Home Library Learn Samples Downloads Support Community Forums
MSDN Library
Development Tools and Languages
Visual Studio 2010
Visual Studio Application Lifecycle Management
Developing the Application
Performing Common Development Tasks
Analyzing Application Quality by Using Code Analysis Tools
Analyzing Managed Code Quality by Using Code Analysis
Code Analysis for Managed Code Warnings
Security Warnings
CA2100: Review SQL queries for security vulnerabilities
CA2102: Catch non-CLSCompliant exceptions in general handlers
CA2103: Review imperative security
CA2104: Do not declare read only mutable reference types
CA2105: Array fields should not be read only
CA2106: Secure asserts
CA2107: Review deny and permit only usage
CA2108: Review declarative security on value types
CA2109: Review visible event handlers
CA2111: Pointers should not be visible
CA2112: Secured types should not expose fields
CA2114: Method security should be a superset of type
CA2115: Call GC.KeepAlive when using native resources
CA2116: APTCA methods should only call APTCA methods
CA2117: APTCA types should only extend APTCA base types
CA2118: Review SuppressUnmanagedCodeSecurityAttribute usage
CA2119: Seal methods that satisfy private interfaces
CA2120: Secure serialization constructors
CA2121: Static constructors should be private
CA2122: Do not indirectly expose methods with link demands
CA2123: Override link demands should be identical to base
CA2124: Wrap vulnerable finally clauses in outer try
CA2126: Type link demands require inheritance demands
CA2130: Security critical constants should be transparent
CA2131: Security critical types may not participate in type equivalence
CA2132: Default constructors must be at least as critical as base type default constructors
CA2133: Delegates must bind to methods with consistent transparency
CA2134: Methods must keep consistent transparency when overriding base methods
CA2135: Level 2 assemblies should not contain LinkDemands
CA2136: Members should not have conflicting transparency annotations
CA2137: Transparent methods must contain only verifiable IL
CA2138: Transparent methods must not call methods with the SuppressUnmanagedCodeSecurity attribute
CA2139: Transparent methods may not use the HandleProcessCorruptingExceptions attribute
CA2140: Transparent code must not reference security critical items
CA2141:Transparent methods must not satisfy LinkDemands
CA2142: Transparent code should not be protected with LinkDemands
CA2143: Transparent methods should not use security demands
CA2144: Transparent code should not load assemblies from byte arrays
CA2145: Transparent methods should not be decorated with the SuppressUnmanagedCodeSecurityAttribute
CA2146: Types must be at least as critical as their base types and interfaces
CA2147: Transparent methods may not use security asserts
CA2149: Transparent methods must not call into native code
Expand Minimize
0 out of 1 rated this helpful - Rate this topic

CA2112: Secured types should not expose fields

Visual Studio 2010

TypeName

SecuredTypesShouldNotExposeFields

CheckId

CA2112

Category

Microsoft.Security

Breaking Change

Breaking

A public or protected type contains public fields and is secured by a Link Demands.

If code has access to an instance of a type that is secured by a link demand, the code does not have to satisfy the link demand to access the type's fields.

To fix a violation of this rule, make the fields nonpublic and add public properties or methods that return the field data. LinkDemand security checks on types protect access to the type's properties and methods. However, code access security does not apply to fields.

Both for security issues and for good design, you should fix violations by making the public fields nonpublic. You can suppress a warning from this rule if the field does not hold information that should remain secured, and you do not rely on the contents of the field.

The following example is composed of a library type (SecuredTypeWithFields) with unsecured fields, a type (Distributor) that can create instances of the library type and mistaken passes instances to types do not have permission to create them, and application code that can read an instance's fields even though it does not have the permission that secures the type.

The following library code violates the rule.

C#
Copy 

using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;

namespace SecurityRulesLibrary
{
   // This code requires immediate callers to have full trust.
   [System.Security.Permissions.PermissionSetAttribute(
       System.Security.Permissions.SecurityAction.LinkDemand, 
       Name="FullTrust")]
   public class SecuredTypeWithFields 
   {
      // Even though the type is secured, these fields are not.
      // Violates rule: SecuredTypesShouldNotExposeFields.
      public double xValue;
      public double yValue;

      public SecuredTypeWithFields (double x, double y) 
      {
         xValue = x;
         yValue = y;
         Console.WriteLine(
            "Creating an instance of SecuredTypeWithFields.");
      }
      public override string ToString()
      {
          return String.Format (
            "SecuredTypeWithFields {0} {1}", xValue, yValue);
      }
   }
}

The application cannot create an instance because of the link demand that protects the secured type. The following class enables the application to obtain an instance of the secured type.

C#
Copy 

using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;

// This assembly executes with full trust. 

namespace SecurityRulesLibrary
{
   // This type creates and returns instances of the secured type.
   // The GetAnInstance method incorrectly gives the instance 
   // to a type that does not have the link demanded permission.

   public class Distributor
   {
      static SecuredTypeWithFields s = new SecuredTypeWithFields(22,33);
      public static SecuredTypeWithFields GetAnInstance ()
      {
            return s;
      }

      public static void DisplayCachedObject ()
      {
         Console.WriteLine(
            "Cached Object fields: {0}, {1}", s.xValue , s.yValue);
      }
   }
}

The following application illustrates how, without permission to access a secured type's methods, code can access its fields.

C#
Copy 

using System;
using System.Security;
using System.Security.Permissions;
using SecurityRulesLibrary;

// This code executes with partial trust.
[assembly: System.Security.Permissions.PermissionSetAttribute(
   System.Security.Permissions.SecurityAction.RequestRefuse,
   Name = "FullTrust")]
namespace TestSecurityExamples
{
    public class TestLinkDemandOnField
    {
        [STAThread]
        public static void Main()
        {
            // Get an instance of the protected object.
            SecuredTypeWithFields secureType = Distributor.GetAnInstance();

            // Even though this type does not have full trust,
            // it can directly access the secured type's fields.
            Console.WriteLine(
               "Secured type fields: {0}, {1}",
               secureType.xValue,
               secureType.yValue);
            Console.WriteLine("Changing secured type's field...");
            secureType.xValue = 99;

            // Distributor must call ToString on the secured object.
            Distributor.DisplayCachedObject();

            // If the following line is uncommented, a security 
            // exception is thrown at JIT-compilation time because 
            // of the link demand for full trust that protects 
            // SecuredTypeWithFields.ToString().

            // Console.WriteLine("Secured type {0}",secureType.ToString());
        }
    }
}

This example produces the following output.

Creating an instance of SecuredTypeWithFields.
Secured type fields: 22, 33
Changing secured type's field...
Cached Object fields: 99, 33
Did you find this helpful?
(1500 characters remaining)

Community Additions

ADD
© 2013 Microsoft. All rights reserved.
|
Site Feedback
© 2013 Microsoft. All rights reserved.