59 lines
2.9 KiB
Plaintext
59 lines
2.9 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Accessing a {null-keyword-link}[{null-keyword}] value will always throw a https://learn.microsoft.com/en-us/dotnet/api/system.nullreferenceexception[NullReferenceException] most likely causing an abrupt program termination.
|
|
|
|
Such termination might expose sensitive information that a malicious third party could exploit to, for instance, bypass security measures.
|
|
|
|
=== Exceptions
|
|
|
|
In the following cases, the rule does not raise:
|
|
|
|
==== Extensions Methods
|
|
|
|
Calls to extension methods can still operate on `{null-keyword}` values.
|
|
|
|
include::{language}/exception-code-extension-method.adoc[]
|
|
|
|
==== Unreachable code
|
|
|
|
Unreachable code is not executed, thus `{null-keyword}` values will never be accessed.
|
|
|
|
include::{language}/exception-code-unreachable.adoc[]
|
|
|
|
==== Validated value by analysis attributes
|
|
|
|
https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/attributes/nullable-analysis[Nullable analysis attributes] enable the developer to annotate methods with information about the null-state of its arguments. Thus, potential `{null-keyword}` values validated by one of the following attributes will not raise:
|
|
|
|
* https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullattribute[NotNullAttribute]
|
|
* https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullwhenattribute[NotNullWhenAttribute]
|
|
* https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.doesnotreturnattribute[DoesNotReturnAttribute]
|
|
* https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.doesnotreturnifattribute[DoesNotReturnIfAttribute]
|
|
|
|
It is important to note those attributes are only available starting .NET Core 3. As a workaround, it is possible to define those attributes manually in a custom class:
|
|
|
|
include::{language}/exception-code-analysis-attr.adoc[]
|
|
|
|
==== Validated value by Debug.Assert
|
|
|
|
A value validated with https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.debug.assert[Debug.Assert] to not be `{null-keyword}` is safe to access.
|
|
|
|
include::{language}/exception-code-debug-assert.adoc[]
|
|
|
|
==== Validated value by IDE-specific attributes
|
|
|
|
Like with null-analysis-attribute, potential `{null-keyword}` values validated by one of the following IDE-specific attributes will not raise
|
|
|
|
===== Visual Studio
|
|
|
|
* https://learn.microsoft.com/en-us/dotnet/api/microsoft.validatednotnullattribute[ValidatedNotNullAttribute]
|
|
+
|
|
(The attribute is interpreted the same as the https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.codeanalysis.notnullattribute[NotNullAttribute])
|
|
|
|
===== JetBrains Rider
|
|
|
|
* https://www.jetbrains.com/help/resharper/Reference__Code_Annotation_Attributes.html#NotNullAttribute[NotNullAttribute]
|
|
* https://www.jetbrains.com/help/resharper/Reference__Code_Annotation_Attributes.html#TerminatesProgramAttribute[TerminatesProgramAttribute]
|
|
+
|
|
|
|
include::{language}/exception-code-rider-attr.adoc[]
|