From bcaaa2a0e4b8b0214064e4af710ba004e2c83774 Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Mon, 8 Jul 2019 18:29:12 +0800 Subject: [PATCH 01/16] UseDefaultDllImportSearchPathsAttribute --- .../SystemSecurityCryptographyResources.resx | 9 + ...UseDefaultDllImportSearchPathsAttribute.cs | 92 ++++++++++ ...SystemSecurityCryptographyResources.cs.xlf | 15 ++ ...SystemSecurityCryptographyResources.de.xlf | 15 ++ ...SystemSecurityCryptographyResources.es.xlf | 15 ++ ...SystemSecurityCryptographyResources.fr.xlf | 15 ++ ...SystemSecurityCryptographyResources.it.xlf | 15 ++ ...SystemSecurityCryptographyResources.ja.xlf | 15 ++ ...SystemSecurityCryptographyResources.ko.xlf | 15 ++ ...SystemSecurityCryptographyResources.pl.xlf | 15 ++ ...temSecurityCryptographyResources.pt-BR.xlf | 15 ++ ...SystemSecurityCryptographyResources.ru.xlf | 15 ++ ...SystemSecurityCryptographyResources.tr.xlf | 15 ++ ...mSecurityCryptographyResources.zh-Hans.xlf | 15 ++ ...mSecurityCryptographyResources.zh-Hant.xlf | 15 ++ ...faultDllImportSearchPathsAttributeTests.cs | 160 ++++++++++++++++++ src/Utilities/Compiler/WellKnownTypeNames.cs | 2 + 17 files changed, 458 insertions(+) create mode 100644 src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs create mode 100644 src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx index 30ededdcee..2304bef8d5 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx 
@@ -396,4 +396,13 @@ When creating path for '{0} in method {1}' from relative archive item path to extract file and the source is an untrusted zip archive, make sure to sanitize relative archive item path '{2} in method {3}' + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + \ No newline at end of file diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs new file mode 100644 index 0000000000..f2c4c33116 --- /dev/null +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs 
@@ -0,0 +1,92 @@
+// Copyright (c) Microsoft. All Rights Reserved. Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Collections.Immutable;
+using System.Linq;
+using Analyzer.Utilities;
+using Analyzer.Utilities.Extensions;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Microsoft.CodeAnalysis.FlowAnalysis.DataFlow;
+
+namespace Microsoft.NetCore.Analyzers.Security
+{
+ [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)]
+ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer
+ {
+ internal const string DiagnosticId = "CA5392";
+ private static readonly LocalizableString s_Title = new LocalizableResourceString(
+ nameof(SystemSecurityCryptographyResources.UseDefaultDllImportSearchPathsAttribute),
+ SystemSecurityCryptographyResources.ResourceManager,
+ typeof(SystemSecurityCryptographyResources));
+ private static readonly LocalizableString s_Message = new LocalizableResourceString(
+ nameof(SystemSecurityCryptographyResources.UseDefaultDllImportSearchPathsAttributeMessage),
+ SystemSecurityCryptographyResources.ResourceManager,
+ typeof(SystemSecurityCryptographyResources));
+ private static readonly LocalizableString s_Description = new LocalizableResourceString(
+ nameof(SystemSecurityCryptographyResources.UseDefaultDllImportSearchPathsAttributeDescription),
+ SystemSecurityCryptographyResources.ResourceManager,
+ typeof(SystemSecurityCryptographyResources));
+
+ internal static DiagnosticDescriptor Rule = new DiagnosticDescriptor(
+ DiagnosticId,
+ s_Title,
+ s_Message,
+ DiagnosticCategory.Security,
+ DiagnosticHelpers.DefaultDiagnosticSeverity,
+ isEnabledByDefault: DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX,
+ description: s_Description,
+ helpLinkUri: null,
+ customTags: WellKnownDiagnosticTags.Telemetry);
+
+ public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule);
+
+ public override void Initialize(AnalysisContext context)
+ {
+ context.EnableConcurrentExecution();
+
+ // Security analyzer - analyze and report diagnostics on generated code.
+ context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
+
+ context.RegisterCompilationStartAction(compilationStartAnalysisContext =>
+ {
+ var compilation = compilationStartAnalysisContext.Compilation;
+ var wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilation);
+
+ if (!wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemRuntimeInteropServicesDllImportAttribute, out INamedTypeSymbol dllImportAttributeTypeSymbol) ||
+ !wellKnownTypeProvider.TryGetTypeByMetadataName(WellKnownTypeNames.SystemRuntimeInteropServicesDefaultDllImportSearchPathsAttribute, out INamedTypeSymbol defaultDllImportSearchPathsAttributeTypeSymbol))
+ {
+ return;
+ }
+
+ var hasDefaultDllImportSearchPathsAttribute = false;
+
+ if (compilation.Assembly.GetAttributes().Select(o => o.AttributeClass).Contains(defaultDllImportSearchPathsAttributeTypeSymbol))
+ {
+ hasDefaultDllImportSearchPathsAttribute = true;
+ }
+
+ compilationStartAnalysisContext.RegisterSymbolAction(symbolAnalysisContext =>
+ {
+ var symbol = symbolAnalysisContext.Symbol;
+
+ if (!symbol.IsExtern)
+ {
+ return;
+ }
+
+ var attributeClasses = symbol.GetAttributes().Select(o => o.AttributeClass);
+
+ if (attributeClasses.Contains(dllImportAttributeTypeSymbol) ||
+ (!attributeClasses.Contains(defaultDllImportSearchPathsAttributeTypeSymbol) &&
+ !hasDefaultDllImportSearchPathsAttribute))
+ {
+ symbolAnalysisContext.ReportDiagnostic(
+ symbol.CreateDiagnostic(
+ Rule,
+ symbol.Name));
+ }
+ }, SymbolKind.Method);
+ });
+ }
+ }
+}
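Review bot: The report condition at the end of the symbol action fires whenever the method carries `[DllImport]`, so the `DefaultDllImportSearchPaths` checks on the two lines that follow it are never consulted for an explicitly attributed P/Invoke and the rule cannot be satisfied by adding the attribute its title asks for (the tests `Test_DllImportAndDefaultDllImportSearchPathsAttributes_Diagnostic` and `Test_DllImportAndGlobalDefaultDllImportSearchPathsAttributes_Diagnostic` in this series pin that behaviour). If the intent is to flag only P/Invokes that have neither a method-level nor an assembly-level `DefaultDllImportSearchPaths`, the condition reduces to `if (!attributeClasses.Contains(defaultDllImportSearchPathsAttributeTypeSymbol) && !hasDefaultDllImportSearchPathsAttribute)`. Presence alone is also a weak signal for the risk the description names: a `DllImportSearchPath.LegacyBehavior` argument restores the default probing, so the attribute's value likely needs a follow-up check rather than a type match. `attributeClasses` is a deferred LINQ query that `Contains` enumerates twice; materialise it once with `.ToImmutableArray()` (the namespace is already imported) or test both attribute types in a single pass. `using Microsoft.CodeAnalysis.FlowAnalysis.DataFlow;` is not used anywhere in this file.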
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf index 29cf49fb19..11642c45a5 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf @@ -397,6 +397,21 @@ Pokud je to možné, zvažte použití řízení přístupu Azure na základě role namísto sdíleného přístupového podpisu (SAS). Pokud i přesto potřebujete používat sdílený přístupový podpis, použijte při jeho vytváření zásady přístupu na úrovni kontejneru. + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Použijte algoritmus RSA (Rivest-Shamir-Adleman) s dostatečnou velikostí klíče diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf index 34f61e99af..610ed013bb 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf 
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf @@ -397,6 +397,21 @@ Erwägen Sie (sofern möglich) die Verwendung der rollenbasierten Zugriffssteuerung von Azure anstelle einer Shared Access Signature (SAS). Wenn Sie weiterhin eine SAS benötigen, verwenden Sie beim Erstellen einer SAS eine Zugriffsrichtlinie auf Containerebene. + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Verwenden Sie den RSA-Algorithmus (Rivest – Shamir – Adleman) mit einer ausreichenden Schlüsselgröße. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf index 9256a826ae..6308f44708 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf 
@@ -397,6 +397,21 @@ Considere la posibilidad de usar el control de acceso basado en rol de Azure en lugar de una firma de acceso compartido (SAS), si es posible. Si tiene que usar una firma de acceso compartido, utilice una directiva de acceso de nivel de contenedor al crear la firma. + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Usar un algoritmo de Rivest-Shamir-Adleman (RSA) con un tamaño de clave suficiente diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf index c92b390fb4..01c4dc9e42 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf 
@@ -397,6 +397,21 @@ Si possible, utilisez la fonctionnalité RBAC (contrôle d'accès en fonction du rôle) d'Azure à la place d'une SAP (signature d'accès partagé). Si vous devez quand même utiliser une SAP, utilisez une stratégie d'accès au niveau du conteneur quand vous créez la SAP + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Utiliser l'algorithme RSA (Rivest-Shamir-Adleman) avec une taille de clé suffisante diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf index 21c0b56d85..128dc68e6e 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf 
@@ -397,6 +397,21 @@ Se possibile, provare a usare il controllo degli accessi in base al ruolo di Azure, invece della firma di accesso condiviso. Se è necessaria una firma di accesso condiviso, usare un criterio di accesso a livello di contenitore quando si crea la firma + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Usa l'algoritmo RSA (Rivest-Shamir-Adleman) con dimensione di chiave sufficiente diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf index 1fd93b4a97..52ad0bc807 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf 
@@ -397,6 +397,21 @@ 可能な場合は、Shared Access Signature (SAS) の代わりに、Azure のロールベースのアクセス制御を使用することを検討してください。依然として SAS を使用する必要がある場合は、SAS の作成時にコンテナーレベルのアクセス ポリシーを使用します + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size 十分なキー サイズの Rivest–Shamir–Adleman (RSA) アルゴリズムを使用します diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf index bb12d59f4c..4aaec0caf4 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf 
@@ -397,6 +397,21 @@ 가능한 경우 SAS(공유 액세스 서명) 대신 Azure의 역할 기반 액세스 제어를 사용하세요. 계속 SAS를 사용해야 할 경우 SAS를 만들 때 컨테이너 수준 액세스 정책을 사용하세요. + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size 충분한 키 크기로 RSA(Rivest–Shamir–Adleman) 알고리즘 사용 diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf index 4c6718f61d..61fb75aedb 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf 
@@ -397,6 +397,21 @@ Jeśli to możliwe, rozważ użycie kontroli dostępu opartej na rolach platformy Azure zamiast sygnatury dostępu współdzielonego (SAS). Jeśli nadal chcesz używać sygnatury SAS, podczas jej tworzenia użyj zasad dostępu na poziomie kontenera + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Użyj algorytmu Rivest-Shamir-Adleman (RSA) z wystarczającym rozmiarem klucza diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf index 63c96dcb16..d3815bcc24 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf 
@@ -397,6 +397,21 @@ Se possível, considere usar o controle de acesso baseado em função do Azure em vez de uma SAS (Assinatura de Acesso Compartilhado). Se você ainda precisar usar uma SAS, use uma política de acesso de nível de contêiner ao criar uma SAS + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Usar o Algoritmo RSA (Rivest-Shamir-Adleman) com um Tamanho de Chave Suficiente diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf index 12bba2535a..f1742f1bd8 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf 
@@ -397,6 +397,21 @@ Если возможно, попробуйте использовать управление доступом на основе ролей Azure, а не подписанный URL-адрес (SAS). Если все-таки требуется использовать SAS, при его создании примените политику доступа на уровне контейнера. + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Использовать алгоритм шифрования RSA с достаточным размером ключа diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf index 3aee19178f..122da9bbf3 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf 
@@ -397,6 +397,21 @@ Mümkünse Paylaşılan Erişim İmzası (SAS) yerine Azure'un rol tabanlı erişim denetimini kullanmayı düşünün. Yine de SAS kullanmanız gerekiyorsa, SAS oluştururken kapsayıcı düzeyinde bir erişim ilkesi kullanın + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size Yeterli Anahtar Boyutuna Sahip Rivest–Shamir–Adleman (RSA) Algoritmasını Kullan diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf index 9de4e5e868..b26976f866 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf 
@@ -397,6 +397,21 @@ 如果可能,请考虑使用 Azure 基于角色的访问控制,而不是共享访问签名(SAS)。如果仍需使用 SAS,请在创建 SAS 时使用容器级别访问策略 + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size 设置具有足够密钥大小的 Rivest–Shamir–Adleman (RSA)算法 diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf index 7efbc66d3d..b24f69199f 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf 
@@ -397,6 +397,21 @@ 如果可行的話,請考慮從共用存取簽章 (SAS) 改為使用 Azure 的角色型存取控制。如果您仍需要使用 SAS,請於建立 SAS 時使用容器層級存取原則 + + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + + + + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + + + + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + + Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size 使用有足夠金鑰大小的 Rivest–Shamir–Adleman (RSA) 加密演算法 diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs new file mode 100644 index 0000000000..e89603c547 --- /dev/null +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs 
@@ -0,0 +1,160 @@
+// Copyright (c) Microsoft. All Rights Reserved. Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.CodeAnalysis.Diagnostics;
+using Test.Utilities;
+using Xunit;
+
+namespace Microsoft.NetCore.Analyzers.Security.UnitTests
+{
+ public class UseDefaultDllImportSearchPathsAttributeTests : DiagnosticAnalyzerTestBase
+ {
+ [Fact]
+ public void Test_NoAttribute_Diagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
+ }
+}",
+ GetCSharpResultAt(7, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
+ }
+
+ [Fact]
+ public void Test_DllImportAttribute_Diagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ [DllImport(""user32.dll"")]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
+ }
+}",
+ GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
+ }
+
+ [Fact]
+ public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_ApplyOnDifferentMethods_Diagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ [DllImport(""user32.dll"")]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+
+ [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+ public static extern int AnotherMessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+}",
+ GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
+ }
+
+ [Fact]
+ public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_Diagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ [DllImport(""user32.dll"")]
+ [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
+ }
+}",
+ GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
+ }
+
+ [Fact]
+ public void Test_DllImportAndGlobalDefaultDllImportSearchPathsAttributes_Diagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+[assembly:DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+
+class TestClass
+{
+ [DllImport(""user32.dll"")]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
+ }
+}",
+ GetCSharpResultAt(10, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
+ }
+
+ [Fact]
+ public void Test_DefaultDllImportSearchPaths_NoDiagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ }
+}");
+ }
+
+ [Fact]
+ public void Test_GlobalDefaultDllImportSearchPaths_NoDiagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+[assembly:DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+
+class TestClass
+{
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ }
+}");
+ }
+
+ protected override DiagnosticAnalyzer GetBasicDiagnosticAnalyzer()
+ {
+ return new UseDefaultDllImportSearchPathsAttribute();
+ }
+
+ protected override DiagnosticAnalyzer GetCSharpDiagnosticAnalyzer()
+ {
+ return new UseDefaultDllImportSearchPathsAttribute();
+ }
+ }
+}
diff --git a/src/Utilities/Compiler/WellKnownTypeNames.cs b/src/Utilities/Compiler/WellKnownTypeNames.cs
index d86b14c43d..e4d36adead 100644
--- a/src/Utilities/Compiler/WellKnownTypeNames.cs
+++ b/src/Utilities/Compiler/WellKnownTypeNames.cs
@@ -320,5 +320,7 @@ internal static class WellKnownTypeNames
 public const string SystemIOFileStream = "System.IO.FileStream";
 public const string SystemIOPath = "System.IO.Path";
 public const string SystemString = "System.String";
+ public const string SystemRuntimeInteropServicesDllImportAttribute = "System.Runtime.InteropServices.DllImportAttribute";
+ public const string SystemRuntimeInteropServicesDefaultDllImportSearchPathsAttribute = "System.Runtime.InteropServices.DefaultDllImportSearchPathsAttribute";
 }
 }
From e09d6ca733601450341f83771010d00430d7ce44 Mon Sep 17 00:00:00 2001
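Review bot: The test class overrides `GetBasicDiagnosticAnalyzer` and the analyzer registers for `LanguageNames.VisualBasic`, yet every case in this file goes through `VerifyCSharp`, so the Visual Basic path, and with it the `Declare` form of P/Invoke that the rule message presumably means by an implicit DllImport, has no coverage. A `Declare Function` case with and without `DefaultDllImportSearchPaths`, run through the Basic counterpart of `VerifyCSharp`, would exercise that branch. `Test_NoAttribute_Diagnostic` also relies on a C# `extern` method with no attribute at all; as far as I know the C# compiler does not treat such a method as a P/Invoke and only warns that `DllImport` is missing, so it is worth confirming this is the intended scenario rather than the VB one. The `UseDefaultDllImportSearchPathsAttributeTests` class is complete within this hunk.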
From: LingxiaChen Date: Tue, 9 Jul 2019 10:16:46 +0800 Subject: [PATCH 02/16] Update rule title. --- .../Core/Security/SystemSecurityCryptographyResources.resx | 2 +- .../Security/xlf/SystemSecurityCryptographyResources.cs.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.de.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.es.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.fr.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.it.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.ja.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.ko.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.pl.xlf | 4 ++-- .../xlf/SystemSecurityCryptographyResources.pt-BR.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.ru.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.tr.xlf | 4 ++-- .../xlf/SystemSecurityCryptographyResources.zh-Hans.xlf | 4 ++-- .../xlf/SystemSecurityCryptographyResources.zh-Hant.xlf | 4 ++-- 14 files changed, 27 insertions(+), 27 deletions(-) diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx index 2304bef8d5..8edf7f52e4 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx 
@@ -397,7 +397,7 @@ When creating path for '{0} in method {1}' from relative archive item path to extract file and the source is an untrusted zip archive, make sure to sanitize relative archive item path '{2} in method {3}' - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf index 11642c45a5..dc135e5979 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf index 610ed013bb..7561fd41f9 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf 
@@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf index 6308f44708..fe8c0ff627 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf index 01c4dc9e42..4776ccd979 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf index 128dc68e6e..aafe16cff9 100644 
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf index 52ad0bc807..895ce70443 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf index 4aaec0caf4..e6e985d26c 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes 
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf index 61fb75aedb..751c5ef569 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf index d3815bcc24..950981381f 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf index f1742f1bd8..34821bc43e 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf 
@@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf index 122da9bbf3..20dfe560ae 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf index b26976f866..f575aca5b5 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf index b24f69199f..107ed3404c 100644 
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf @@ -398,8 +398,8 @@ - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute - Use DllImport Attribute Along With DefaultDllImportSearchPaths Attribute + Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths Attribute For P/Invokes From 2a7eecc0a8b22cadd657221d31b0f153857c5d73 Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Fri, 12 Jul 2019 15:23:00 +0800 Subject: [PATCH 03/16] Update rule message. --- .../Core/Security/SystemSecurityCryptographyResources.resx | 2 +- .../Security/xlf/SystemSecurityCryptographyResources.cs.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.de.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.es.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.fr.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.it.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.ja.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.ko.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.pl.xlf | 4 ++-- .../xlf/SystemSecurityCryptographyResources.pt-BR.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.ru.xlf | 4 ++-- .../Security/xlf/SystemSecurityCryptographyResources.tr.xlf | 4 ++-- .../xlf/SystemSecurityCryptographyResources.zh-Hans.xlf | 4 ++-- .../xlf/SystemSecurityCryptographyResources.zh-Hant.xlf | 4 ++-- 14 files changed, 27 insertions(+), 27 deletions(-) diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx index 8edf7f52e4..5399ca8c30 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx 
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx @@ -403,6 +403,6 @@ By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. \ No newline at end of file diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf index dc135e5979..39d16d3489 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf index 7561fd41f9..5f56e3c536 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf 
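Review bot: The new diagnostic message `The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes.` is past tense and colloquial for an analyzer message, while the neighbouring resource strings in this file are phrased in the present. Suggest `The method {0} does not use DefaultDllImportSearchPaths attribute for P/Invokes.`, which then carries over to the xlf copies. The resx hunk also still ends with `\ No newline at end of file`, which is worth fixing while the file is being edited anyway.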
@@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf index fe8c0ff627..0f88d28927 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf index 4776ccd979..b69a88e749 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. 
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf index aafe16cff9..f3e1238272 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf index 895ce70443..54d4875496 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf index e6e985d26c..5653602760 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf 
@@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf index 751c5ef569..38923f2ac5 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf index 950981381f..e145b06755 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. 
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf index 34821bc43e..61f83a3cbc 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf index 20dfe560ae..c6011bd88c 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf index f575aca5b5..860d933a02 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf 
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf index 107ed3404c..0fb1e83e8d 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf @@ -408,8 +408,8 @@ - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. - The method {0} uses DllImport attribute explicitly or implicitly for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. From 3207b5fc344c26aa559ac137d19fcb8b2b24ee27 Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Fri, 12 Jul 2019 17:58:35 +0800 Subject: [PATCH 04/16] Update. --- ...UseDefaultDllImportSearchPathsAttribute.cs | 34 ++++++++++++----- ...faultDllImportSearchPathsAttributeTests.cs | 38 +++++++++---------- 2 files changed, 43 insertions(+), 29 deletions(-) diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs index f2c4c33116..734d67e2b7 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs 
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs @@ -1,6 +1,8 @@ // Copyright (c) Microsoft. All Rights Reserved. Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. +using System; using System.Collections.Immutable; +using System.IO; using System.Linq; using Analyzer.Utilities; using Analyzer.Utilities.Extensions; @@ -69,21 +71,35 @@ public override void Initialize(AnalysisContext context) { var symbol = symbolAnalysisContext.Symbol; - if (!symbol.IsExtern) + if (!symbol.IsExtern || !symbol.IsStatic) { return; } - var attributeClasses = symbol.GetAttributes().Select(o => o.AttributeClass); + var dllImportAttribute = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(dllImportAttributeTypeSymbol)); + var defaultDllImportSearchPathsAttribute = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(defaultDllImportSearchPathsAttributeTypeSymbol)); - if (attributeClasses.Contains(dllImportAttributeTypeSymbol) || - (!attributeClasses.Contains(defaultDllImportSearchPathsAttributeTypeSymbol) && - !hasDefaultDllImportSearchPathsAttribute)) + if (dllImportAttribute != null) { - symbolAnalysisContext.ReportDiagnostic( - symbol.CreateDiagnostic( - Rule, - symbol.Name)); + var constructorArguments = dllImportAttribute.ConstructorArguments; + + if (constructorArguments.Length == 0) + { + return; + } + + var dllPath = constructorArguments[0].Value.ToString(); + + if ((Path.IsPathRooted(dllPath) && + dllPath.EndsWith(".dll", StringComparison.Ordinal)) || + (!hasDefaultDllImportSearchPathsAttribute && + defaultDllImportSearchPathsAttribute == null)) + { + symbolAnalysisContext.ReportDiagnostic( + symbol.CreateDiagnostic( + Rule, + symbol.Name)); + } } }, SymbolKind.Method); }); 
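Review bot: `constructorArguments[0].Value.ToString()` throws inside the analyzer when the DllImport argument is not a string constant (erroneous code, where `TypedConstant.Value` is null); guard it with `if (!(constructorArguments[0].Value is string dllPath)) { return; }` instead of calling `ToString()`. `Path.IsPathRooted` is also evaluated on the machine running the analyzer, so a path such as `C:\Windows\System32\user32.dll` is not rooted when the build runs on Linux or macOS and the diagnostic would depend on the build host rather than on the code; a small explicit check (leading directory separator or an `X:` drive prefix) would make it deterministic. The `.EndsWith(".dll")` qualifier means a rooted path without that extension is never flagged, which does not look intentional, and a comment should say why a fully qualified path is reported at all, since such a path is loaded directly rather than probed (presumably the search flags still govern the library's own dependencies — confirm). The enclosing `Initialize` method begins outside the hunk.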
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs index e89603c547..b5dced717b 100644 --- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs @@ -9,7 +9,7 @@ namespace Microsoft.NetCore.Analyzers.Security.UnitTests public class UseDefaultDllImportSearchPathsAttributeTests : DiagnosticAnalyzerTestBase { [Fact] - public void Test_NoAttribute_Diagnostic() + public void Test_DllImportAttribute_Diagnostic() { VerifyCSharp(@" using System; @@ -17,6 +17,7 @@ public void Test_NoAttribute_Diagnostic() class TestClass { + [DllImport(""user32.dll"")] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() @@ -24,11 +25,11 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(7, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); } [Fact] - public void Test_DllImportAttribute_Diagnostic() + public void Test_DllImportAttributeWithAbsolutePath_Diagnostic() { VerifyCSharp(@" using System; @@ -36,7 +37,8 @@ public void Test_DllImportAttribute_Diagnostic() class TestClass { - [DllImport(""user32.dll"")] + [DllImport(""C:\\\\Windows\\System32\\user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() 
@@ -44,11 +46,11 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); } [Fact] - public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_ApplyOnDifferentMethods_Diagnostic() + public void Test_NoAttribute_NoDiagnostic() { VerifyCSharp(@" using System; @@ -56,19 +58,17 @@ public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_ApplyOnDiffer class TestClass { - [DllImport(""user32.dll"")] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); - - [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] - public static extern int AnotherMessageBox(IntPtr hWnd, String text, String caption, uint type); - -}", - GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}"); } [Fact] - public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_Diagnostic() + public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic() { VerifyCSharp(@" using System; @@ -84,12 +84,11 @@ public void TestMethod() { MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } -}", - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); +}"); } [Fact] - public void Test_DllImportAndGlobalDefaultDllImportSearchPathsAttributes_Diagnostic() + public void Test_DllImportAndAssemblyDefaultDllImportSearchPathsAttributes_NoDiagnostic() { VerifyCSharp(@" using System; @@ -106,8 +105,7 @@ public void TestMethod() { MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } -}", - GetCSharpResultAt(10, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); +}"); } [Fact] 
@@ -129,7 +127,7 @@ public void TestMethod() } [Fact] - public void Test_GlobalDefaultDllImportSearchPaths_NoDiagnostic() + public void Test_AssemblyDefaultDllImportSearchPaths_NoDiagnostic() { VerifyCSharp(@" using System; From c9e610803a81947ebb57886ace5f9c4eeaec3f5d Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Mon, 15 Jul 2019 10:21:05 +0800 Subject: [PATCH 05/16] Add comment to test cases. --- ...seDefaultDllImportSearchPathsAttributeTests.cs | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs index b5dced717b..9b136b008e 100644 --- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs @@ -8,6 +8,13 @@ namespace Microsoft.NetCore.Analyzers.Security.UnitTests { public class UseDefaultDllImportSearchPathsAttributeTests : DiagnosticAnalyzerTestBase { + // It will try to retrieve the MessageBox from user32.dll, which will be searched in a default order: + // 1. The directory from which the application is loaded. + // 2. The current directory. + // 3. The system directory, usually C:\\Windows\\System32\\ (The GetSystemDirectory function is called to obtain this directory.). + // 4. The 16-bit system directory – There is no dedicated function to retrieve the path of this directory, but it is searched as well. + // 5. The Windows directory. The GetWindowsDirectory function is called to obtain this directory. + // 6. The directories that are listed in the PATH environment variable [Fact] public void Test_DllImportAttribute_Diagnostic() { 
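Review bot: `Test_DllImportAttributeWithAbsolutePath_Diagnostic` is host-dependent: the analyzer decides with `Path.IsPathRooted`, which on Linux/macOS does not treat `C:\...` as rooted, so this test can only pass on a Windows build agent. The verbatim test source also writes the attribute as `[DllImport(""C:\\\\Windows\\System32\\user32.dll"")]`, which compiles to the runtime value `C:\\Windows\System32\user32.dll` with a doubled separator after the drive; `""C:\\Windows\\System32\\user32.dll""` is presumably what was meant. It would also help to cover a rooted path with no `DefaultDllImportSearchPaths` attribute at all, and a rooted path without a `.dll` suffix, since the analyzer treats those cases differently from the one tested here.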
@@ -28,6 +35,8 @@ public void TestMethod()
 GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
 }
 
+ // [DllImport] is set with an absolute path, which will let the [DefaultDllImportSearchPaths] be ignored.
+ // So user32.dll will also be searched in the default order.
 [Fact]
 public void Test_DllImportAttributeWithAbsolutePath_Diagnostic()
 {
@@ -49,6 +58,7 @@ public void TestMethod()
 GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
 }
 
+ // It will have a compiler warning and recommend to use [DllImport]. So, there's no need to flag a diagnostic for this case.
 [Fact]
 public void Test_NoAttribute_NoDiagnostic()
 {
@@ -67,6 +77,7 @@ public void TestMethod()
 }");
 }
 
+ // user32.dll will be searched in UserDirectories, which is specified by DllImportSearchPath and is good.
 [Fact]
 public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic()
 {
@@ -87,6 +98,8 @@ public void TestMethod()
 }");
 }
 
+ // In this case, [DefaultDllImportSearchPaths] is applied to the assembly.
+ // So, this attribute specifies the paths that are used by default to search for any DLL that provides a function for a platform invoke, in any code in the assembly.
 [Fact]
 public void Test_DllImportAndAssemblyDefaultDllImportSearchPathsAttributes_NoDiagnostic()
 {
@@ -108,6 +121,7 @@ public void TestMethod()
 }");
 }
 
+ // It will have a compiler warning and recommend to use [DllImport] also.
 [Fact]
 public void Test_DefaultDllImportSearchPaths_NoDiagnostic()
 {
@@ -126,6 +140,7 @@ public void TestMethod()
 }");
 }
 
+ // It will have a compiler warning and recommend to use [DllImport] also.
 [Fact]
 public void Test_AssemblyDefaultDllImportSearchPaths_NoDiagnostic()
 {
From 314ec658bf1cfd653d6609bb2d15bb82fb55d0da Mon Sep 17 00:00:00 2001
From: LingxiaChen
Date: Mon, 15 Jul 2019 13:46:12 +0800
Subject: [PATCH 06/16] Add comment about the Known Dlls.
---
 .../Security/UseDefaultDllImportSearchPathsAttributeTests.cs | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
index 9b136b008e..76c475e7df 100644
--- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
@@ -6,6 +6,11 @@
 
 namespace Microsoft.NetCore.Analyzers.Security.UnitTests
 {
+ // All the test cases use user32.dll as an example,
+ // however it is a commonly used system dll and will be influenced by Known Dlls mechanism,
+ // which will ignore all the configuration about the search algorithm.
+ // Fow now, this rule didn't take Known Dlls into consideration.
+ // If it is needed in the future, we can recover this rule.
 public class UseDefaultDllImportSearchPathsAttributeTests : DiagnosticAnalyzerTestBase
 {
 // It will try to retrieve the MessageBox from user32.dll, which will be searched in a default order:
From dd1ff210e7ab4cef00e6725c0335111bea62de9a Mon Sep 17 00:00:00 2001
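Review bot: The new class comment conflates the runtime loader with what these tests exercise: `VerifyCSharp` only runs the analyzer over source text, so the KnownDLLs mechanism the comment describes never influences a test outcome, and `user32.dll` is just an attribute string here. Tightening the wording would also remove the typos (`Fow now`, `didn't take`) and the unclear closing sentence (`we can recover this rule`): `// All test cases use user32.dll as the example library. At run time it is a KnownDLL, which the loader resolves regardless of search-path configuration; this rule does not model KnownDLLs yet. The analyzer only inspects the attribute argument, so the library name does not affect these tests.` If the intent of the last sentence is that the rule may later be extended to account for KnownDLLs, saying so directly is clearer than "recover".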
From: LingxiaChen
Date: Thu, 18 Jul 2019 12:44:47 +0800
Subject: [PATCH 07/16] Remove the dll extension limitaion.
---
 .../SystemSecurityCryptographyResources.resx | 2 +-
 ...UseDefaultDllImportSearchPathsAttribute.cs | 5 +-
 ...SystemSecurityCryptographyResources.cs.xlf | 4 +-
 ...SystemSecurityCryptographyResources.de.xlf | 4 +-
 ...SystemSecurityCryptographyResources.es.xlf | 4 +-
 ...SystemSecurityCryptographyResources.fr.xlf | 4 +-
 ...SystemSecurityCryptographyResources.it.xlf | 4 +-
 ...SystemSecurityCryptographyResources.ja.xlf | 4 +-
 ...SystemSecurityCryptographyResources.ko.xlf | 4 +-
 ...SystemSecurityCryptographyResources.pl.xlf | 4 +-
 ...temSecurityCryptographyResources.pt-BR.xlf | 4 +-
 ...SystemSecurityCryptographyResources.ru.xlf | 4 +-
 ...SystemSecurityCryptographyResources.tr.xlf | 4 +-
 ...mSecurityCryptographyResources.zh-Hans.xlf | 4 +-
 ...mSecurityCryptographyResources.zh-Hant.xlf | 4 +-
 ...faultDllImportSearchPathsAttributeTests.cs | 51 ++++++++++++++++---
 16 files changed, 71 insertions(+), 39 deletions(-)
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx
index 5399ca8c30..0d2234b4d2 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx
@@ -400,7 +400,7 @@ Use DefaultDllImportSearchPaths Attribute For P/Invokes - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs index 734d67e2b7..5ac5139237 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs @@ -88,10 +88,7 @@ public override void Initialize(AnalysisContext context) return; } - var dllPath = constructorArguments[0].Value.ToString(); - - if ((Path.IsPathRooted(dllPath) && - dllPath.EndsWith(".dll", StringComparison.Ordinal)) || + if ((Path.IsPathRooted(constructorArguments[0].Value.ToString())) || (!hasDefaultDllImportSearchPathsAttribute && defaultDllImportSearchPathsAttribute == null)) { diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf index 39d16d3489..59a0a9b59a 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf 
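Review bot: `Path.IsPathRooted(constructorArguments[0].Value.ToString())` answers for the build host, not the target platform: a `C:\Windows\System32\user32.dll` argument is rooted when the analyzer runs on Windows, but on a Linux or macOS build agent only a leading `/` counts, so the same source gets a different verdict depending on where it is compiled, and the `Test_DllInUpperCase_Diagnostic` and `Test_WithoutDllExtension_Diagnostic` cases added later in this commit inherit that dependence. A host-independent classification of the string (a leading `/` or `\`, or a drive-letter prefix such as `X:\`) would keep the rule deterministic; the later `@@ -88,9 +88,9 @@` hunk in this series keeps the same call and has the same issue. If a `null` attribute argument can reach the analyzer (analyzers also run on compilations with errors), `Value` is null and `.ToString()` throws inside the callback, so `constructorArguments[0].Value as string` followed by a null check is the safer form. The enclosing callback registered in Initialize continues outside the hunk.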
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf index 5f56e3c536..5e58458c7c 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf index 0f88d28927..4e56a5bebc 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf index b69a88e749..ce26055af2 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf index f3e1238272..b17e8afdd2 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf index 54d4875496..a3178c541b 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf index 5653602760..e15e57ee1a 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf index 38923f2ac5..592ccdc023 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pl.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf index e145b06755..dfbbf15a3b 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.pt-BR.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf index 61f83a3cbc..1a8fe133b8 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ru.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf index c6011bd88c..29a32bc9ba 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.tr.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf index 860d933a02..c10fc4882e 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hans.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf index 0fb1e83e8d..29be32b4be 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.zh-Hant.xlf 
@@ -403,8 +403,8 @@ - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. - By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to dll hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. + By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs index 76c475e7df..8e333a7bf6 100644 --- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs 
@@ -13,13 +13,7 @@ namespace Microsoft.NetCore.Analyzers.Security.UnitTests
 // If it is needed in the future, we can recover this rule.
 public class UseDefaultDllImportSearchPathsAttributeTests : DiagnosticAnalyzerTestBase
 {
- // It will try to retrieve the MessageBox from user32.dll, which will be searched in a default order:
- // 1. The directory from which the application is loaded.
- // 2. The current directory.
- // 3. The system directory, usually C:\\Windows\\System32\\ (The GetSystemDirectory function is called to obtain this directory.).
- // 4. The 16-bit system directory – There is no dedicated function to retrieve the path of this directory, but it is searched as well.
- // 5. The Windows directory. The GetWindowsDirectory function is called to obtain this directory.
- // 6. The directories that are listed in the PATH environment variable
+ // It will try to retrieve the MessageBox from user32.dll, which will be searched in a default order.
 [Fact]
 public void Test_DllImportAttribute_Diagnostic()
 {
@@ -41,7 +35,6 @@ public void TestMethod()
 }
 
 // [DllImport] is set with an absolute path, which will let the [DefaultDllImportSearchPaths] be ignored.
- // So user32.dll will also be searched in the default order.
 [Fact]
 public void Test_DllImportAttributeWithAbsolutePath_Diagnostic()
 {
@@ -55,6 +48,48 @@ class TestClass
 [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
 public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
 
+ public void TestMethod()
+ {
+ MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
+ }
+}",
+ GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
+ }
+
+ [Fact]
+ public void Test_DllInUpperCase_Diagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ [DllImport(""C:\\\\Windows\\System32\\user32.DLL"")]
+ [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
+ }
+}",
+ GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
+ }
+
+ [Fact]
+ public void Test_WithoutDllExtension_Diagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ [DllImport(""C:\\\\Windows\\System32\\user32"")]
+ [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
 public void TestMethod()
 {
 MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
From 03a415180abfeec3060b37d0155694364471cbb6 Mon Sep 17 00:00:00 2001
From: LingxiaChen
Date: Thu, 18 Jul 2019 14:33:48 +0800
Subject: [PATCH 08/16] Add a test case using nonexistent absolute path.
---
 ...faultDllImportSearchPathsAttributeTests.cs | 27 ++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
index 8e333a7bf6..3f87321d49 100644
--- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
@@ -44,7 +44,7 @@ public void Test_DllImportAttributeWithAbsolutePath_Diagnostic()
 
 class TestClass
 {
- [DllImport(""C:\\\\Windows\\System32\\user32.dll"")]
+ [DllImport(""C:\\Windows\\System32\\user32.dll"")]
 [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
 public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
 
@@ -65,7 +65,7 @@ public void Test_DllInUpperCase_Diagnostic()
 
 class TestClass
 {
- [DllImport(""C:\\\\Windows\\System32\\user32.DLL"")]
+ [DllImport(""C:\\Windows\\System32\\user32.DLL"")]
 [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
 public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
 
@@ -86,7 +86,28 @@ public void Test_WithoutDllExtension_Diagnostic()
 
 class TestClass
 {
- [DllImport(""C:\\\\Windows\\System32\\user32"")]
+ [DllImport(""C:\\Windows\\System32\\user32"")]
+ [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
+ }
+}",
+ GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
+ }
+
+ [Fact]
+ public void Test_UsingNonexistentAbsolutePath_Diagnostic()
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ [DllImport(""C:\\Nonexistent\\user32.DLL"")]
 [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
 public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
 
From 4eb57f0f55a42d18ec3bd06e94c5793f99b16aef Mon Sep 17 00:00:00 2001
From: LingxiaChen
Date: Mon, 22 Jul 2019 13:32:04 +0800
Subject: [PATCH 09/16] Mark cases using absolute path to import dll as NoDiagnostic.
---
 ...UseDefaultDllImportSearchPathsAttribute.cs | 6 +-
 ...faultDllImportSearchPathsAttributeTests.cs | 66 +++++++++----------
 2 files changed, 34 insertions(+), 38 deletions(-)
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs
index 5ac5139237..d429d9cd52 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs
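Review bot: `Test_UsingNonexistentAbsolutePath_Diagnostic` exercises the same branch as the upper-case and no-extension cases, because the analyzer only classifies the attribute string with `Path.IsPathRooted` and never touches the file system, so whether `C:\Nonexistent\user32.DLL` exists cannot change the verdict; the name invites a reader to assume otherwise. A comment on the test would make the intent explicit: `// The analyzer only inspects the path string; whether the file exists is irrelevant to the result.` The `\\\\` to `\\` corrections earlier in the hunk look right. The new test's body continues outside the hunk.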
@@ -88,9 +88,9 @@ public override void Initialize(AnalysisContext context)
 return;
 }
 
- if ((Path.IsPathRooted(constructorArguments[0].Value.ToString())) ||
- (!hasDefaultDllImportSearchPathsAttribute &&
- defaultDllImportSearchPathsAttribute == null))
+ if (!Path.IsPathRooted(constructorArguments[0].Value.ToString()) &&
+ !hasDefaultDllImportSearchPathsAttribute &&
+ defaultDllImportSearchPathsAttribute == null)
 {
 symbolAnalysisContext.ReportDiagnostic(
 symbol.CreateDiagnostic(
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
index 3f87321d49..13b0ab18c9 100644
--- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
@@ -34,9 +34,8 @@ public void TestMethod()
 GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox"));
 }
 
- // [DllImport] is set with an absolute path, which will let the [DefaultDllImportSearchPaths] be ignored.
 [Fact]
- public void Test_DllImportAttributeWithAbsolutePath_Diagnostic()
+ public void Test_DllInUpperCase_Diagnostic()
 {
 VerifyCSharp(@"
 using System;
@@ -44,8 +43,7 @@ public void Test_DllImportAttributeWithAbsolutePath_Diagnostic()
 
 class TestClass
 {
- [DllImport(""C:\\Windows\\System32\\user32.dll"")]
- [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
+ [DllImport(""user32.DLL"")]
 public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
 
 public void TestMethod()
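Review bot: Inverting the condition makes any rooted library path suppress the diagnostic, but the test hunks of this commit (here and at `@@ -86,20 +84,18 @@`) turn the absolute-path cases into relative-path or unrelated tests instead of re-asserting them as NoDiagnostic, so the new suppression branch has no test in the hunks visible here; a `Test_DllImportWithAbsolutePath_NoDiagnostic` case would pin it. The remaining guard `!hasDefaultDllImportSearchPathsAttribute && defaultDllImportSearchPathsAttribute == null` only checks that an attribute is present: `[DefaultDllImportSearchPaths(DllImportSearchPath.LegacyBehavior)]` reinstates the default probing the rule describes yet still silences the rule, so the argument value deserves inspection. A rooted path is also only as trustworthy as the ACL on that directory, which static analysis cannot see; a comment above the `if` recording both assumptions would help the next maintainer, e.g. `// A rooted path is trusted as-is and any DefaultDllImportSearchPaths value is accepted; neither the directory's permissions nor the flag value is examined.` The enclosing callback in Initialize continues outside the hunk.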
@@ -53,11 +51,11 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); } [Fact] - public void Test_DllInUpperCase_Diagnostic() + public void Test_WithoutDllExtension_Diagnostic() { VerifyCSharp(@" using System; @@ -65,8 +63,7 @@ public void Test_DllInUpperCase_Diagnostic() class TestClass { - [DllImport(""C:\\Windows\\System32\\user32.DLL"")] - [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] + [DllImport(""user32"")] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() @@ -74,11 +71,12 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); } + // It will have a compiler warning and recommend to use [DllImport]. So, there's no need to flag a diagnostic for this case. [Fact] - public void Test_WithoutDllExtension_Diagnostic() + public void Test_NoAttribute_NoDiagnostic() { VerifyCSharp(@" using System; 
@@ -86,20 +84,18 @@ public void Test_WithoutDllExtension_Diagnostic() class TestClass { - [DllImport(""C:\\Windows\\System32\\user32"")] - [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() { MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } -}", - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); +}"); } + // user32.dll will be searched in UserDirectories, which is specified by DllImportSearchPath and is good. [Fact] - public void Test_UsingNonexistentAbsolutePath_Diagnostic() + public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic() { VerifyCSharp(@" using System; @@ -107,7 +103,7 @@ public void Test_UsingNonexistentAbsolutePath_Diagnostic() class TestClass { - [DllImport(""C:\\Nonexistent\\user32.DLL"")] + [DllImport(""user32.dll"")] [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); 
@@ -115,20 +111,23 @@ public void TestMethod() { MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } -}", - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); +}"); } - // It will have a compiler warning and recommend to use [DllImport]. So, there's no need to flag a diagnostic for this case. + // In this case, [DefaultDllImportSearchPaths] is applied to the assembly. + // So, this attribute specifies the paths that are used by default to search for any DLL that provides a function for a platform invoke, in any code in the assembly. [Fact] - public void Test_NoAttribute_NoDiagnostic() + public void Test_DllImportAndAssemblyDefaultDllImportSearchPathsAttributes_NoDiagnostic() { VerifyCSharp(@" using System; using System.Runtime.InteropServices; +[assembly:DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] + class TestClass { + [DllImport(""user32.dll"")] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() @@ -138,9 +137,9 @@ public void TestMethod() }"); } - // user32.dll will be searched in UserDirectories, which is specified by DllImportSearchPath and is good. + // It will have a compiler warning and recommend to use [DllImport] also. [Fact] - public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic() + public void Test_DefaultDllImportSearchPaths_NoDiagnostic() { VerifyCSharp(@" using System; 
@@ -148,21 +147,18 @@ public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic( class TestClass { - [DllImport(""user32.dll"")] [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() { - MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }"); } - // In this case, [DefaultDllImportSearchPaths] is applied to the assembly. - // So, this attribute specifies the paths that are used by default to search for any DLL that provides a function for a platform invoke, in any code in the assembly. + // It will have a compiler warning and recommend to use [DllImport] also. [Fact] - public void Test_DllImportAndAssemblyDefaultDllImportSearchPathsAttributes_NoDiagnostic() + public void Test_AssemblyDefaultDllImportSearchPaths_NoDiagnostic() { VerifyCSharp(@" using System; @@ -172,19 +168,17 @@ public void Test_DllImportAndAssemblyDefaultDllImportSearchPathsAttributes_NoDia class TestClass { - [DllImport(""user32.dll"")] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() { - MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }"); } - // It will have a compiler warning and recommend to use [DllImport] also. + // [DllImport] is set with an absolute path, which will let the [DefaultDllImportSearchPaths] be ignored. [Fact] - public void Test_DefaultDllImportSearchPaths_NoDiagnostic() + public void Test_DllImportAttributeWithAbsolutePath_NoDiagnostic() { VerifyCSharp(@" using System; 
@@ -192,31 +186,33 @@ public void Test_DefaultDllImportSearchPaths_NoDiagnostic() class TestClass { + [DllImport(""C:\\Windows\\System32\\user32.dll"")] [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }"); } - // It will have a compiler warning and recommend to use [DllImport] also. [Fact] - public void Test_AssemblyDefaultDllImportSearchPaths_NoDiagnostic() + public void Test_UsingNonexistentAbsolutePath_NoDiagnostic() { VerifyCSharp(@" using System; using System.Runtime.InteropServices; -[assembly:DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] - class TestClass { + [DllImport(""C:\\Nonexistent\\user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }"); } From 67a066e46a97681610e5f69b2bc26ca785ce305b Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Mon, 22 Jul 2019 13:35:42 +0800 Subject: [PATCH 10/16] Add a test case. --- ...faultDllImportSearchPathsAttributeTests.cs | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs index 13b0ab18c9..916501f108 100644 --- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs 
@@ -178,7 +178,7 @@ public void TestMethod() // [DllImport] is set with an absolute path, which will let the [DefaultDllImportSearchPaths] be ignored. [Fact] - public void Test_DllImportAttributeWithAbsolutePath_NoDiagnostic() + public void Test_DllImportAttributeWithAbsolutePath_DefaultDllImportSearchPaths_NoDiagnostic() { VerifyCSharp(@" using System; @@ -190,6 +190,26 @@ class TestClass [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}"); + } + + // [DllImport] is set with an absolute path. + [Fact] + public void Test_DllImportAttributeWithAbsolutePath_NoDiagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +class TestClass +{ + [DllImport(""C:\\Windows\\System32\\user32.dll"")] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + public void TestMethod() { MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); From b66bb5415197d628ed50f161f73695388744fb2d Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Wed, 24 Jul 2019 14:26:16 +0800 Subject: [PATCH 11/16] Do not use AssemblyDirectory, LegacyBehavior, UseDllDirectoryForDependencies. --- docs/Analyzer Configuration.md | 9 ++ ...UseDefaultDllImportSearchPathsAttribute.cs | 50 +++++-- ...faultDllImportSearchPathsAttributeTests.cs | 130 ++++++++++++++++++ .../Options/EditorConfigOptionNames.cs | 6 + 4 files changed, 182 insertions(+), 13 deletions(-) diff --git a/docs/Analyzer Configuration.md b/docs/Analyzer Configuration.md index 442184d588..5a1d3d0377 100644 --- a/docs/Analyzer Configuration.md +++ b/docs/Analyzer Configuration.md 
@@ -285,3 +285,12 @@ Option Values: integral values Default Value: Specific to each configurable rule ('100000' by default for most rules) Example: `dotnet_net_core.CA5387.sufficient_IterationCount_for_weak_KDF_algorithm = 100000` + +#### Configure unsafe DllImportSearchPath values when using DefaultDllImportSearchPaths attribute +Option Name: `unsafe_DllImportSearchPath_values` + +Option Values: Enumeration values + +Default Value: Specific to each configurable rule ('258' by default for most rules) + +Example: `dotnet_net_core.CA5392.unsafe_DllImportSearchPath_values = 2 | 256` diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs index d429d9cd52..91c859a9a4 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs @@ -29,6 +29,9 @@ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer SystemSecurityCryptographyResources.ResourceManager, typeof(SystemSecurityCryptographyResources)); + private const int UnsafeBits = 2 | 256; + private const int LegacyBehavior = 0; + internal static DiagnosticDescriptor Rule = new DiagnosticDescriptor( DiagnosticId, s_Title, 
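Review bot: `UnsafeBits` and `LegacyBehavior` are bare integers with nothing saying which `DllImportSearchPath` members they stand for, and `LegacyBehavior = 0` has a property the later check depends on: being zero it never intersects `UnsafeBits`, so a `(value & UnsafeBits) == 0` test alone would accept it and it has to be compared explicitly. Suggested comments: `// DllImportSearchPath.AssemblyDirectory (2) | DllImportSearchPath.UseDllDirectoryForDependencies (256)` above `UnsafeBits`, and `// DllImportSearchPath.LegacyBehavior; zero, so it never intersects UnsafeBits and is checked separately` above `LegacyBehavior`. The class body continues outside the hunk.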
@@ -60,12 +63,14 @@ public override void Initialize(AnalysisContext context) return; } - var hasDefaultDllImportSearchPathsAttribute = false; - - if (compilation.Assembly.GetAttributes().Select(o => o.AttributeClass).Contains(defaultDllImportSearchPathsAttributeTypeSymbol)) - { - hasDefaultDllImportSearchPathsAttribute = true; - } + var cancellationToken = compilationStartAnalysisContext.CancellationToken; + var unsafeDllImportSearchPathValues = compilationStartAnalysisContext.Options.GetUnsignedIntegralOptionValue( + optionName: EditorConfigOptionNames.UnsafeDllImportSearchPathValues, + rule: Rule, + defaultValue: UnsafeBits, + cancellationToken: cancellationToken); + var defaultDllImportSearchPathsAttributeOnAssembly = compilation.Assembly.GetAttributes().FirstOrDefault(o => o.AttributeClass.Equals(defaultDllImportSearchPathsAttributeTypeSymbol)); + var dllImportSearchPathOnAssembly = defaultDllImportSearchPathsAttributeOnAssembly == null ? -1 : (int)defaultDllImportSearchPathsAttributeOnAssembly.ConstructorArguments.FirstOrDefault().Value; compilationStartAnalysisContext.RegisterSymbolAction(symbolAnalysisContext => { @@ -78,6 +83,7 @@ public override void Initialize(AnalysisContext context) var dllImportAttribute = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(dllImportAttributeTypeSymbol)); var defaultDllImportSearchPathsAttribute = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(defaultDllImportSearchPathsAttributeTypeSymbol)); + var dllImportSearchPath = defaultDllImportSearchPathsAttribute == null ? -1 : (int)defaultDllImportSearchPathsAttribute.ConstructorArguments.FirstOrDefault().Value; if (dllImportAttribute != null) { 
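Review bot: `(int)defaultDllImportSearchPathsAttributeOnAssembly.ConstructorArguments.FirstOrDefault().Value` in the first hunk (and the same shape for `dllImportSearchPath` in the second) unboxes the `Value` of a default `TypedConstant` whenever the attribute carries no constructor arguments, which erroneous but still-analyzed code can produce, and unboxing null to `int` throws from inside the analyzer; `o.AttributeClass.Equals(...)` likewise dereferences `AttributeClass`, which Roslyn leaves null for an attribute that failed to bind. A helper such as `static int ReadSearchPath(AttributeData a) => a != null && !a.ConstructorArguments.IsEmpty && a.ConstructorArguments[0].Value is int v ? v : -1;` covers both sites (the existing `(int)` cast already assumes the boxed value is the underlying int), and the predicates can become `o.AttributeClass?.Equals(defaultDllImportSearchPathsAttributeTypeSymbol) == true`. Using `int?` instead of the `-1` sentinel would also let the later comparisons read as "attribute present" rather than as a magic number. `Initialize` begins and ends outside the hunk.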
@@ -88,15 +94,33 @@ public override void Initialize(AnalysisContext context) return; } - if (!Path.IsPathRooted(constructorArguments[0].Value.ToString()) && - !hasDefaultDllImportSearchPathsAttribute && - defaultDllImportSearchPathsAttribute == null) + if (Path.IsPathRooted(constructorArguments[0].Value.ToString())) { - symbolAnalysisContext.ReportDiagnostic( - symbol.CreateDiagnostic( - Rule, - symbol.Name)); + return; } + + if (dllImportSearchPath == -1) + { + if (dllImportSearchPathOnAssembly != -1 && + dllImportSearchPathOnAssembly != LegacyBehavior && + (dllImportSearchPathOnAssembly & unsafeDllImportSearchPathValues) == 0) + { + return; + } + } + else + { + if (dllImportSearchPath != LegacyBehavior && + (dllImportSearchPath & unsafeDllImportSearchPathValues) == 0) + { + return; + } + } + + symbolAnalysisContext.ReportDiagnostic( + symbol.CreateDiagnostic( + Rule, + symbol.Name)); } }, SymbolKind.Method); }); diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs index 916501f108..5c5b113ec1 100644 --- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs 
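Review bot: The two branches after the rooted-path return apply the same three-part test to either the method-level value or the assembly-level one, and the only thing that differs is which variable is inspected, so the logic reads more clearly — and the precedence rule "method attribute overrides assembly attribute" becomes explicit — if the effective value is chosen first and tested once, as below. Separately, `Path.IsPathRooted` also returns true on Windows for a drive-relative name like `C:user32.dll`, which the loader resolves against that drive's current directory, so the early return exempts a name that is not actually absolute; whether to tighten that check is a judgement call, but it deserves a comment at the `return`. The surrounding symbol action starts and ends outside the hunk.
```csharp
// … unchanged: rooted-path early return …

// A method-level [DefaultDllImportSearchPaths] overrides the assembly-level one; -1 means "not present".
var effectiveSearchPath = dllImportSearchPath != -1 ? dllImportSearchPath : dllImportSearchPathOnAssembly;
if (effectiveSearchPath != -1 &&
    effectiveSearchPath != LegacyBehavior &&
    (effectiveSearchPath & unsafeDllImportSearchPathValues) == 0)
{
    return;
}

// … unchanged: ReportDiagnostic call …
```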
@@ -114,6 +114,136 @@ public void TestMethod() }"); } + [Fact] + public void Test_DllImportSearchPathAssemblyDirectory_Diagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +class TestClass +{ + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}", + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + } + + [Fact] + public void Test_DllImportSearchPathLegacyBehavior_Diagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +class TestClass +{ + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.LegacyBehavior)] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}", + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + } + + [Fact] + public void Test_DllImportSearchPathUseDllDirectoryForDependencies_Diagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +class TestClass +{ + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.UseDllDirectoryForDependencies)] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}", + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + } + + [Fact] + public void Test_DllImportSearchPathAssemblyDirectory_Assembly_Diagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + 
+[assembly:DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)] + +class TestClass +{ + [DllImport(""user32.dll"")] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}", + GetCSharpResultAt(10, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + } + + [Fact] + public void Test_AssemblyDirectory_ApplicationDirectory_NoDiagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +[assembly:DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)] + +class TestClass +{ + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.ApplicationDirectory)] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}"); + } + + [Fact] + public void Test_ApplicationDirectory_AssemblyDirectory_Diagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +[assembly:DefaultDllImportSearchPaths(DllImportSearchPath.ApplicationDirectory)] + +class TestClass +{ + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}", + GetCSharpResultAt(11, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + } + // In this case, [DefaultDllImportSearchPaths] is applied to the assembly. // So, this attribute specifies the paths that are used by default to search for any DLL that provides a function for a platform invoke, in any code in the assembly. [Fact] 
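Review bot: None of the new cases combines a safe and an unsafe flag inside one attribute, e.g. `[DefaultDllImportSearchPaths(DllImportSearchPath.System32 | DllImportSearchPath.AssemblyDirectory)]`, which is exactly the input the `(value & unsafeBits) == 0` test was written for and the most plausible real-world misconfiguration; a `_Diagnostic` test with that attribute would pin it. `Test_AssemblyDirectory_ApplicationDirectory_NoDiagnostic` also encodes a policy decision — that `ApplicationDirectory` is safe — without saying so; a comment such as `// ApplicationDirectory is outside the default unsafe set, so the method-level attribute overrides the unsafe assembly-level one.` would make the expectation reviewable. The test class continues outside the hunk.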
diff --git a/src/Utilities/Compiler/Options/EditorConfigOptionNames.cs b/src/Utilities/Compiler/Options/EditorConfigOptionNames.cs index 68914cca68..e7457dd3a6 100644 --- a/src/Utilities/Compiler/Options/EditorConfigOptionNames.cs +++ b/src/Utilities/Compiler/Options/EditorConfigOptionNames.cs @@ -67,5 +67,11 @@ internal static partial class EditorConfigOptionNames /// with an optional "T:" prefix. /// public const string ExcludedTypeNamesWithDerivedTypes = "excluded_type_names_with_derived_types"; + + /// + /// Enumeration option to configure unsafe DllImportSearchPath values when using DefaultDllImportSearchPaths attribute. + /// This enumeration allows a bitwise combination of its member values. + /// + public const string UnsafeDllImportSearchPathValues = "unsafe_DllImportSearchPath_values"; } } From f62027508d8e8e508953b9d5279f5dd8c4007aed Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Thu, 25 Jul 2019 14:47:00 +0800 Subject: [PATCH 12/16] Change title using sentence casing. --- .../Core/MicrosoftNetCoreAnalyzersResources.resx | 2 +- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf | 4 ++-- .../Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf | 4 ++-- 14 files changed, 27 insertions(+), 27 deletions(-) 
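Review bot: `unsafe_DllImportSearchPath_values` is the only key in this class with upper-case letters — the sibling just above it is `excluded_type_names_with_derived_types` — and editorconfig users conventionally write keys in lower case; if the option lookup is case-sensitive (the reader is not visible from here) a lower-cased key would be silently ignored and the default applied, which for a security rule is a quiet loss of the user's intent. Either lower-case the key to match its neighbours or, once the reader's behaviour is confirmed, state the requirement in the XML doc, e.g. `/// The key is matched as written, including its upper-case letters.`. The class header is outside the hunk.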
diff --git a/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx b/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx index 3a139ff0ef..f8c14e824f 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx +++ b/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx @@ -1063,7 +1063,7 @@ Do not create tasks without passing a TaskScheduler - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf index 9c59f61cfc..aeb8418c7f 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf index 9cebbf73b5..703b638135 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf 
@@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf index ad198fbe06..0d8ae544fa 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf index 9cc06f6c55..2b5e91b436 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf index 504e459f7b..19613b3cb0 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf 
@@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf index 00f075a5c5..b3c2a736ef 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf index 3b33791cce..1f6b004c04 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf index c1eae9fca3..2c510f3d65 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf 
@@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf index 3f247ab895..c1dd143ff5 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf index 6bcf557030..96f7547b29 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf index 2604d47f5f..f50a04dd5c 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf 
@@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf index 317dea9680..00a8178e2b 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf index 98597697a9..ba576aa478 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf @@ -103,8 +103,8 @@ - Use DefaultDllImportSearchPaths Attribute For P/Invokes - Use DefaultDllImportSearchPaths Attribute For P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes + Use DefaultDllImportSearchPaths attribute for P/Invokes From 3704fb1f18eb51bac0b8afc7804739e588ed681e Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Thu, 1 Aug 2019 15:58:42 +0800 Subject: [PATCH 13/16] Add test cases for EditorConfigOption. --- ...faultDllImportSearchPathsAttributeTests.cs | 49 ++++++++++++++++++- .../Options/EditorConfigOptionNames.cs | 2 +- 2 files changed, 49 insertions(+), 2 deletions(-) 
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs index f59b4ba92b..a5d3a5c426 100644 --- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs @@ -249,7 +249,7 @@ public void TestMethod() [InlineData("")] [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 2 | 256")] [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 258")] - public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_Diagnostic(string editorConfigText) + public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_258_Diagnostic(string editorConfigText) { VerifyCSharp(@" using System; 
@@ -270,6 +270,53 @@ public void TestMethod() GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); } + [Theory] + [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 1026")] + public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_BitwiseCombination_Diagnostic(string editorConfigText) + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +class TestClass +{ + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}", + GetEditorConfigAdditionalFile(editorConfigText), + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + } + + [Theory] + [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 2 | 1024")] + [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = DllImportSearchPath.AssemblyDirectory | DllImportSearchPath.UserDirectories")] + public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_BitwiseCombination_NoDiagnostic(string editorConfigText) + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +class TestClass +{ + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}", + GetEditorConfigAdditionalFile(editorConfigText), + Array.Empty()); + } + [Theory] [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 2048")] public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_NoDiagnostic(string editorConfigText) 
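Review bot: The `_BitwiseCombination_NoDiagnostic` theory proves only that `2 | 1024` is not parsed as 1026; it cannot tell "option rejected, default 258 applied" from "option parsed as its first operand 2", because `UserDirectories` is outside the unsafe set under both readings, and the `2048` case in the following theory has the same blind spot. A case whose two readings diverge — `[InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 1024 | 2")]` with the same `UserDirectories` attribute — would distinguish them, since first-operand parsing yields a diagnostic and fallback to the default does not. A comment on the `NoDiagnostic` theory stating that the OR spelling is expected to fall back to the default, if that is the intent, would also stop a future reader from "fixing" the parser and silently changing the rule's coverage.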
diff --git a/src/Utilities/Compiler/Options/EditorConfigOptionNames.cs b/src/Utilities/Compiler/Options/EditorConfigOptionNames.cs
index 014e939b73..55b62fe664 100644
--- a/src/Utilities/Compiler/Options/EditorConfigOptionNames.cs
+++ b/src/Utilities/Compiler/Options/EditorConfigOptionNames.cs
@@ -70,7 +70,7 @@ internal static partial class EditorConfigOptionNames /// /// Enumeration option to configure unsafe DllImportSearchPath bits when using DefaultDllImportSearchPaths attribute. - /// This enumeration allows a bitwise combination of its member values. + /// Do not use the OR operator to represent the bitwise combination of its member values, use the integeral value directly. /// public const string UnsafeDllImportSearchPathBits = "unsafe_DllImportSearchPath_bits"; } From d71044c78fd0f839eaf7b209f26829212b3ed8e0 Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Thu, 1 Aug 2019 16:27:31 +0800 Subject: [PATCH 14/16] Mark DllImportSearchPath.ApplicationDirectory as a bad use. --- .../Core/Security/UseDefaultDllImportSearchPathsAttribute.cs | 5 +++-- .../Security/UseDefaultDllImportSearchPathsAttributeTests.cs | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs
index 4c67714722..c543a76401 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs
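Review bot: The new doc line misspells "integral" as "integeral": `/// Do not use the OR operator to represent the bitwise combination of its member values, use the integral value directly.` It would also help the reader to say what happens when the OR spelling is used anyway — the tests in the preceding commit suggest the option then falls back to its default, but the hunk does not show the parser, so state whichever it actually does.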
@@ -30,8 +30,9 @@ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer typeof(MicrosoftNetCoreAnalyzersResources)); // DllImportSearchPath.AssemblyDirectory = 2. - // DllImportSearchPath.UseDllDirectoryForDependencies = 256; - private const int UnsafeBits = 2 | 256; + // DllImportSearchPath.UseDllDirectoryForDependencies = 256. + // DllImportSearchPath.ApplicationDirectory = 512. + private const int UnsafeBits = 2 | 256 | 512; private const int LegacyBehavior = 0; internal static DiagnosticDescriptor Rule = new DiagnosticDescriptor( diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs index a5d3a5c426..e65f909464 100644 --- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs @@ -201,7 +201,7 @@ public void TestMethod() } [Fact] - public void Test_AssemblyDirectory_ApplicationDirectory_NoDiagnostic() + public void Test_AssemblyDirectory_ApplicationDirectory_Diagnostic() { VerifyCSharp(@" using System; @@ -219,7 +219,8 @@ public void TestMethod() { MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } -}"); +}", + GetCSharpResultAt(11, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); } [Fact] From b61330e4d6f49935e61b2512c4c7ff4a019aaf2e Mon Sep 17 00:00:00 2001 
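Review bot: `UnsafeBits` now encodes three enum members as magic numbers whose meaning lives in comments that must be kept in sync by hand; once `System.Runtime.InteropServices` is in scope (the following patch adds that using) the same constant can be written as `private const int UnsafeBits = (int)(DllImportSearchPath.AssemblyDirectory | DllImportSearchPath.UseDllDirectoryForDependencies | DllImportSearchPath.ApplicationDirectory);`. The documented default in docs/Analyzer Configuration.md, still "'258', which is AssemblyDirectory | UseDllDirectoryForDependencies" in the context lines of the later docs hunk, no longer matches the new default of 770 and should be updated with this change.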
From: LingxiaChen Date: Fri, 2 Aug 2019 14:58:24 +0800 Subject: [PATCH 15/16] Add another rule for using unsafe DllImportSearchPath value. --- docs/Analyzer Configuration.md | 2 +- .../MicrosoftNetCoreAnalyzersResources.resx | 9 ++ ...UseDefaultDllImportSearchPathsAttribute.cs | 81 +++++++++-------- .../MicrosoftNetCoreAnalyzersResources.cs.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.de.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.es.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.fr.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.it.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.ja.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.ko.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.pl.xlf | 15 ++++ ...crosoftNetCoreAnalyzersResources.pt-BR.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.ru.xlf | 15 ++++ .../MicrosoftNetCoreAnalyzersResources.tr.xlf | 15 ++++ ...osoftNetCoreAnalyzersResources.zh-Hans.xlf | 15 ++++ ...osoftNetCoreAnalyzersResources.zh-Hant.xlf | 15 ++++ ...faultDllImportSearchPathsAttributeTests.cs | 88 ++++++++++++++----- 17 files changed, 316 insertions(+), 59 deletions(-) diff --git a/docs/Analyzer Configuration.md b/docs/Analyzer Configuration.md index 6349e9110a..43bdcd5197 100644 --- a/docs/Analyzer Configuration.md +++ b/docs/Analyzer Configuration.md @@ -297,4 +297,4 @@ Option Values: Integer values of System.Runtime.InteropServices.DllImportSearchP Default Value: Specific to each configurable rule ('258', which is AssemblyDirectory | UseDllDirectoryForDependencies, by default for most rules) -Example: `dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 2 | 256` +Example: `dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 258` diff --git a/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx b/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx index 3c6ae98d8e..f2b88a83bb 100644 
--- a/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx +++ b/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx @@ -1083,4 +1083,13 @@ The method {0} didn't use DefaultDllImportSearchPaths attribute for P/Invokes. + + Do not use unsafe DllImportSearchPath value + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + Use unsafe DllImportSearchPath value {0} + \ No newline at end of file diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs index c543a76401..6bf116a940 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs 
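Review bot: The new user-facing strings have grammar and spelling defects: "There could be malicious DLL under ..." and "Use an DllImportSearchPath value that sepecifies explicit search path instead". Suggested description: `There could be a malicious DLL in the application directory or in the default DLL search directories. Use a DllImportSearchPath value that specifies an explicit search path instead.` The message `Use unsafe DllImportSearchPath value {0}` reads like an instruction; `Uses the unsafe DllImportSearchPath value {0}` states the finding, and since {0} can be a comma-separated list (see the "AssemblyDirectory, ApplicationDirectory" expectation in the tests) the wording should tolerate more than one value. The xlf files later in this patch copy the same source text and will need regenerating after the fix.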
@@ -1,33 +1,38 @@ // Copyright (c) Microsoft. All Rights Reserved. Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. -using System; using System.Collections.Immutable; using System.IO; using System.Linq; +using System.Runtime.InteropServices; using Analyzer.Utilities; using Analyzer.Utilities.Extensions; using Microsoft.CodeAnalysis; using Microsoft.CodeAnalysis.Diagnostics; using Microsoft.CodeAnalysis.FlowAnalysis.DataFlow; +using Microsoft.NetCore.Analyzers.Security.Helpers; namespace Microsoft.NetCore.Analyzers.Security { [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)] public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer { - internal const string DiagnosticId = "CA5392"; - private static readonly LocalizableString s_Title = new LocalizableResourceString( + internal static DiagnosticDescriptor UseDefaultDllImportSearchPathsAttributeRule = SecurityHelpers.CreateDiagnosticDescriptor( + "CA5392", + typeof(MicrosoftNetCoreAnalyzersResources), nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttribute), - MicrosoftNetCoreAnalyzersResources.ResourceManager, - typeof(MicrosoftNetCoreAnalyzersResources)); - private static readonly LocalizableString s_Message = new LocalizableResourceString( nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttributeMessage), - MicrosoftNetCoreAnalyzersResources.ResourceManager, - typeof(MicrosoftNetCoreAnalyzersResources)); - private static readonly LocalizableString s_Description = new LocalizableResourceString( - nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttributeDescription), - MicrosoftNetCoreAnalyzersResources.ResourceManager, - typeof(MicrosoftNetCoreAnalyzersResources)); + DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX, + helpLinkUri: null, + descriptionResourceStringName: 
nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttributeDescription), + customTags: WellKnownDiagnosticTags.Telemetry); + internal static DiagnosticDescriptor DoNotUseUnsafeDllImportSearchPathRule = SecurityHelpers.CreateDiagnosticDescriptor( + "CA5393", + nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPath), + nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPathMessage), + DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX, + helpLinkUri: null, + descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPathDescription), + customTags: WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry); // DllImportSearchPath.AssemblyDirectory = 2. // DllImportSearchPath.UseDllDirectoryForDependencies = 256. @@ -35,18 +40,9 @@ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer private const int UnsafeBits = 2 | 256 | 512; private const int LegacyBehavior = 0; - internal static DiagnosticDescriptor Rule = new DiagnosticDescriptor( - DiagnosticId, - s_Title, - s_Message, - DiagnosticCategory.Security, - DiagnosticHelpers.DefaultDiagnosticSeverity, - isEnabledByDefault: DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX, - description: s_Description, - helpLinkUri: null, - customTags: WellKnownDiagnosticTags.Telemetry); - - public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); + public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( + UseDefaultDllImportSearchPathsAttributeRule, + DoNotUseUnsafeDllImportSearchPathRule); public override void Initialize(AnalysisContext context) { 
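Review bot: The two descriptors carry different custom tags: CA5392 keeps `WellKnownDiagnosticTags.Telemetry` while the new CA5393 gets `WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry`, although both diagnostics are produced by the same attribute-inspecting symbol action further down in this file and no flow analysis is involved. If the Dataflow tag marks rules backed by flow analysis, CA5393 should use `customTags: WellKnownDiagnosticTags.Telemetry` like its sibling; if the difference is intentional, a comment saying why would help the next reader. Both descriptor fields are `internal static` without `readonly`; `internal static readonly DiagnosticDescriptor ...` would prevent accidental reassignment. The class continues beyond this hunk.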
@@ -69,11 +65,10 @@ public override void Initialize(AnalysisContext context) var cancellationToken = compilationStartAnalysisContext.CancellationToken; var unsafeDllImportSearchPathBits = compilationStartAnalysisContext.Options.GetUnsignedIntegralOptionValue( optionName: EditorConfigOptionNames.UnsafeDllImportSearchPathBits, - rule: Rule, + rule: DoNotUseUnsafeDllImportSearchPathRule, defaultValue: UnsafeBits, cancellationToken: cancellationToken); var defaultDllImportSearchPathsAttributeOnAssembly = compilation.Assembly.GetAttributes().FirstOrDefault(o => o.AttributeClass.Equals(defaultDllImportSearchPathsAttributeTypeSymbol)); - var dllImportSearchPathOnAssembly = defaultDllImportSearchPathsAttributeOnAssembly == null ? -1 : (int)defaultDllImportSearchPathsAttributeOnAssembly.ConstructorArguments.FirstOrDefault().Value; compilationStartAnalysisContext.RegisterSymbolAction(symbolAnalysisContext => { @@ -86,7 +81,6 @@ public override void Initialize(AnalysisContext context) var dllImportAttribute = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(dllImportAttributeTypeSymbol)); var defaultDllImportSearchPathsAttribute = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(defaultDllImportSearchPathsAttributeTypeSymbol)); - var dllImportSearchPath = defaultDllImportSearchPathsAttribute == null ? -1 : (int)defaultDllImportSearchPathsAttribute.ConstructorArguments.FirstOrDefault().Value; if (dllImportAttribute != null) { 
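Review bot: Reading `UnsafeDllImportSearchPathBits` under `rule: DoNotUseUnsafeDllImportSearchPathRule` appears to move the editorconfig key from `dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits` to the CA5393 form (the test updates later in this patch switch to the CA5393 key), yet the docs example changed in this same patch still reads `dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 258`. Update the example to `dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 770` together with the documented default, and mention the key change in the commit message, since existing user configuration under the old key silently stops applying. `Initialize` starts and ends outside this hunk.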
@@ -102,28 +96,45 @@ public override void Initialize(AnalysisContext context) return; } - if (dllImportSearchPath == -1) + var rule = UseDefaultDllImportSearchPathsAttributeRule; + var ruleArgument = symbol.Name; + + if (defaultDllImportSearchPathsAttribute == null) { - if (dllImportSearchPathOnAssembly != -1 && - dllImportSearchPathOnAssembly != LegacyBehavior && - (dllImportSearchPathOnAssembly & unsafeDllImportSearchPathBits) == 0) + if (defaultDllImportSearchPathsAttributeOnAssembly != null) { - return; + var dllImportSearchPathOnAssembly = (int)defaultDllImportSearchPathsAttributeOnAssembly.ConstructorArguments.FirstOrDefault().Value; + var validBits = dllImportSearchPathOnAssembly & unsafeDllImportSearchPathBits; + + if (dllImportSearchPathOnAssembly != LegacyBehavior && + validBits == 0) + { + return; + } + + rule = DoNotUseUnsafeDllImportSearchPathRule; + ruleArgument = ((DllImportSearchPath)validBits).ToString(); } } else { + var dllImportSearchPath = (int)defaultDllImportSearchPathsAttribute.ConstructorArguments.FirstOrDefault().Value; + var validBits = dllImportSearchPath & unsafeDllImportSearchPathBits; + if (dllImportSearchPath != LegacyBehavior && - (dllImportSearchPath & unsafeDllImportSearchPathBits) == 0) + validBits == 0) { return; } + + rule = DoNotUseUnsafeDllImportSearchPathRule; + ruleArgument = ((DllImportSearchPath)validBits).ToString(); } symbolAnalysisContext.ReportDiagnostic( symbol.CreateDiagnostic( - Rule, - symbol.Name)); + rule, + ruleArgument)); } }, SymbolKind.Method); }); diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf index ee2a594373..cd5eae1db7 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf 
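Review bot: The assembly-level and method-level branches repeat the same steps (cast the first constructor argument, mask with the option bits, early-return, select CA5393 and format the argument) and differ only in which attribute they read; since the method-level attribute takes precedence, picking the attribute first with `??` removes the duplication, and `validBits` is a misleading name for a value that holds the unsafe bits actually in use. `ConstructorArguments.FirstOrDefault().Value` is null when the attribute carries no argument (possible in code with errors), so the `(int)` unboxing on both new lines would throw inside the analyzer; a pattern check such as `is int` before using the value is worth considering. Rewritten as below; the enclosing lambda and `Initialize` continue outside this hunk.
```csharp
var rule = UseDefaultDllImportSearchPathsAttributeRule;
var ruleArgument = symbol.Name;

// A method-level attribute overrides the assembly-level one; with neither present CA5392 applies.
var searchPathsAttribute = defaultDllImportSearchPathsAttribute ?? defaultDllImportSearchPathsAttributeOnAssembly;

if (searchPathsAttribute != null)
{
    var dllImportSearchPath = (int)searchPathsAttribute.ConstructorArguments.FirstOrDefault().Value;
    var unsafeBitsInUse = dllImportSearchPath & unsafeDllImportSearchPathBits;

    if (dllImportSearchPath != LegacyBehavior && unsafeBitsInUse == 0)
    {
        return;
    }

    rule = DoNotUseUnsafeDllImportSearchPathRule;
    ruleArgument = ((DllImportSearchPath)unsafeBitsInUse).ToString();
}

// … unchanged: symbolAnalysisContext.ReportDiagnostic(symbol.CreateDiagnostic(rule, ruleArgument)) …
```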
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf index 65e17486b2..c5268692fe 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf index 1ec3db6d8a..6f294eeb58 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf index 1c2b0983e7..583036b719 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf index f5ed924266..bcbe3631cb 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf index c2ae14603d..b857702df7 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf index c0913e8df6..0756b33586 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf index 1c50093d27..2d42e4dfee 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf index fb342abede..8fcf1e55d4 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf index 4648aca453..0cbed4f1d3 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf index 0e3de2e818..3d02afe25a 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf index d8a18a4a03..6489d3b878 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf index 8681e5c32a..b9299765ba 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf 
@@ -2,6 +2,21 @@ + + Do not use unsafe DllImportSearchPath value + Do not use unsafe DllImportSearchPath value + + + + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + + + + Use unsafe DllImportSearchPath value {0} + Use unsafe DllImportSearchPath value {0} + + When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs index e65f909464..c7c3eedf57 100644 --- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs +++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs @@ -33,7 +33,7 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.UseDefaultDllImportSearchPathsAttributeRule, "MessageBox")); } [Fact] 
@@ -53,7 +53,7 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.UseDefaultDllImportSearchPathsAttributeRule, "MessageBox")); } [Fact] @@ -73,11 +73,11 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(8, 30, UseDefaultDllImportSearchPathsAttribute.UseDefaultDllImportSearchPathsAttributeRule, "MessageBox")); } [Fact] - public void Test_NoAttribute_NoDiagnostic() + public void Test_DllImportSearchPathAssemblyDirectory_Diagnostic() { VerifyCSharp(@" using System; @@ -85,18 +85,20 @@ public void Test_NoAttribute_NoDiagnostic() class TestClass { + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() { MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } -}"); +}", + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "AssemblyDirectory")); } - // user32.dll will be searched in UserDirectories, which is specified by DllImportSearchPath and is good. [Fact] - public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic() + public void Test_UnsafeDllImportSearchPathBits_BitwiseCombination_OneValueIsBad_Diagnostic() { VerifyCSharp(@" using System; 
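Review bot: Repurposing `Test_NoAttribute_NoDiagnostic` into `Test_DllImportSearchPathAssemblyDirectory_Diagnostic` (the `[DllImport]` and `[DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)]` lines are added in the next hunk) removes the only visible test that an extern method without `DllImport` is left alone; likewise `Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic` becomes `..._OneValueIsBad_Diagnostic` at the end of this section, taking with it the check that a safe `UserDirectories` value produces no diagnostic, and its explanatory comment `// user32.dll will be searched in UserDirectories, ...` is deleted along with it. Unless these cases are covered elsewhere in the file, keep both negative tests and add the new diagnostic tests beside them rather than in their place.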
@@ -105,18 +107,19 @@ public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic( class TestClass { [DllImport(""user32.dll"")] - [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] + [DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory | DllImportSearchPath.UserDirectories)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() { MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } -}"); +}", + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "AssemblyDirectory")); } [Fact] - public void Test_DllImportSearchPathAssemblyDirectory_Diagnostic() + public void Test_UnsafeDllImportSearchPathBits_BitwiseCombination_BothIsBad_Diagnostic() { VerifyCSharp(@" using System; @@ -125,7 +128,7 @@ public void Test_DllImportSearchPathAssemblyDirectory_Diagnostic() class TestClass { [DllImport(""user32.dll"")] - [DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)] + [DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory | DllImportSearchPath.ApplicationDirectory)] public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); public void TestMethod() @@ -133,7 +136,7 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "AssemblyDirectory, ApplicationDirectory")); } [Fact] @@ -154,7 +157,7 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "LegacyBehavior")); } [Fact] 
@@ -175,7 +178,7 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "UseDllDirectoryForDependencies")); } [Fact] @@ -197,7 +200,7 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(10, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(10, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "AssemblyDirectory")); } [Fact] @@ -220,7 +223,7 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(11, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(11, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "ApplicationDirectory")); } [Fact] @@ -243,13 +246,13 @@ public void TestMethod() MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); } }", - GetCSharpResultAt(11, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(11, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "AssemblyDirectory")); } [Theory] [InlineData("")] - [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 2 | 256")] - [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 258")] + [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 2 | 256 | 512")] + [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 770")] public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_258_Diagnostic(string editorConfigText) { VerifyCSharp(@" 
@@ -268,11 +271,11 @@ public void TestMethod() } }", GetEditorConfigAdditionalFile(editorConfigText), - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "AssemblyDirectory, ApplicationDirectory")); } [Theory] - [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 1026")] + [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 1026")] public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_BitwiseCombination_Diagnostic(string editorConfigText) { VerifyCSharp(@" @@ -291,7 +294,46 @@ public void TestMethod() } }", GetEditorConfigAdditionalFile(editorConfigText), - GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.Rule, "MessageBox")); + GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "UserDirectories")); + } + + [Fact] + public void Test_NoAttribute_NoDiagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +class TestClass +{ + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}"); + } + + // user32.dll will be searched in UserDirectories, which is specified by DllImportSearchPath and is good. + [Fact] + public void Test_DllImportAndDefaultDllImportSearchPathsAttributes_NoDiagnostic() + { + VerifyCSharp(@" +using System; +using System.Runtime.InteropServices; + +class TestClass +{ + [DllImport(""user32.dll"")] + [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)] + public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type); + + public void TestMethod() + { + MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0); + } +}"); } [Theory] 
@@ -319,7 +361,7 @@ public void TestMethod() } [Theory] - [InlineData("dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 2048")] + [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 2048")] public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_NoDiagnostic(string editorConfigText) { VerifyCSharp(@" From 6d53be4e07bfe91d54769fb8c38d8074e7bf9ade Mon Sep 17 00:00:00 2001 From: LingxiaChen Date: Mon, 5 Aug 2019 16:55:46 +0800 Subject: [PATCH 16/16] Address review feedback. --- docs/Analyzer Configuration.md | 4 +-- .../MicrosoftNetCoreAnalyzersResources.resx | 4 +-- ...UseDefaultDllImportSearchPathsAttribute.cs | 24 +++-------------- .../MicrosoftNetCoreAnalyzersResources.cs.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.de.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.es.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.fr.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.it.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.ja.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.ko.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.pl.xlf | 8 +++--- ...crosoftNetCoreAnalyzersResources.pt-BR.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.ru.xlf | 8 +++--- .../MicrosoftNetCoreAnalyzersResources.tr.xlf | 8 +++--- ...osoftNetCoreAnalyzersResources.zh-Hans.xlf | 8 +++--- ...osoftNetCoreAnalyzersResources.zh-Hant.xlf | 8 +++--- ...faultDllImportSearchPathsAttributeTests.cs | 27 +++++++++++++++++-- 17 files changed, 85 insertions(+), 78 deletions(-) diff --git a/docs/Analyzer Configuration.md b/docs/Analyzer Configuration.md index 43bdcd5197..1f787afad2 100644 --- a/docs/Analyzer Configuration.md +++ b/docs/Analyzer Configuration.md 
@@ -295,6 +295,6 @@ Option Name: `unsafe_DllImportSearchPath_bits` Option Values: Integer values of System.Runtime.InteropServices.DllImportSearchPath -Default Value: Specific to each configurable rule ('258', which is AssemblyDirectory | UseDllDirectoryForDependencies, by default for most rules) +Default Value: Specific to each configurable rule ('770', which is AssemblyDirectory | UseDllDirectoryForDependencies | ApplicationDirectory, by default for most rules) -Example: `dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 258` +Example: `dotnet_code_quality.CA5392.unsafe_DllImportSearchPath_bits = 770` diff --git a/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx b/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx index f2b88a83bb..ec27e90fed 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx +++ b/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx @@ -1087,9 +1087,9 @@ Do not use unsafe DllImportSearchPath value - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} \ No newline at end of file diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs index 6bf116a940..82af9e3d18 100644 
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs +++ b/src/Microsoft.NetCore.Analyzers/Core/Security/UseDefaultDllImportSearchPathsAttribute.cs @@ -32,7 +32,7 @@ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX, helpLinkUri: null, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPathDescription), - customTags: WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry); + customTags: WellKnownDiagnosticTags.Telemetry); // DllImportSearchPath.AssemblyDirectory = 2. // DllImportSearchPath.UseDllDirectoryForDependencies = 256. @@ -98,27 +98,11 @@ public override void Initialize(AnalysisContext context) var rule = UseDefaultDllImportSearchPathsAttributeRule; var ruleArgument = symbol.Name; + var validatedDefaultDllImportSearchPathsAttribute = defaultDllImportSearchPathsAttribute ?? defaultDllImportSearchPathsAttributeOnAssembly; - if (defaultDllImportSearchPathsAttribute == null) - { - if (defaultDllImportSearchPathsAttributeOnAssembly != null) - { - var dllImportSearchPathOnAssembly = (int)defaultDllImportSearchPathsAttributeOnAssembly.ConstructorArguments.FirstOrDefault().Value; - var validBits = dllImportSearchPathOnAssembly & unsafeDllImportSearchPathBits; - - if (dllImportSearchPathOnAssembly != LegacyBehavior && - validBits == 0) - { - return; - } - - rule = DoNotUseUnsafeDllImportSearchPathRule; - ruleArgument = ((DllImportSearchPath)validBits).ToString(); - } - } - else + if (validatedDefaultDllImportSearchPathsAttribute != null) { - var dllImportSearchPath = (int)defaultDllImportSearchPathsAttribute.ConstructorArguments.FirstOrDefault().Value; + var dllImportSearchPath = (int)validatedDefaultDllImportSearchPathsAttribute.ConstructorArguments.FirstOrDefault().Value; var validBits = dllImportSearchPath & unsafeDllImportSearchPathBits; if (dllImportSearchPath != LegacyBehavior && 
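Review bot: The cast `(int)validatedDefaultDllImportSearchPathsAttribute.ConstructorArguments.FirstOrDefault().Value` in the merged branch throws a NullReferenceException when the attribute carries no bound constructor argument — `FirstOrDefault()` on an empty `ConstructorArguments` yields a default `TypedConstant` whose `Value` is null, and unboxing null throws; analyzers also run on code that does not compile, so `[DefaultDllImportSearchPaths]` with a missing or erroneous argument is reachable. The pre-refactor code had the same cast in both branches, so this is not a regression, but collapsing the two paths into one is the natural place to guard it once: `if (!(validatedDefaultDllImportSearchPathsAttribute.ConstructorArguments.FirstOrDefault().Value is int dllImportSearchPath)) { return; }` in place of the cast (whether to bail out or still report the attribute-missing rule in that case is a judgment call). The `??` order prefers the method-level attribute over the assembly-level one, which is the documented override order; a one-line comment would make that intent explicit, e.g. `// A method-level attribute overrides the assembly-level one.` Separately, the `unsafeDllImportSearchPathBits` option consumed here is configured under `CA5393` in the tests while the docs example in this same patch still cites `CA5392` — worth confirming which rule ID the option is keyed on. The enclosing analysis callback starts before this hunk and the `if` condition continues past its last line.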
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf index cd5eae1db7..3d595064ec 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf @@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf index c5268692fe..a60574b38d 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf 
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf @@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf index 6f294eeb58..dab6193bac 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf index 583036b719..8687768a1b 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf index bcbe3631cb..36aa52d99b 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf index b857702df7..35199bb824 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf index 0756b33586..329c5c6e62 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf index 2d42e4dfee..a047ced667 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf index 8fcf1e55d4..b1823973c9 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf index 0cbed4f1d3..9b7e072cb5 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf index 3d02afe25a..8024ee8e10 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf index 6489d3b878..3028e2dcaa 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf 
@@ -8,13 +8,13 @@ - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead - There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. + There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. - Use unsafe DllImportSearchPath value {0} - Use unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} + Use of unsafe DllImportSearchPath value {0} diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf index b9299765ba..777767833d 100644 --- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf +++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf 
@@ -8,13 +8,13 @@
- There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead
- There could be malicious DLL under the application directory or the default DLL search directories. Use an DllImportSearchPath value that sepecifies explicit search path instead
+ There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig.
+ There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig.
- Use unsafe DllImportSearchPath value {0}
- Use unsafe DllImportSearchPath value {0}
+ Use of unsafe DllImportSearchPath value {0}
+ Use of unsafe DllImportSearchPath value {0}
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
index c7c3eedf57..b9602443ee 100644
--- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/UseDefaultDllImportSearchPathsAttributeTests.cs
@@ -253,7 +253,7 @@ public void TestMethod()
 [InlineData("")]
 [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 2 | 256 | 512")]
 [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 770")]
- public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_258_Diagnostic(string editorConfigText)
+ public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_DefaultValue_Diagnostic(string editorConfigText)
 {
 VerifyCSharp(@"
 using System;
@@ -274,6 +274,29 @@ public void TestMethod()
 GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "AssemblyDirectory, ApplicationDirectory"));
 }
+ [Theory]
+ [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 2048")]
+ public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_NonDefaultValue_Diagnostic(string editorConfigText)
+ {
+ VerifyCSharp(@"
+using System;
+using System.Runtime.InteropServices;
+
+class TestClass
+{
+ [DllImport(""user32.dll"")]
+ [DefaultDllImportSearchPaths(DllImportSearchPath.System32)]
+ public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
+
+ public void TestMethod()
+ {
+ MessageBox(new IntPtr(0), ""Hello World!"", ""Hello Dialog"", 0);
+ }
+}",
+ GetEditorConfigAdditionalFile(editorConfigText),
+ GetCSharpResultAt(9, 30, UseDefaultDllImportSearchPathsAttribute.DoNotUseUnsafeDllImportSearchPathRule, "System32"));
+ }
+
 [Theory]
 [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 1026")]
 public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_BitwiseCombination_Diagnostic(string editorConfigText)
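Review bot: The `2048` in the new `[InlineData]` of the `@@ -274,6 +274,29 @@` hunk is the numeric value of `DllImportSearchPath.System32`, but nothing in the hunk says so, and the neighbouring theories (`770`, `1026`) use the same bare-integer style, so the reader cannot tell at a glance that the configured unsafe bit and the attribute value in the snippet are meant to coincide; a trailing comment such as `[InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 2048")] // DllImportSearchPath.System32` would make the pairing explicit. Since the test's point is that an operator-configured bit set replaces the rule's built-in default, a one-line summary on the method could also state that `System32` is reported here only because the .editorconfig marks it unsafe, not because the analyzer treats it as unsafe by default. The enclosing test class starts and ends outside the hunk.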
@@ -362,7 +385,7 @@ public void TestMethod()
 [Theory]
 [InlineData("dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 2048")]
- public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_NoDiagnostic(string editorConfigText)
+ public void EditorConfigConfiguration_UnsafeDllImportSearchPathBits_NonDefaultValue_NoDiagnostic(string editorConfigText)
 {
 VerifyCSharp(@"
 using System;