Why this matters
Reflection methods that process untrusted input can be exploited for remote code execution. Always validate and sanitize external input before using reflection.
Reflection methods that process untrusted input can be exploited for remote code execution. Always validate and sanitize external input before using reflection.
Reflection methods that process untrusted input can be exploited for remote code execution. Always validate and sanitize external input before using reflection.
Side-by-side examples engineers can pattern-match during review.
public class ExampleController : Controller
{
    /// <summary>
    /// Instantiates an effect plug-in from a type name taken straight from the request
    /// and runs its filter. The name is handed to
    /// <see cref="Activator.CreateInstance(string, string)"/> with no validation at all,
    /// which is the defect this example illustrates: the caller chooses which type gets
    /// constructed.
    /// </summary>
    /// <param name="EffectName">Type name supplied by the caller; untrusted.</param>
    /// <returns><c>Ok()</c> when the filter reports success, otherwise <c>Problem()</c>.</returns>
    public IActionResult Apply(string EffectName)
    {
        // Noncompliant: request-controlled type name selects the type to instantiate.
        // null assemblyName => the executing assembly is searched for EffectName.
        var handle = Activator.CreateInstance(null, EffectName);
        var plugin = (IEffect)handle.Unwrap();

        if (plugin.ApplyFilter())
        {
            return Ok();
        }

        return Problem();
    }
}
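public interface IEffect
{
    /// <summary>Applies the effect; returns <c>true</c> when the filter succeeded.</summary>
    bool ApplyFilter();
}

public class ExampleController : Controller
{
    // Exact (ordinal, case-sensitive) type names that may be instantiated via reflection.
    // A HashSet with an explicit comparer makes the matching rule visible; any name not in
    // this set is rejected before it can reach Activator.CreateInstance.
    private static readonly HashSet<string> s_effectAllowList = new HashSet<string>(StringComparer.Ordinal)
    {
        "SepiaEffect",
        "BlackAndWhiteEffect",
        "WaterColorEffect",
        "OilPaintingEffect",
    };

    /// <summary>
    /// Instantiates one of the allow-listed effect plug-ins by name and runs its filter.
    /// Validation happens first, so reflection only ever sees a name the server chose.
    /// </summary>
    /// <param name="EffectName">Type name supplied by the caller; untrusted until checked.</param>
    /// <returns>
    /// <c>BadRequest</c> for a null or unlisted name, <c>Ok()</c> when the filter reports
    /// success, otherwise <c>Problem()</c>.
    /// </returns>
    public IActionResult Apply(string EffectName)
    {
        // Validate before reflection: null and unknown names never reach CreateInstance.
        if (EffectName is null || !s_effectAllowList.Contains(EffectName))
        {
            return BadRequest("Invalid effect title. The effect is not allowed.");
        }

        // null assemblyName => the executing assembly is searched for the type.
        var handle = Activator.CreateInstance(null, EffectName);

        // Guard the cast: a listed type that does not implement IEffect is a server-side
        // configuration error, not a reason to surface an InvalidCastException to the client.
        var plugin = handle.Unwrap() as IEffect;
        if (plugin is null)
        {
            return Problem();
        }

        if (plugin.ApplyFilter())
        {
            return Ok();
        }

        return Problem();
    }
}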
public interface IEffect
{
    /// <summary>Applies the effect; returns <c>true</c> when the filter succeeded.</summary>
    bool ApplyFilter();
}

public class ExampleController : Controller
{
    /// <summary>
    /// Builds an effect plug-in from a caller-supplied type name and applies it.
    /// Nothing checks <paramref name="EffectName"/> before it reaches
    /// <see cref="Activator.CreateInstance(string, string)"/>, so the request decides
    /// which type is constructed — the defect this example exists to show.
    /// </summary>
    /// <param name="EffectName">Type name supplied by the caller; untrusted.</param>
    /// <returns><c>Ok()</c> when the filter reports success, otherwise <c>Problem()</c>.</returns>
    public IActionResult Apply(string EffectName)
    {
        // Noncompliant: unvalidated, request-controlled type name fed to reflection.
        // null assemblyName => the executing assembly is searched for EffectName.
        object created = Activator.CreateInstance(null, EffectName).Unwrap();
        bool succeeded = ((IEffect)created).ApplyFilter();

        if (!succeeded)
        {
            return Problem();
        }

        return Ok();
    }
}
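public interface IEffect
{
    /// <summary>Applies the effect; returns <c>true</c> when the filter succeeded.</summary>
    bool ApplyFilter();
}

public class ExampleController : Controller
{
    // The only type names reflection is allowed to instantiate. Matching is ordinal and
    // case-sensitive (explicit comparer), so "sepiaeffect" is rejected like any other
    // unknown name. Everything outside this set stops at the BadRequest below.
    private static readonly HashSet<string> s_effectAllowList = new HashSet<string>(StringComparer.Ordinal)
    {
        "SepiaEffect",
        "BlackAndWhiteEffect",
        "WaterColorEffect",
        "OilPaintingEffect",
    };

    /// <summary>
    /// Instantiates an allow-listed effect plug-in by name and runs its filter.
    /// The name is checked against <c>s_effectAllowList</c> before any reflection call,
    /// so reflection only ever sees a value the server itself defined.
    /// </summary>
    /// <param name="EffectName">Type name supplied by the caller; untrusted until checked.</param>
    /// <returns>
    /// <c>BadRequest</c> for a null or unlisted name, <c>Ok()</c> when the filter reports
    /// success, otherwise <c>Problem()</c>.
    /// </returns>
    public IActionResult Apply(string EffectName)
    {
        // Reject before reflection; a null name is treated like any other unlisted value.
        if (EffectName is null || !s_effectAllowList.Contains(EffectName))
        {
            return BadRequest("Invalid effect title. The effect is not allowed.");
        }

        // null assemblyName => the executing assembly is searched for the type.
        var handle = Activator.CreateInstance(null, EffectName);

        // Guarded cast: an allow-listed type that does not implement IEffect is a
        // configuration error on our side; report it as Problem() rather than letting
        // an InvalidCastException escape.
        var plugin = handle.Unwrap() as IEffect;
        if (plugin is null)
        {
            return Problem();
        }

        if (plugin.ApplyFilter())
        {
            return Ok();
        }

        return Problem();
    }
}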
public interface IEffect
{
    /// <summary>Applies the effect; returns <c>true</c> when the filter succeeded.</summary>
    bool ApplyFilter();
}