Types/Methods/Fields/Modules, or retrieve a specific one by name. The reason for highlighting functions listing all Types/Methods/... is that there is often later a loop filtering the list by name. === on 10 Nov 2018, 20:52:04 Duncan Pocklington wrote: *Implementation details:* _Activator.CreateInstanceFrom(....)_ will not be reported on if using an overload that accepts a _Type_, since a separate issue will have been created if the creation of the _Type_ is unsafe. include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]