
Metadata

ID: csharp-security/no-unsafe-reflection

Language: C#

Severity: Error

Category: Security

CWE: 470

Description

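This rule reports reflection calls such as `Activator.CreateInstance` whose type name comes from request input without validation. When the caller chooses which class is instantiated (CWE-470, use of externally controlled input to select classes or code), any type that resolves under that name is constructed, and its constructor runs before the application can check what it received. Validate the requested name against a fixed allow list before it reaches the reflection API, as the compliant example below does.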

Non-Compliant Code Examples

/// <summary>
/// Non-compliant example: the effect name passed to the action selects the class to instantiate.
/// </summary>
public class ExampleController : Controller
{
    /// <summary>
    /// Instantiates the type named by <paramref name="EffectName"/> and runs its filter.
    /// </summary>
    /// <param name="EffectName">Type name received as an action parameter; nothing in this method validates it.</param>
    /// <returns><c>Ok()</c> when <c>ApplyFilter()</c> returns true, otherwise <c>Problem()</c>.</returns>
    public IActionResult Apply(string EffectName)
    {
        // EffectName reaches the reflection call unchecked, so the caller rather than the
        // application decides which type is constructed (CWE-470). The null assembly name
        // makes the lookup search the executing assembly.
        var EffectInstance = Activator.CreateInstance(null, EffectName); // Noncompliant
        object EffectPlugin = EffectInstance.Unwrap();

        // The IEffect cast is not a mitigation: the parameterless constructor of the named
        // type has already run by the time the cast is evaluated.
        if (((IEffect)EffectPlugin).ApplyFilter())
        {
            return Ok();
        }
        else
        {
            return Problem();
        }
    }
}

/// <summary>
/// Contract the controller casts the reflected instance to before invoking it.
/// </summary>
public interface IEffect
{
    /// <summary>
    /// Runs the effect.
    /// </summary>
    /// <returns>
    /// The controller answers <c>Ok()</c> when this is true and <c>Problem()</c> otherwise;
    /// presumably true means the filter was applied (confirm against implementations).
    /// </returns>
    bool ApplyFilter();
}

Compliant Code Examples

/// <summary>
/// Compliant example: the requested effect name is checked against a fixed allow list
/// before it is handed to reflection.
/// </summary>
public class ExampleController : Controller
{
    // Closed set of type names the action may instantiate. Every entry should name a
    // type the application owns and whose parameterless constructor is safe to run.
    private static readonly string[] EFFECT_ALLOW_LIST =
    {
        "SepiaEffect",
        "BlackAndWhiteEffect",
        "WaterColorEffect",
        "OilPaintingEffect"
    };

    /// <summary>
    /// Instantiates the allow-listed effect named by <paramref name="EffectName"/> and runs its filter.
    /// </summary>
    /// <param name="EffectName">Requested effect type name; must match an allow-list entry exactly.</param>
    /// <returns>
    /// <c>BadRequest</c> when the name is not allow-listed; otherwise <c>Ok()</c> when
    /// <c>ApplyFilter()</c> returns true and <c>Problem()</c> when it returns false.
    /// </returns>
    public IActionResult Apply(string EffectName)
    {
        // The membership test must run before any reflection call. The match is exact and
        // case-sensitive, so a null, re-cased or padded name is rejected here.
        bool isAllowed = EFFECT_ALLOW_LIST.Contains(EffectName);
        if (!isAllowed)
        {
            return BadRequest("Invalid effect name. The effect is not allowed.");
        }

        // A null assembly name makes the lookup search the executing assembly.
        var handle = Activator.CreateInstance(null, EffectName);
        var effect = (IEffect)handle.Unwrap();

        if (!effect.ApplyFilter())
        {
            return Problem();
        }

        return Ok();
    }
}

/// <summary>
/// Contract the controller casts the reflected instance to before invoking it.
/// </summary>
public interface IEffect
{
    /// <summary>
    /// Runs the effect.
    /// </summary>
    /// <returns>
    /// The controller answers <c>Ok()</c> when this is true and <c>Problem()</c> otherwise;
    /// presumably true means the filter was applied (confirm against implementations).
    /// </returns>
    bool ApplyFilter();
}