ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S1523/csharp/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

114 lines
4.1 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
using System;
using System.Reflection;
class TestReflection
{
public static void Run(string typeName, string methodName, string fieldName, string propertyName, string moduleName)
{
Assembly.Load(...); // Sensitive
Assembly.LoadFile(...); // Sensitive
Assembly.LoadFrom(...); // Sensitive
Assembly.LoadWithPartialName(...); // Sensitive + deprecated
Assembly.ReflectionOnlyLoad(...); // This is OK as the resulting type is not executable.
Assembly.ReflectionOnlyLoadFrom(...); // This is OK as the resulting type is not executable.
Assembly assembly = typeof(TestReflection).Assembly;
// Review this code to make sure that the module, type, method and field are safe
Type type = assembly.GetType(typeName); // Sensitive
Module module = assembly.GetModule(moduleName); // Sensitive
type = System.Type.GetType(typeName); // Sensitive
type = type.GetNestedType(typeName); // Sensitive
type = type.GetInterface(typeName); // Sensitive
MethodInfo method = type.GetMethod(methodName); // Sensitive
FieldInfo field = type.GetField(fieldName); // Sensitive
PropertyInfo property = type.GetProperty(propertyName); // Sensitive
// Review this code to make sure that the modules, types, methods and fields are used safely
Module[] modules = assembly.GetModules(); // Sensitive
modules = assembly.GetLoadedModules(); // Sensitive
Type[] types = assembly.GetTypes(); // Sensitive
types = assembly.GetExportedTypes(); // Sensitive
types = type.GetNestedTypes(); // Sensitive
MethodInfo[] methods = type.GetMethods(); // Sensitive
FieldInfo[] fields = type.GetFields(); // Sensitive
PropertyInfo[] properties = type.GetProperties(); // Sensitive
MemberInfo[] members = type.GetMembers(); // Sensitive
members = type.GetMember(methodName); // Sensitive
members = type.GetDefaultMembers(); // Sensitive
type.InvokeMember(...); // Sensitive, when the method name is provided as a string
assembly.CreateInstance(typeName); // Sensitive
type = Type.ReflectionOnlyGetType(typeName,true, true); // This is OK as the resulting type is not executable.
Activator.CreateComInstanceFrom(...); // Sensitive, when the type name is provided as a string
Activator.CreateInstance(...); // Sensitive, when the type name is provided as a string
Activator.CreateInstanceFrom(...); // Sensitive, when the type name is provided as a string
Activator.CreateInstance<>(); // OK - can only be created from a referenced type
}
}
----
== Exceptions
No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.
Example:
----
assembly.GetType("MyHardcodedType")
----
No issue will be created if one of the methods is called on an instance of _Type_ created using _typeof_. There can be no injection in this specific scenario.
Example:
----
typeof(CustomType).GetMethods();
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 16 Oct 2018, 15:50:14 Nicolas Harraudeau wrote:
*Implementation details*:
The goal here is to highlight all methods which either retrieve all Types/Methods/Fields/Modules, or retrieve a specific one by name. The reason for highlighting functions listing all Types/Methods/... is that there is often later a loop filtering the list by name.
=== on 10 Nov 2018, 20:52:04 Duncan Pocklington wrote:
*Implementation details:*
_Activator.CreateInstanceFrom(....)_ will not be reported on if using an overload that accepts a _Type_, since a separate issue will have been created if the creation of the _Type_ is unsafe.
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink