rspec/rules/S4797/csharp/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940)
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00


include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
[source,csharp]
----
using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
using System.Security.AccessControl;
using System.IO.Compression;
using System.IO.IsolatedStorage;
using System.IO.MemoryMappedFiles;
// Use interop to call the CreateFile function.
// For more information about CreateFile,
// see the unmanaged MSDN reference library.
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess,
uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
uint dwFlagsAndAttributes, IntPtr hTemplateFile);
// Review any static method call of File and Directory
File.Exists("test.txt"); // Sensitive
Directory.Exists("test"); // Sensitive
// Review any instantiation of FileInfo and DirectoryInfo and check how they are used
new FileInfo("test.txt"); // Sensitive
new DirectoryInfo("test"); // Sensitive
// Review the creation of SafeFileHandle and how it is used.
SafeFileHandle handle = CreateFile(...); // Sensitive
new SafeFileHandle(IntPtr.Zero, false); // Sensitive
// Review the creation of FileStream and other Streams accepting a file path.
new FileStream("test.txt", FileMode.Create); // Sensitive
new StreamWriter("test.txt", ...); // Sensitive
new StreamReader("test.txt", ...); // Sensitive
// Review these two methods as they create files and directories.
Path.GetTempFileName(); // Sensitive
Path.GetTempPath(); // Sensitive
new FileSecurity("test.txt", AccessControlSections.All); // Sensitive
// Review all calls to static methods of ZipFile as they create files and/or directories
ZipFile.CreateFromDirectory("test.txt", "test.zip"); // Sensitive
// Review all calls to static methods of IsolatedStorageFile
IsolatedStorageFile.GetMachineStoreForApplication(); // Sensitive
// Review all instantiations of IsolatedStorageFileStream and how they are used
new IsolatedStorageFileStream("test.txt", ...); // Sensitive
// Review all Create* and Open* static methods of MemoryMappedFile and how the resulting file is used
MemoryMappedFile.CreateFromFile("test.txt"); // Sensitive
----
== Exceptions
The creation of ``++FileStream++`` from a ``++SafeFileHandle++`` won't raise an issue as the creation of ``++SafeFileHandle++`` already raised one.
Only the creation of ``++StreamWriter++`` or ``++StreamReader++`` from a string path will raise an issue for the same reason.
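The following is an added example, not part of the rule specification or of any SonarSource code. It shows the kind of check a reviewer would look for around the string-path APIs listed above: a small helper that canonicalises a caller-supplied file name against a fixed base directory and refuses anything that resolves outside it before the ``++FileStream++`` is opened. The class name ``++SafeFileAccess++``, the base directory under the temp folder and the file names are all constructed for this illustration.

```csharp
using System;
using System.IO;

// Added example: confine string-path file access to one base directory before
// calling the File/FileStream APIs that this rule flags. Names are constructed.
public static class SafeFileAccess
{
    // Resolve 'relativeName' against 'baseDirectory' and reject anything that
    // escapes it (a "..\\..\\secrets.txt" segment or an absolute path).
    public static string ResolveInside(string baseDirectory, string relativeName)
    {
        if (string.IsNullOrWhiteSpace(relativeName))
            throw new ArgumentException("Empty file name", nameof(relativeName));

        // Canonicalise the root so "..", "." and mixed separators are folded,
        // and make sure it ends with a separator so "base2" cannot pass as "base".
        string root = Path.GetFullPath(baseDirectory);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;

        // Path.Combine returns the second argument unchanged when it is absolute,
        // so an absolute input also ends up outside 'root' and is rejected below.
        string candidate = Path.GetFullPath(Path.Combine(root, relativeName));

        // Ordinal is safe here because 'candidate' was built from 'root' itself,
        // so the prefix casing is identical whenever the path stayed inside.
        if (!candidate.StartsWith(root, StringComparison.Ordinal))
            throw new UnauthorizedAccessException($"Path escapes base directory: {relativeName}");

        return candidate;
    }

    public static string ReadText(string baseDirectory, string relativeName)
    {
        string path = ResolveInside(baseDirectory, relativeName);
        // The string-path FileStream overload is the one the rule reports; it is
        // acceptable here because 'path' has been confined to the base directory.
        using var stream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read);
        using var reader = new StreamReader(stream);
        return reader.ReadToEnd();
    }

    public static void Main()
    {
        // Constructed sandbox directory and sample file for the demo.
        string baseDir = Path.Combine(Path.GetTempPath(), "s4797-demo");
        Directory.CreateDirectory(baseDir);
        File.WriteAllText(Path.Combine(baseDir, "report.txt"), "ok");

        Console.WriteLine(ReadText(baseDir, "report.txt"));

        try
        {
            ReadText(baseDir, Path.Combine("..", "outside.txt"));
        }
        catch (UnauthorizedAccessException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```

Note that the check works on the canonical path returned by ``++Path.GetFullPath++``, not on the raw input, so encoded or mixed-separator forms of ``++..++`` are folded before the comparison. Opening the ``++FileStream++`` from a ``++SafeFileHandle++`` instead of a string would fall under the exception above, but the handle itself would then be the place to apply the same containment check.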
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 9 Oct 2018, 19:21:24 Nicolas Harraudeau wrote:
*Out of scope for now*:
* Azure storage: \https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-dotnet?tabs=macos
* Windows storage:
** \https://docs.microsoft.com/en-gb/previous-versions/windows/apps/hh464917(v=win.10)
** \https://docs.microsoft.com/en-us/windows/desktop/data-access-and-storage
*Implementation details*:
This rule does not highlight methods or classes which take a File object as argument. Only those which take a String path should be highlighted.
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]