CA2140: Transparent code must not reference security critical items

TypeName: TransparentMethodsMustNotReferenceCriticalCode

CheckId: CA2140

Category: Microsoft.Security

Breaking Change: Breaking

Cause

A transparent method:

  • handles a security critical exception type

  • has a parameter that is marked as a security critical type

  • has a generic parameter with a security critical constraint

  • has a local variable of a security critical type

  • references a type that is marked as security critical

  • calls a method that is marked as security critical

  • references a field that is marked as security critical

  • returns a type that is marked as security critical

Rule Description

A code element that is marked with the SecurityCriticalAttribute attribute is security critical. A transparent method cannot use a security critical element. If a transparent type attempts to use a security critical type, a TypeAccessException, MethodAccessException, or FieldAccessException is raised.

How to Fix Violations

To fix a violation of this rule, do one of the following:

When to Suppress Warnings

Do not suppress a warning from this rule.

Example

In the following examples, a transparent method attempts to reference a security critical generic collection, a security critical field, and a security critical method.

using System;
using System.Security;
using System.Collections.Generic;

namespace TransparencyWarningsDemo
{

    [SecurityCritical]
    public class SecurityCriticalClass { }

    public class TransparentMethodsReferenceCriticalCodeClass
    {
        [SecurityCritical]
        private object m_criticalField;

        [SecurityCritical]
        private void CriticalMethod() { }

        public void TransparentMethod()
        {
            // CA2140 violation - transparent method accessing a critical type.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make SecurityCriticalClass safe critical
            //  4. Make SecurityCriticalClass transparent
            List<SecurityCriticalClass> l = new List<SecurityCriticalClass>();

            // CA2140 violation - transparent method accessing a critical field.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make m_criticalField safe critical
            //  4. Make m_criticalField transparent
            m_criticalField = l;

            // CA2140 violation - transparent method accessing a critical method.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make CriticalMethod safe critical
            //  4. Make CriticalMethod transparent
            CriticalMethod();
        }
    }
}
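
The following added example (not part of the original page) shows one of the fixes listed in the comments above: the critical members stay critical, and the transparent method reaches them only through a safe critical method. The class name TransparentMethodsUseSafeCriticalGateClass, the StoreAndRun method and its count limit are hypothetical, and the assembly-level AllowPartiallyTrustedCallers attribute is an assumption about how the assembly is annotated.

```csharp
using System;
using System.Security;
using System.Collections.Generic;

// Assumption: the assembly is transparent by default, so unmarked members
// such as TransparentMethod below are security transparent.
[assembly: AllowPartiallyTrustedCallers]

namespace TransparencyWarningsDemo
{
    [SecurityCritical]
    public class SecurityCriticalClass { }

    // Hypothetical class name for this added example.
    public class TransparentMethodsUseSafeCriticalGateClass
    {
        [SecurityCritical]
        private object m_criticalField;

        [SecurityCritical]
        private void CriticalMethod() { }

        // Safe critical: callable from transparent code and allowed to use
        // critical types, fields and methods. Its signature exposes no
        // critical type, so transparent callers do not reference one.
        // This method is the audit boundary, so it validates its input
        // before any critical member is touched.
        [SecuritySafeCritical]
        private void StoreAndRun(int count)
        {
            if (count < 0 || count > 1024)   // hypothetical limit
            {
                throw new ArgumentOutOfRangeException("count");
            }

            List<SecurityCriticalClass> l = new List<SecurityCriticalClass>(count);
            m_criticalField = l;
            CriticalMethod();
        }

        public void TransparentMethod()
        {
            // No CA2140 violation: the only call is to a safe critical
            // method, and no critical type, field or local appears here.
            StoreAndRun(16);
        }
    }
}
```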

See Also

Reference

SecurityTransparentAttribute

SecurityCriticalAttribute

SecurityTreatAsSafeAttribute

System.Security