include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
Imports System
Imports System.Reflection
Class TestReflection

    ' Every parameter is a plain string that the body feeds into a name-based
    ' reflection lookup or load; the "Sensitive" marks flag the calls whose
    ' result depends on such a caller-supplied name.
    Public Shared Sub Run(typeName As String, methodName As String, fieldName As String, propertyName As String, moduleName As String)

        ' Unlike the ReflectionOnly* variants below, these loads yield code that can be executed.
        Assembly.Load(...) ' Sensitive
        Assembly.LoadFile(...) ' Sensitive
        Assembly.LoadFrom(...) ' Sensitive
        Assembly.LoadWithPartialName(...) ' Sensitive + deprecated

        Assembly.ReflectionOnlyLoad(...) ' This is OK as the resulting type is not executable.
        Assembly.ReflectionOnlyLoadFrom(...) ' This is OK as the resulting type is not executable.
        ' The assembly is obtained from a compile-time type rather than from a name;
        ' the name-based lookups that follow are the sensitive part.
        Dim asm = GetType(TestReflection).Assembly

        ' Review this code to make sure that the module, type, method, field and property are safe
        Dim type As Type = asm.GetType(typeName) ' Sensitive
        Dim [module] As [Module] = asm.GetModule(moduleName) ' Sensitive

        type = System.Type.GetType(typeName) ' Sensitive
        type = type.GetNestedType(typeName) ' Sensitive
        type = type.GetInterface(typeName) ' Sensitive
        Dim method As MethodInfo = type.GetMethod(methodName) ' Sensitive
        Dim field As FieldInfo = type.GetField(fieldName) ' Sensitive
        Dim prop as PropertyInfo = type.GetProperty(propertyName) ' Sensitive


        ' Review this code to make sure that the modules, types, methods and fields are used safely
        ' These enumerations take no name; the concern is how the returned members are used afterwards.
        Dim modules = asm.GetModules() ' Sensitive
        modules = asm.GetLoadedModules() ' Sensitive

        Dim types = asm.GetTypes() ' Sensitive
        types = asm.GetExportedTypes() ' Sensitive

        types = type.GetNestedTypes() ' Sensitive
        Dim methods = type.GetMethods() ' Sensitive
        Dim fields = type.GetFields() ' Sensitive
        Dim properties = type.GetProperties() ' Sensitive
        Dim members = type.GetMembers() ' Sensitive
        members = type.GetMember(methodName) ' Sensitive
        members = type.GetDefaultMembers() ' Sensitive

        type.InvokeMember(...) ' Sensitive, when the method name is provided as a string
        asm.CreateInstance(typeName) ' Sensitive

        type = Type.ReflectionOnlyGetType(typeName, True, True) ' This is OK as the resulting type is not executable.

        Activator.CreateComInstanceFrom(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstance(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstanceFrom(...) ' Sensitive, when the type name is provided as a string
        Activator.CreateInstance(Of ...)() ' OK - can only be created from a referenced type

    End Sub
End Class
----
== Exceptions
No issue will be created if one of the methods above is called with a hard-coded type/method/field/property/interface/module name. There can be no injection in this specific scenario.
Example:
----
assembly.GetType("MyHardcodedType")
----
No issue will be created if one of the methods is called on an instance of _Type_ obtained with the _GetType_ operator applied to a compile-time type. There can be no injection in this specific scenario.
Example:
----
GetType(CustomType).GetMethods()
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]