
Metadata

ID: csharp-security/no-unsafe-reflection

Language: C#

Severity: Error

Category: Security

CWE: 470

Description

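This rule flags reflection calls, such as `Activator.CreateInstance`, whose type name comes from externally controlled input (CWE-470, unsafe reflection). When the caller supplies the type name, the caller rather than the application decides which type is instantiated and which constructor runs. Check the name against a fixed allow list of expected types before passing it to the reflection API, as the compliant example below does.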

Non-Compliant Code Examples

public class ExampleController : Controller
{
    /// <summary>
    /// Instantiates the type named by <paramref name="EffectName"/> through reflection
    /// and runs its filter.
    /// </summary>
    /// <param name="EffectName">Type name passed to the action; used without any validation.</param>
    /// <returns><c>Ok()</c> when <c>ApplyFilter()</c> returns true, otherwise <c>Problem()</c>.</returns>
    public IActionResult Apply(string EffectName)
    {
        // Noncompliant: EffectName reaches the reflection API unchecked (CWE-470).
        // A null assembly name means the executing assembly is searched, so whoever
        // supplies EffectName decides which type is constructed.
        var effectHandle = Activator.CreateInstance(null, EffectName);

        // The IEffect cast runs only after the constructor has already executed,
        // so it is not a substitute for validating the name first.
        var effect = (IEffect)effectHandle.Unwrap();

        if (!effect.ApplyFilter())
        {
            return Problem();
        }

        return Ok();
    }
}

/// <summary>
/// Contract that the example controller casts the reflected instance to.
/// </summary>
public interface IEffect
{
    /// <summary>
    /// Called by the controller's <c>Apply</c> action on the reflected instance.
    /// </summary>
    /// <returns>The controller maps true to <c>Ok()</c> and false to <c>Problem()</c>.</returns>
    bool ApplyFilter();
}

Compliant Code Examples

public class ExampleController : Controller
{
    // Closed set of type names this action is willing to instantiate.
    // Entries are compared exactly (case-sensitive); each one should name a type
    // the application itself ships and that implements IEffect.
    private static readonly string[] EFFECT_ALLOW_LIST =
    {
        "SepiaEffect",
        "BlackAndWhiteEffect",
        "WaterColorEffect",
        "OilPaintingEffect"
    };

    /// <summary>
    /// Instantiates the effect named by <paramref name="EffectName"/> through reflection,
    /// but only after the name has been matched against the allow list.
    /// </summary>
    /// <param name="EffectName">Type name passed to the action; rejected unless allow-listed.</param>
    /// <returns>
    /// <c>BadRequest</c> for a name outside the allow list; otherwise <c>Ok()</c> when
    /// <c>ApplyFilter()</c> returns true and <c>Problem()</c> when it returns false.
    /// </returns>
    public IActionResult Apply(string EffectName)
    {
        // Compliant: validation happens before the value can reach reflection.
        // A null or unknown name fails the lookup and is rejected here.
        bool isAllowed = EFFECT_ALLOW_LIST.Contains(EffectName);
        if (!isAllowed)
        {
            return BadRequest("Invalid effect name. The effect is not allowed.");
        }

        // From here on EffectName is one of the fixed strings above. A null assembly
        // name means the executing assembly is searched for that type.
        var effectHandle = Activator.CreateInstance(null, EffectName);
        var effect = (IEffect)effectHandle.Unwrap();

        if (!effect.ApplyFilter())
        {
            return Problem();
        }

        return Ok();
    }
}

/// <summary>
/// Contract that the example controller casts the reflected instance to.
/// </summary>
public interface IEffect
{
    /// <summary>
    /// Called by the controller's <c>Apply</c> action on the reflected instance.
    /// </summary>
    /// <returns>The controller maps true to <c>Ok()</c> and false to <c>Problem()</c>.</returns>
    bool ApplyFilter();
}