Wrap vulnerable finally clauses in outer try

Wrap vulnerable finally clauses in ...

Switch on low bandwidth view

Collapse All

Language Filter

This page is specific to

Microsoft Visual Studio 2005/.NET Framework 2.0

Other versions are also available for the following:

Visual Studio Team System

Wrap vulnerable finally clauses in outer try

TypeName	WrapVulnerableFinallyClausesInOuterTry
CheckId	CA2124
Category	Microsoft.Security
Breaking Change	NonBreaking

Cause

A public or protected method contains a try - finally block. The finally block appears to reset security state and is not enclosed in a finally block.

Rule Description

This rule locates try-finally blocks that might be vulnerable to malicious exception filters present in the call stack. If sensitive operations such as impersonation occur in the try block, and an exception is thrown, the filter can execute before the finally block. For the impersonation example, this means that the filter would execute as the impersonated user. Filters are currently implementable only in Visual Basic.

How to Fix Violations

Place the unwrapped try-finally in an outer try block. See the second example that follows. This forces the finally to execute before filter code.

When to Exclude Warnings

Do not exclude a warning from this rule.

Example

The following pseudo-code illustrates the pattern detected by this rule.

try {
   // Do some work.
   Impersonator imp = new Impersonator("John Doe");
   imp.AddToCreditCardBalance(100);
}
finally {
   // Reset security state.
   imp.Revert();
}

The following pseudo-code shows the pattern you can use to protect your code and satisfy this rule.

try {
     try {
        // Do some work.
     }
     finally {
        // Reset security state.
     }
}
catch()
{
    throw;
}