include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example ---- using System.IO; using Microsoft.Win32.SafeHandles; using System.Security.AccessControl; using System.IO.Compression; using System.IO.IsolatedStorage; using System.IO.MemoryMappedFiles; // Use interop to call the CreateFile function. // For more information about CreateFile, // see the unmanaged MSDN reference library. [DllImport("kernel32.dll", SetLastError = true, CharSet=CharSet.Unicode)] static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile); // Review any static method call of File and Directory File.Exists("test.txt"); // Sensitive Directory.Exists("test"); // Sensitive // Review any instantiation of FileInfo and DirectoryInfo and check how they are used new FileInfo("test.txt"); // Sensitive new DirectoryInfo("test"); // Sensitive // Review the creation of SafeFileHandle and how it is used. SafeFileHandle handle = CreateFile(...) // Sensitive new SafeFileHandle(IntPtr.Zero, false); // Sensitive // Sensitive: review the creation of FileStream and other Streams accepting a file path. new FileStream("test.txt", FileMode.Create); new StreamWriter("test.txt", ...); // Sensitive new StreamReader("test.txt", ...); // Sensitive // Review those two methods as they create file and directories. Path.GetTempFileName(); // Sensitive Path.GetTempPath(); // Sensitive new FileSecurity("test.txt", AccessControlSections.All); // Sensitive // Review all calls to static methods of ZipFile as they create file and/or directories ZipFile.CreateFromDirectory("test.txt", "test.zip"); // Sensitive // Review all calls to static methods of IsolatedStorageFile IsolatedStorageFile.GetMachineStoreForApplication(); // Sensitive // Review all instantiation of IsolatedStorageFileStream and how they are used new IsolatedStorageFileStream("test.txt", ...); // Sensitive // Review all Create* and Open* static methods of MemoryMappedFile and how the resulting file is used MemoryMappedFile.CreateFromFile("test.txt"); // Sensitive ---- == Exceptions The creation of ``++FileStream++`` from a ``++SafeFileHandle++`` won't raise an issue as the creation of ``++SafeFileHandle++`` already raised one. Only the creation of ``++StreamWriter++`` or ``++StreamReader++`` from a string path will raise an issue for the same reason. include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) === on 9 Oct 2018, 19:21:24 Nicolas Harraudeau wrote: *Out of scope for now*: * Azure storage: \https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-dotnet?tabs=macos * Windows storage: ** \https://docs.microsoft.com/en-gb/previous-versions/windows/apps/hh464917(v=win.10) ** \https://docs.microsoft.com/en-us/windows/desktop/data-access-and-storage *Implementation details*: This rule does not highlight methods or classes which take a File object as argument. Only those which take a String path should be highlighted. include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]