86 lines
2.8 KiB
Plaintext
86 lines
2.8 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
Imports System.IO
|
|
Imports Microsoft.Win32.SafeHandles
|
|
Imports System.Security.AccessControl
|
|
Imports System.IO.Compression
|
|
Imports System.IO.IsolatedStorage
|
|
Imports System.IO.MemoryMappedFiles
|
|
|
|
' Use interop to call the CreateFile function.
|
|
' For more information about CreateFile,
|
|
' see the unmanaged MSDN reference library.
|
|
<DllImport("kernel32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)>
|
|
Private Shared Function CreateFile(ByVal lpFileName As String, ByVal dwDesiredAccess As UInteger,
|
|
ByVal dwShareMode As UInteger, ByVal lpSecurityAttributes As IntPtr, ByVal dwCreationDisposition As UInteger,
|
|
ByVal dwFlagsAndAttributes As UInteger, ByVal hTemplateFile As IntPtr) As SafeFileHandle
|
|
End Function
|
|
|
|
|
|
' Review any static method call of File and Directory
|
|
File.Exists("test.txt") ' Sensitive
|
|
Directory.Exists("test") ' Sensitive
|
|
|
|
' Review any instantiation of FileInfo and DirectoryInfo and check how they are used
|
|
new FileInfo("test.txt") ' Sensitive
|
|
new DirectoryInfo("test") ' Sensitive
|
|
|
|
' Review the creation of SafeFileHandle and how it is used.
|
|
SafeFileHandle handle = CreateFile(...) ' Sensitive, using the imported function
|
|
new SafeFileHandle(IntPtr.Zero, false) ' Sensitive
|
|
|
|
' Sensitive: review the creation of FileStream and other Streams accepting a file path.
|
|
new FileStream("test.txt", FileMode.Create)
|
|
|
|
new StreamWriter("test.txt", ...) ' Sensitive
|
|
new StreamReader("test.txt", ...) ' Sensitive
|
|
|
|
' Review those two methods as they create file and directories.
|
|
Path.GetTempFileName() ' Sensitive
|
|
Path.GetTempPath() ' Sensitive
|
|
|
|
new FileSecurity("test.txt", AccessControlSections.All) ' Sensitive
|
|
|
|
' Review all calls to static methods of ZipFile as they create file and/or directories
|
|
ZipFile.CreateFromDirectory("test.txt", "test.zip") ' Sensitive
|
|
|
|
' Review all calls to static methods of IsolatedStorageFile
|
|
IsolatedStorageFile.GetMachineStoreForApplication() ' Sensitive
|
|
|
|
' Review all instantiation of IsolatedStorageFileStream and how they are used
|
|
new IsolatedStorageFileStream("test.txt", ...) ' Sensitive
|
|
|
|
' Review all Create* and Open* static methods of MemoryMappedFile and how the resulting file is used
|
|
MemoryMappedFile.CreateFromFile("test.txt") ' Sensitive
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
The creation of ``++FileStream++`` from a ``++SafeFileHandle++`` won't raise an issue as the creation of ``++SafeFileHandle++`` already raised one.
|
|
|
|
Only the creation of ``++StreamWriter++`` or ``++StreamReader++`` from a string path will raise an issue for the same reason.
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|