// NOTE(review): this excerpt starts inside a property setter; the enclosing property and class
// headers are not visible here. The inline block-comment pairs that name a rule and a member look
// like expected-diagnostic markers for the analyzer under test, so they are kept verbatim.
        /* DangerousMethodsShouldBeAvoided(System.Reflection.PropertyInfo.SetValue) */ set /**/ {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", value, null);
        }
    }

    // No audit attribute here. The reflective SetValue call sits inside a lambda, and the marker is
    // on the enclosing method's name, so the usage is attributed to the containing method.
    public void /* DangerousMethodsShouldBeAvoided(System.Reflection.PropertyInfo.SetValue) */ DelegateInsideMethod(/**/) {
        Action hacker = () => {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
        };
    }
}

// Every member below carries DangerousMethodUsage.Audited naming the declaring type and method that
// it calls. None of them has an expected-diagnostic marker, so a matching Audited attribute appears
// to suppress the report for constructors, methods, property accessors and lambdas alike.
internal sealed class AuditedUsages {
    [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue")]
    public AuditedUsages() {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue")]
    public void Method() {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    // Same attribute shape applied to a different type/method pair (Task.Run).
    [DangerousMethodUsage.Audited(typeof(Task), "Run")]
    public void AsyncMethod() {
        Task.Run <int>(() => Task.FromResult(7));
    }

    // For properties the attribute is placed on the accessor, not on the property declaration.
    public int PropertyGetter {
        [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue")]
        get {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
            return(1);
        }
    }

    public int PropertySetter {
        [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue")]
        set {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", value, null);
        }
    }

    // The attribute on the enclosing method covers the call made inside the lambda.
    [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue")]
    public void DelegateInsideMethod() {
        Action hacker = () => {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
        };
    }
}

// Mirror of AuditedUsages using DangerousMethodUsage.Unaudited. No markers appear here either, so
// Unaudited appears to suppress the report as well; presumably it records a usage that is known but
// not yet reviewed (confirm against the attribute's definition, which is not on this page).
internal sealed class UnauditedUsages {
    [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
    public UnauditedUsages() {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
    public void Method() {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    [DangerousMethodUsage.Unaudited(typeof(Task), "Run")]
    public void AsyncMethod() {
        Task.Run <int>(() => Task.FromResult(7));
    }

    public int PropertyGetter {
        [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
        get {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
            return(1);
        }
    }

    public int PropertySetter {
        [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
        set {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", value, null);
        }
    }

    [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
    public void DelegateInsideMethod() {
        Action hacker = () => {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
        };
    }
}

// Negative cases for suppression: an Audited attribute is present, but it does not name the API
// that is actually called, and the expected-diagnostic marker is still there. The suppression is
// therefore keyed on the exact declaring type, so a mistyped or copy-pasted annotation cannot hide
// an unreviewed call.
internal sealed class MismatchedAuditedUsages {
    // Declaring type is null: the attribute must not match PropertyInfo.SetValue.
    [DangerousMethodUsage.Audited(null, "SetValue")]
    public void /* DangerousMethodsShouldBeAvoided(System.Reflection.PropertyInfo.SetValue) */ NullDeclaringType(/**/) {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    // Same method name on another type (FieldInfo.SetValue): the name alone is not enough to match.
    // NOTE(review): the excerpt ends before this method's body.
    [DangerousMethodUsage.Audited(typeof(FieldInfo), "SetValue")]
    public void /* DangerousMethodsShouldBeAvoided(System.Reflection.PropertyInfo.SetValue) */ DifferentDeclaringType(/**/)
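// NOTE(review): this excerpt starts inside a class whose header is not visible here. The inline
// block-comment pairs that name a rule and a member look like expected-diagnostic markers for the
// analyzer under test, so they are kept verbatim.
    // No audit attribute: reading HttpContext.Handler is expected to be reported.
    public IHttpHandler /* DangerousPropertiesShouldBeAvoided(System.Web.HttpContext.Handler) */ UnmarkedInstanceGetUsage(/**/) {
        HttpContext context = new HttpContext();
        return(context.Handler);
    }

    // No audit attribute: assigning HttpContext.Handler is expected to be reported as well, so the
    // rule covers both the getter and the setter of a flagged property.
    public void /* DangerousPropertiesShouldBeAvoided(System.Web.HttpContext.Handler) */ UnmarkedInstanceSetUsage(/**/) {
        HttpContext context = new HttpContext();
        context.Handler = null;
    }
}

// Every member below carries DangerousPropertyUsage.Audited naming the declaring type and property
// it touches. None has an expected-diagnostic marker, so a matching attribute appears to suppress
// the report for static and instance properties, on both read and write.
internal sealed class AuditedUsages {
    [DangerousPropertyUsage.Audited(typeof(ServicePointManager), "DefaultConnectionLimit")]
    public int AuditedStaticGetUsage() {
        return(ServicePointManager.DefaultConnectionLimit);
    }

    [DangerousPropertyUsage.Audited(typeof(ServicePointManager), "DefaultConnectionLimit")]
    public void AuditedStaticSetUsage() {
        ServicePointManager.DefaultConnectionLimit = 99;
    }

    [DangerousPropertyUsage.Audited(typeof(HttpContext), "Handler")]
    public IHttpHandler AuditedInstanceGetUsage() {
        HttpContext context = new HttpContext();
        return(context.Handler);
    }

    // Renamed from a second AuditedStaticSetUsage(): two parameterless methods with the same name
    // cannot coexist in one class, and this case writes an instance property, not a static one.
    [DangerousPropertyUsage.Audited(typeof(HttpContext), "Handler")]
    public void AuditedInstanceSetUsage() {
        HttpContext context = new HttpContext();
        context.Handler = null;
    }
}

// Mirror of AuditedUsages using DangerousPropertyUsage.Unaudited. No markers appear here either, so
// Unaudited appears to suppress the report as well; presumably it records a usage that is known but
// not yet reviewed (confirm against the attribute's definition, which is not on this page).
internal sealed class UnauditedUsages {
    [DangerousPropertyUsage.Unaudited(typeof(ServicePointManager), "DefaultConnectionLimit")]
    public int UnauditedStaticGetUsage() {
        return(ServicePointManager.DefaultConnectionLimit);
    }

    [DangerousPropertyUsage.Unaudited(typeof(ServicePointManager), "DefaultConnectionLimit")]
    public void UnauditedStaticSetUsage() {
        ServicePointManager.DefaultConnectionLimit = 88;
    }

    [DangerousPropertyUsage.Unaudited(typeof(HttpContext), "Handler")]
    public IHttpHandler UnauditedInstanceGetUsage() {
        HttpContext context = new HttpContext();
        return(context.Handler);
    }

    // Renamed from a second UnauditedStaticSetUsage() for the same reason as in AuditedUsages:
    // the duplicate name does not compile and the case exercises an instance property.
    [DangerousPropertyUsage.Unaudited(typeof(HttpContext), "Handler")]
    public void UnauditedInstanceSetUsage() {
        HttpContext context = new HttpContext();
        context.Handler = null;
    }
}

// Negative cases for suppression: an Audited attribute is present, but it does not name the
// property that is actually used, and the expected-diagnostic marker is still there. The
// suppression is therefore keyed on the exact declaring type, so a mistyped or copy-pasted
// annotation cannot hide an unreviewed property access.
internal sealed class MismatchedAuditedUsages {
    // Declaring type is null: the attribute must not match ServicePointManager.DefaultConnectionLimit.
    [DangerousPropertyUsage.Audited(null, "DefaultConnectionLimit")]
    public int /* DangerousPropertiesShouldBeAvoided(System.Net.ServicePointManager.DefaultConnectionLimit) */ NullDeclaringType(/**/) {
        return(ServicePointManager.DefaultConnectionLimit);
    }

    // Right property name on the wrong type (string): the name alone is not enough to match.
    // NOTE(review): the excerpt ends before this method's body.
    [DangerousPropertyUsage.Audited(typeof(string), "DefaultConnectionLimit")]
    public int /* DangerousPropertiesShouldBeAvoided(System.Net.ServicePointManager.DefaultConnectionLimit) */ DifferentDeclaringType(/**/)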
// NOTE(review): this excerpt starts inside a class whose header is not visible here. The inline
// block-comment pairs that name a rule and a member look like expected-diagnostic markers for the
// analyzer under test, so they are kept verbatim.
    // Both Thread.Sleep overloads used here (int and TimeSpan) are expected to be reported.
    public void /* DangerousMethodsShouldBeAvoided(System.Threading.Thread.Sleep) */ MethodWithThreadSleepInt(/**/) {
        System.Threading.Thread.Sleep(1);
    }

    public void /* DangerousMethodsShouldBeAvoided(System.Threading.Thread.Sleep) */ MethodWithThreadSleepTimeSpan(/**/) {
        System.Threading.Thread.Sleep(TimeSpan.FromMilliseconds(1));
    }
}

// Every member below carries DangerousMethodUsage.Audited with five arguments: the declaring type,
// the method name, and three strings that read as reviewer, date and rationale ("John Doe",
// "1970-01-01" and "Rationale" are sample values). None has an expected-diagnostic marker, so a
// matching attribute appears to suppress the report.
// NOTE(review): nothing on this page shows whether the analyzer validates the three audit strings.
internal sealed class AuditedUsages {
    [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue", "John Doe", "1970-01-01", "Rationale")]
    public AuditedUsages() {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue", "John Doe", "1970-01-01", "Rationale")]
    public void Method() {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    [DangerousMethodUsage.Audited(typeof(Task), "Run", "John Doe", "1970-01-01", "Rationale")]
    public void AsyncMethod() {
        Task.Run <int>(() => Task.FromResult(7));
    }

    // For properties the attribute is placed on the accessor, not on the property declaration.
    public int PropertyGetter {
        [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue", "John Doe", "1970-01-01", "Rationale")]
        get {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
            return(1);
        }
    }

    public int PropertySetter {
        [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue", "John Doe", "1970-01-01", "Rationale")]
        set {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", value, null);
        }
    }

    // The attribute on the enclosing method covers the call made inside the lambda.
    [DangerousMethodUsage.Audited(typeof(PropertyInfo), "SetValue", "John Doe", "1970-01-01", "Rationale")]
    public void DelegateInsideMethod() {
        Action hacker = () => {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
        };
    }

    // Static-method case: HostingEnvironment.MapPath.
    [DangerousMethodUsage.Audited(typeof(HostingEnvironment), "MapPath", "John Doe", "1970-01-01", "Rationale")]
    public void MethodWithMapPath() {
        HostingEnvironment.MapPath("/d2l");
    }

    // Instance-method case: HttpServerUtility.Transfer.
    [DangerousMethodUsage.Audited(typeof(HttpServerUtility), "Transfer", "John Doe", "1970-01-01", "Rationale")]
    public void MethodWithTransfer() {
        HttpServerUtility obj = new HttpServerUtility();
        obj.Transfer("/new/path");
    }
}

// Mirror of AuditedUsages using DangerousMethodUsage.Unaudited, which takes only the declaring type
// and method name here. No markers appear, so Unaudited appears to suppress the report as well;
// presumably it records a usage that is known but not yet reviewed (confirm against the
// attribute's definition, which is not on this page).
internal sealed class UnauditedUsages {
    [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
    public UnauditedUsages() {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
    public void Method() {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    [DangerousMethodUsage.Unaudited(typeof(Task), "Run")]
    public void AsyncMethod() {
        Task.Run <int>(() => Task.FromResult(7));
    }

    public int PropertyGetter {
        [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
        get {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
            return(1);
        }
    }

    public int PropertySetter {
        [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
        set {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", value, null);
        }
    }

    [DangerousMethodUsage.Unaudited(typeof(PropertyInfo), "SetValue")]
    public void DelegateInsideMethod() {
        Action hacker = () => {
            PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
            p.SetValue("str", 7, null);
        };
    }

    [DangerousMethodUsage.Unaudited(typeof(HostingEnvironment), "MapPath")]
    public void MethodWithMapPath() {
        HostingEnvironment.MapPath("/d2l");
    }

    [DangerousMethodUsage.Unaudited(typeof(HttpServerUtility), "Transfer")]
    public void MethodWithTransfer() {
        HttpServerUtility obj = new HttpServerUtility();
        obj.Transfer("/new/path");
    }
}

// Negative cases for suppression: an Audited attribute is present, but it does not name the API
// that is actually called, and the expected-diagnostic marker is still there. The suppression is
// therefore keyed on the exact declaring type, so a mistyped or copy-pasted annotation cannot hide
// an unreviewed call.
internal sealed class MismatchedAuditedUsages {
    // Declaring type is null: the attribute must not match PropertyInfo.SetValue.
    [DangerousMethodUsage.Audited(null, "SetValue")]
    public void /* DangerousMethodsShouldBeAvoided(System.Reflection.PropertyInfo.SetValue) */ NullDeclaringType(/**/) {
        PropertyInfo p = typeof(string).GetProperty(nameof(string.Length));
        p.SetValue("str", 7, null);
    }

    // Same method name on another type (FieldInfo.SetValue): the name alone is not enough to match.
    // NOTE(review): the excerpt ends before this method's body.
    [DangerousMethodUsage.Audited(typeof(FieldInfo), "SetValue")]
    public void /* DangerousMethodsShouldBeAvoided(System.Reflection.PropertyInfo.SetValue) */ DifferentDeclaringType(/**/)