
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
Imports System
|
|
Imports System.Reflection
|
|
|
|
Class TestReflection
|
|
|
|
Public Shared Sub Run(typeName As String, methodName As String, fieldName As String, propertyName As String, moduleName As String)
|
|
|
|
Assembly.Load(...) ' Sensitive
|
|
Assembly.LoadFile(...) ' Sensitive
|
|
Assembly.LoadFrom(...) ' Sensitive
|
|
Assembly.LoadWithPartialName(...) ' Sensitive + deprecated
|
|
|
|
Assembly.ReflectionOnlyLoad(...) ' This is OK as the resulting type is not executable.
|
|
Assembly.ReflectionOnlyLoadFrom(...) ' This is OK as the resulting type is not executable.
|
|
Dim asm = GetType(TestReflection).Assembly
|
|
|
|
' Review this code to make sure that the module, type, method And field are safe
|
|
Dim type As Type = asm.GetType(typeName) ' Sensitive
|
|
Dim [module] As [Module] = asm.GetModule(moduleName) ' Sensitive
|
|
|
|
type = System.Type.GetType(typeName) ' Sensitive
|
|
type = type.GetNestedType(typeName) ' Sensitive
|
|
type = type.GetInterface(typeName) ' Sensitive
|
|
Dim method As MethodInfo = type.GetMethod(methodName) ' Sensitive
|
|
Dim field As FieldInfo = type.GetField(fieldName) ' Sensitive
|
|
Dim prop as PropertyInfo = type.GetProperty(propertyName) ' Sensitive
|
|
|
|
|
|
' Review this code to make sure that the modules, types, methods And fields are used safely
|
|
Dim modules = asm.GetModules() ' Sensitive
|
|
modules = asm.GetLoadedModules() ' Sensitive
|
|
|
|
Dim types = asm.GetTypes() ' Sensitive
|
|
types = asm.GetExportedTypes() ' Sensitive
|
|
|
|
types = type.GetNestedTypes() ' Sensitive
|
|
Dim methods = type.GetMethods() ' Sensitive
|
|
Dim fields = type.GetFields() ' Sensitive
|
|
Dim properties = type.GetProperties() ' Sensitive
|
|
Dim members = type.GetMembers() ' Sensitive
|
|
members = type.GetMember(methodName) ' Sensitive
|
|
members = type.GetDefaultMembers() ' Sensitive
|
|
|
|
type.InvokeMember(...) ' Sensitive, when the method name is provided as a string
|
|
asm.CreateInstance(typeName) ' Sensitive
|
|
|
|
type = Type.ReflectionOnlyGetType(typeName, True, True) ' This is OK as the resulting type is not executable.
|
|
|
|
Activator.CreateComInstanceFrom(...) ' Sensitive, when the type name is provided as a string
|
|
Activator.CreateInstance(...) ' Sensitive, when the type name is provided as a string
|
|
Activator.CreateInstanceFrom(...) ' Sensitive, when the type name is provided as a string
|
|
Activator.CreateInstance(Of ...)() ' OK - can only be created from a referenced type
|
|
|
|
End Sub
|
|
End Class
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.
|
|
|
|
Example:
|
|
|
|
----
|
|
assembly.GetType("MyHardcodedType")
|
|
----
|
|
|
|
No issue will be created if one of the methods is called on an instance of _Type_ created using _GetType_ operator. There can be no injection in this specific scenario.
|
|
|
|
Example:
|
|
|
|
----
|
|
typeof(CustomType).GetMethods();
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|