CA2140: Transparent code must not reference security critical items
|TypeName|TransparentMethodsMustNotReferenceCriticalCode|
|CheckId|CA2140|
|Category|Microsoft.Security|
|Breaking Change|Breaking|
A transparent method:
handles a security critical exception type
has a parameter that is marked as a security critical type
has a generic parameter with a security critical constraint
has a local variable of a security critical type
references a type that is marked as security critical
calls a method that is marked as security critical
references a field that is marked as security critical
returns a type that is marked as security critical
A code element that is marked with the SecurityCriticalAttribute attribute is security critical. A transparent method cannot use a security critical element. If a transparent type attempts to use a security critical type, a TypeAccessException, MethodAccessException, or FieldAccessException is raised.
To fix a violation of this rule, do one of the following:
Mark the code element that uses the security critical code with the SecurityCriticalAttribute attribute.
- or -
Remove the SecurityCriticalAttribute attribute from the code elements that are marked as security critical and instead mark them with the SecuritySafeCriticalAttribute or SecurityTransparentAttribute attribute.
Do not suppress a warning from this rule.
In the following examples, a transparent method attempts to reference a security critical generic collection, a security critical field, and a security critical method.
```csharp
using System;
using System.Security;
using System.Collections.Generic;

namespace TransparencyWarningsDemo
{
    [SecurityCritical]
    public class SecurityCriticalClass { }

    public class TransparentMethodsReferenceCriticalCodeClass
    {
        [SecurityCritical]
        private object m_criticalField;

        [SecurityCritical]
        private void CriticalMethod() { }

        public void TransparentMethod()
        {
            // CA2140 violation - transparent method accessing a critical type. This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make CriticalClass safe critical
            //  4. Make CriticalClass transparent
            List<SecurityCriticalClass> l = new List<SecurityCriticalClass>();

            // CA2140 violation - transparent method accessing a critical field. This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make m_criticalField safe critical
            //  4. Make m_criticalField transparent
            m_criticalField = l;

            // CA2140 violation - transparent method accessing a critical method. This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make CriticalMethod safe critical
            //  4. Make CriticalMethod transparent
            CriticalMethod();
        }
    }
}
```
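The sample above with the three violations removed, as an added example that is not part of the original page: a variant of the "safe critical" fix that moves every critical reference into one safe-critical method, leaves TransparentMethod transparent, and prints the transparency level reflection reports for each member. The names FixedReferenceCriticalCodeClass, SafeCriticalBridge, Program and Level are hypothetical, and the AllowPartiallyTrustedCallers assembly attribute on .NET Framework 4 is an assumption made so that unannotated code is transparent.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security;

// Assumption: the assembly opts in to level 2 mixed transparency, so unannotated code is transparent.
[assembly: AllowPartiallyTrustedCallers]

namespace TransparencyWarningsDemo
{
    [SecurityCritical]
    public class SecurityCriticalClass { }

    public class FixedReferenceCriticalCodeClass // hypothetical name
    {
        [SecurityCritical] private object m_criticalField;
        [SecurityCritical] private void CriticalMethod() { }

        // Safe-critical bridge: the only member that touches critical items for transparent callers.
        // It takes no caller-controlled input and returns no critical type, so nothing critical leaks out.
        [SecuritySafeCritical]
        public void SafeCriticalBridge()
        {
            List<SecurityCriticalClass> l = new List<SecurityCriticalClass>();
            m_criticalField = l;
            CriticalMethod();
        }

        // Still transparent: it references only the safe-critical bridge.
        public void TransparentMethod() { SafeCriticalBridge(); }
    }

    public static class Program
    {
        // Report the transparency level the runtime assigned to a method.
        static string Level(MethodBase m)
        {
            if (m.IsSecurityTransparent) return "Transparent";
            return m.IsSecuritySafeCritical ? "SafeCritical" : "Critical";
        }
        public static void Main()
        {
            Type t = typeof(FixedReferenceCriticalCodeClass);
            BindingFlags all = BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;
            foreach (string name in new[] { "TransparentMethod", "SafeCriticalBridge", "CriticalMethod" })
                Console.WriteLine("{0}: {1}", name, Level(t.GetMethod(name, all)));
        }
    }
}
```

Because transparent code can call a safe-critical member freely, that member is where security review belongs: keep it small and keep critical objects from flowing back to its callers.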
SecurityTransparentAttribute
SecurityCriticalAttribute
SecurityTreatAsSafeAttribute
System.Security