Avoid external input controlling reflection

Metadata

ID: csharp-security/no-unsafe-reflection

Language: C#

Severity: Error

Category: Security

CWE: 470

Description

No description found

Non-Compliant Code Examples

public class ExampleController : Controller
{
    public IActionResult Apply(string EffectName)
    {
        var EffectInstance = Activator.CreateInstance(null, EffectName); // Noncompliant
        object EffectPlugin = EffectInstance.Unwrap();

        if (((IEffect)EffectPlugin).ApplyFilter())
        {
            return Ok();
        }
        else
        {
            return Problem();
        }
    }
}

public interface IEffect
{
    bool ApplyFilter();
}

Compliant Code Examples

public class ExampleController : Controller
{
    private static readonly string[] EFFECT_ALLOW_LIST = {
        "SepiaEffect",
        "BlackAndWhiteEffect",
        "WaterColorEffect",
        "OilPaintingEffect"
    };

    public IActionResult Apply(string EffectName)
    {
        if (!EFFECT_ALLOW_LIST.Contains(EffectName))
        {
            return BadRequest("Invalid effect name. The effect is not allowed.");
        }

        var EffectInstance = Activator.CreateInstance(null, EffectName);
        object EffectPlugin = EffectInstance.Unwrap();

        if (((IEffect)EffectPlugin).ApplyFilter())
        {
            return Ok();
        }
        else
        {
            return Problem();
        }
    }
}

public interface IEffect
{
    bool ApplyFilter();
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security
PREVIEWING: aleksandr.pasechnik/svls-6807-lambda-fips