Export (0) Print
Expand All

Security Considerations in Using Snippets 

IntelliSense code snippets installed by Visual Studio are not in themselves a security hazard. Depending on where they are used and how they are modified, they can create security risks in your application. Snippets downloaded from the Internet should be treated like any other downloaded content.

Snippets from the Internet

When downloading snippet files from the Internet, be aware of the following:

  • A file extension of .snippet does not guarantee that the file contains plain-text XML. To be safe, download from sites you trust, and use up-to-date virus software.

  • The Help URL that is part of the snippet file can potentially execute a malicious script file or display an offensive Web site. The Help URL is not displayed in the Code Editor when you insert the snippet, but it is visible if you edit the snippet file in the XML Editor or another editor such as Notepad.

  • The code itself could contain code that can damage your system if you execute it. Read the source carefully before running it. Some of the code many be in collapsed #Region Directive sections. Expand these sections to read the code.

  • The snippet may contain references. These references are added silently to your project and may be loaded from anywhere on your system. These references may have been downloaded to your computer from where you downloaded the snippet. The snippet may then make a call to a method in the reference that executes malicious code. To protect yourself against such an attack, read the snippet file carefully before inserting the snippet, and download from sites you trust.

Security for All Snippets

How secure a snippet is depends on where it is used in the source code and how it is modified once it is in the code. The following list contains a few of the areas that must be considered:

  • File and database access

  • Code access security

  • Protecting resources (such as event logs, registry)

  • Storing secrets

  • Verifying inputs

  • Passing data to scripting technologies

For more information, see Securing Applications.

See Also

Community Additions

ADD
Show:
© 2014 Microsoft