Catch non-CLSCompliant exceptions in general handlers

Visual Studio Team System

This warning is supported in the stand-alone version of FxCop only. It is not supported in Code Analysis, which is integrated into Visual Studio.

TypeName	CatchNonClsCompliantExceptionsInGeneralHandlers
CheckId	CA2102
Category	Microsoft.Security
Breaking Change	NonBreaking

 Cause

A member in an assembly that is not marked with the RuntimeCompatibilityAttribute or is marked RuntimeCompatibility(WrapNonExceptionThrows = false) contains a catch block that handles System.Exception and does not contain an immediately following general catch block. This rule does not fire against Visual Basic assemblies.

 Rule Description

A catch block that handles Exception catches all Common Language Specification (CLS) compliant exceptions; however, it does not catch non-CLS compliant exceptions. Non-CLS compliant exceptions can be thrown from native code or from managed code generated by the MSIL Assembler. Note that the C# and Visual Basic compilers do not allow non-CLS compliant exceptions to be thrown and Visual Basic does not catch non-CLS compliant exceptions. If the intent of the catch block is to handle all exceptions, use the following general catch block syntax:

• C#: catch {}

• C++: catch(...) {} or catch(Object^) {}

An unhandled non-CLS compliant exception becomes a security issue when previously allowed permissions are removed in the catch block. Because non-CLS compliant exceptions are not caught, a malicious method that throws a non-CLS compliant exception might run with elevated privileges.

 How to Fix Violations

To fix a violation of this rule when the intent is to catch all exceptions, substitute or add a general catch block or mark the assembly RuntimeCompatibility(WrapNonExceptionThrows = true). If permissions are removed in the catch block, duplicate the functionality in the general catch block. If it is not the intent to handle all exceptions, replace the catch block that handles Exception with catch blocks that handle specific exception types.

 When to Exclude Warnings

It is safe to exclude a warning from this rule if the try block does not contain any statements that might generate a non-CLS compliant exception. Because any native or managed code might throw a non-CLS compliant exception, this requires knowledge of all code that can be executed in all code paths inside the try block. Note that non-CLS compliant exceptions are not thrown by the common language runtime.

 Example

The following example shows an MSIL class that throws a non-CLS compliant exception.

.assembly ThrowNonClsCompliantException {}
.class public auto ansi beforefieldinit ThrowsExceptions
{
   .method public hidebysig static void
         ThrowNonClsException() cil managed
   {
      .maxstack  1
      IL_0000:  newobj     instance void [mscorlib]System.Object::.ctor()
      IL_0005:  throw
   }
}

The following example shows a method that contains a general catch block that satisfies the rule.

C#

// CatchNonClsCompliantException.cs
using System;

namespace SecurityLibrary
{
   class HandlesExceptions
   {
      void CatchAllExceptions()
      {
         try
         {
            ThrowsExceptions.ThrowNonClsException();
         }
         catch(Exception e)
         {
            // Remove some permission.
            Console.WriteLine("CLS compliant exception caught");
         }
         catch
         {
            // Remove the same permission as above.
            Console.WriteLine("Non-CLS compliant exception caught.");
         }
      }

      static void Main()
      {
         HandlesExceptions handleExceptions = new HandlesExceptions();
         handleExceptions.CatchAllExceptions();
      }
   }
}

Compile the previous examples as follows:

ilasm /dll ThrowNonClsCompliantException.il
csc /r:ThrowNonClsCompliantException.dll CatchNonClsCompliantException.cs

 Related Rules

Do not catch general exception types

 See Also

Reference

Exceptions and Exception Handling (C# Programming Guide)
MSIL Assembler (Ilasm.exe)

Concepts

Overriding Security Checks
Common Language Specification