CA2140: Transparent code must not reference security critical items

 

The new home for Visual Studio documentation is Visual Studio 2017 Documentation on docs.microsoft.com.

The latest version of this topic can be found at CA2140: Transparent code must not reference security critical items.

TypeName|TransparentMethodsMustNotReferenceCriticalCode|
|CheckId|CA2140|
|Category|Microsoft.Security|
|Breaking Change|Breaking|

A transparent method:

  • handles a security critical security exception type

  • has a parameter that is marked as a security critical type

  • has a generic parameter with a security critical constraints

  • has a local variable of a security critical type

  • references a type that is marked as security critical

  • calls a method that is marked as security critical

  • references a field that is marked as security critical

  • returns a type that is marked as security critical

A code element that is marked with the SecurityCriticalAttribute attribute is security critical. A transparent method cannot use a security critical element. If a transparent type attempts to use a security critical type a TypeAccessException, MethodAccessException , or FieldAccessException is raised.

To fix a violation of this rule, do one of the following:

Do not suppress a warning from this rule.

In the following examples, a transparent method attempts to reference a security critical generic collection, a security critical field, and a security critical method.

using System;
using System.Security;
using System.Collections.Generic;

namespace TransparencyWarningsDemo
{

    [SecurityCritical]
    public class SecurityCriticalClass { }

    public class TransparentMethodsReferenceCriticalCodeClass
    {
        [SecurityCritical]
        private object m_criticalField;

        [SecurityCritical]
        private void CriticalMethod() { }

        public void TransparentMethod()
        {
            // CA2140 violation - transparent method accessing a critical type.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make CriticalClass safe critical
            //  4. Make CriticalClass transparent
            List<SecurityCriticalClass> l = new List<SecurityCriticalClass>();

            // CA2140 violation - transparent method accessing a critical field.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make m_criticalField safe critical
            //  4. Make m_criticalField transparent
            m_criticalField = l;

            // CA2140 violation - transparent method accessing a critical method.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make CriticalMethod safe critical
            //  4. Make CriticalMethod transparent
            CriticalMethod();
        }
    }
}

SecurityTransparentAttribute
SecurityCriticalAttribute
SecurityTransparentAttribute
SecurityTreatAsSafeAttribute
System.Security

Show: