CA2144: Transparent code should not load assemblies from byte arrays







Breaking Change


A transparent method loads an assembly from a byte array using one of the following methods:

The security review for transparent code is not as thorough as the security review for critical code, because transparent code cannot perform security sensitive actions. Assemblies loaded from a byte array might not be noticed in transparent code, and that byte array might contain critical, or more importantly safe-critical code, that does need to be audited. Therefore, transparent code should not load assemblies from a byte array.

To fix a violation of this rule, mark the method that is loading the assembly with the SecurityCriticalAttribute or the SecuritySafeCriticalAttribute attribute.

Do not suppress a warning from this rule.

The rule fires on the following code because a transparent method loads an assembly from a byte array.

using System;
using System.IO;
using System.Reflection;

namespace TransparencyWarningsDemo

    public class TransparentMethodsLoadAssembliesFromByteArraysClass
        public void TransparentMethod()
            byte[] assemblyBytes = File.ReadAllBytes("DependentAssembly.dll");

            // CA2144 violation - transparent code loading an assembly via byte array.  The fix here is to
            // either make TransparentMethod critical or safe-critical.
            Assembly dependent = Assembly.Load(assemblyBytes);

Community Additions