Why this matters
Executing code that is built from untrusted data can lead to arbitrary code execution. Always validate input before it reaches any dynamic execution path.
Allowing untrusted data to be executed dynamically can lead to arbitrary code execution and security vulnerabilities. Always validate input before execution.
Allowing untrusted data to be executed dynamically can lead to arbitrary code execution and security vulnerabilities. Always validate input before execution.
Side-by-side examples that engineers can pattern-match against during review.
using System.CodeDom.Compiler;
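public class ExampleController : Controller
{
    /// <summary>
    /// Noncompliant example: compiles and runs C# source that is assembled at runtime
    /// from <paramref name="message"/>. Because the caller-supplied string is spliced
    /// directly into the source text, whoever controls <paramref name="message"/>
    /// controls the code that gets compiled and executed.
    /// </summary>
    /// <param name="message">Caller-supplied text; becomes part of the compiled source.</param>
    public void Run(string message)
    {
        // Not 'const': a const string cannot be initialized from a runtime value such as
        // 'message' (CS0133), so the original declaration did not compile.
        var code = @"
using System;
public class MyClass
{
public void MyMethod()
{
Console.WriteLine(""" + message + @""");
}
}
";
        var provider = CodeDomProvider.CreateProvider("CSharp");
        var compilerParameters = new CompilerParameters { ReferencedAssemblies = { "System.dll", "System.Runtime.dll" } };
        // Noncompliant: untrusted input is embedded in the source as code rather than passed as data.
        var compilerResults = provider.CompileAssemblyFromSource(compilerParameters, code); // Noncompliant
        object myInstance = compilerResults.CompiledAssembly.CreateInstance("MyClass");
        myInstance.GetType().GetMethod("MyMethod").Invoke(myInstance, new object[0]);
    }
}
using System.CodeDom.Compiler;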
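public class ExampleController : Controller
{
    /// <summary>
    /// Compliant example: the compiled source is a fixed constant, and
    /// <paramref name="message"/> reaches it only as a runtime argument to
    /// <c>MyMethod</c>, so the input is treated as data and never as code.
    /// </summary>
    /// <param name="message">Text handed to the generated method as an ordinary parameter.</param>
    /// <exception cref="System.InvalidOperationException">
    /// Thrown when the fixed source fails to compile, or when the generated type or method
    /// cannot be located in the compiled assembly.
    /// </exception>
    public void Run(string message)
    {
        // No caller-supplied text is part of the source, so it can stay a compile-time constant.
        const string code = @"
using System;
public class MyClass
{
public void MyMethod(string input)
{
Console.WriteLine(input);
}
}
";
        var provider = CodeDomProvider.CreateProvider("CSharp");
        var compilerParameters = new CompilerParameters { ReferencedAssemblies = { "System.dll", "System.Runtime.dll" } };
        var compilerResults = provider.CompileAssemblyFromSource(compilerParameters, code);

        // Surface compile failures explicitly instead of letting CompiledAssembly throw later.
        if (compilerResults.Errors.HasErrors)
        {
            throw new System.InvalidOperationException(
                "Dynamic source failed to compile (" + compilerResults.Errors.Count + " diagnostics).");
        }

        object myInstance = compilerResults.CompiledAssembly.CreateInstance("MyClass");
        if (myInstance == null)
        {
            throw new System.InvalidOperationException("Generated type 'MyClass' was not found.");
        }

        var method = myInstance.GetType().GetMethod("MyMethod");
        if (method == null)
        {
            throw new System.InvalidOperationException("Generated method 'MyMethod' was not found.");
        }

        method.Invoke(myInstance, new object[] { message }); // Pass message to dynamic method
    }
}
using System.CodeDom.Compiler;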
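public class ExampleController : Controller
{
    /// <summary>
    /// Noncompliant example: compiles and runs C# source that is assembled at runtime
    /// from <paramref name="message"/>. Because the caller-supplied string is spliced
    /// directly into the source text, whoever controls <paramref name="message"/>
    /// controls the code that gets compiled and executed.
    /// </summary>
    /// <param name="message">Caller-supplied text; becomes part of the compiled source.</param>
    public void Run(string message)
    {
        // Not 'const': a const string cannot be initialized from a runtime value such as
        // 'message' (CS0133), so the original declaration did not compile.
        var code = @"
using System;
public class MyClass
{
public void MyMethod()
{
Console.WriteLine(""" + message + @""");
}
}
";
        var provider = CodeDomProvider.CreateProvider("CSharp");
        var compilerParameters = new CompilerParameters { ReferencedAssemblies = { "System.dll", "System.Runtime.dll" } };
        // Noncompliant: untrusted input is embedded in the source as code rather than passed as data.
        var compilerResults = provider.CompileAssemblyFromSource(compilerParameters, code); // Noncompliant
        object myInstance = compilerResults.CompiledAssembly.CreateInstance("MyClass");
        myInstance.GetType().GetMethod("MyMethod").Invoke(myInstance, new object[0]);
    }
}
using System.CodeDom.Compiler;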
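public class ExampleController : Controller
{
    /// <summary>
    /// Compliant example: the compiled source is a fixed constant, and
    /// <paramref name="message"/> reaches it only as a runtime argument to
    /// <c>MyMethod</c>, so the input is treated as data and never as code.
    /// </summary>
    /// <param name="message">Text handed to the generated method as an ordinary parameter.</param>
    /// <exception cref="System.InvalidOperationException">
    /// Thrown when the fixed source fails to compile, or when the generated type or method
    /// cannot be located in the compiled assembly.
    /// </exception>
    public void Run(string message)
    {
        // No caller-supplied text is part of the source, so it can stay a compile-time constant.
        const string code = @"
using System;
public class MyClass
{
public void MyMethod(string input)
{
Console.WriteLine(input);
}
}
";
        var provider = CodeDomProvider.CreateProvider("CSharp");
        var compilerParameters = new CompilerParameters { ReferencedAssemblies = { "System.dll", "System.Runtime.dll" } };
        var compilerResults = provider.CompileAssemblyFromSource(compilerParameters, code);

        // Surface compile failures explicitly instead of letting CompiledAssembly throw later.
        if (compilerResults.Errors.HasErrors)
        {
            throw new System.InvalidOperationException(
                "Dynamic source failed to compile (" + compilerResults.Errors.Count + " diagnostics).");
        }

        object myInstance = compilerResults.CompiledAssembly.CreateInstance("MyClass");
        if (myInstance == null)
        {
            throw new System.InvalidOperationException("Generated type 'MyClass' was not found.");
        }

        var method = myInstance.GetType().GetMethod("MyMethod");
        if (method == null)
        {
            throw new System.InvalidOperationException("Generated method 'MyMethod' was not found.");
        }

        method.Invoke(myInstance, new object[] { message }); // Pass message to dynamic method
    }
}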