.Net access restriction subverted (Reflection)
ID | csharp.accessibility_subversion
Severity | low
Resource | Access Control
Language | CSharp
Tags | CWE:284, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.8, reflection
Description
The .Net type system restricts what code in one class may touch in another: fields, methods and other members are declared with the access modifiers public, protected, private or internal, and the compiler rejects source code that reaches a member it is not allowed to see.
Reflection lets a programmer get around these checks at run time. Passing BindingFlags.NonPublic to Type.GetFields, GetField, GetMethods, GetMethod and similar members returns private, protected and internal members, which can then be read or invoked through FieldInfo.GetValue, FieldInfo.SetValue or MethodInfo.Invoke. Note that BindingFlags.NonPublic on its own returns nothing; it must be combined with BindingFlags.Instance and/or BindingFlags.Static to match any member, which is why the flag normally appears in a combination such as GetFields(BindingFlags.NonPublic | BindingFlags.Instance).
Rationale
The detector emits a finding when access restrictions are subverted through reflection with the BindingFlags.NonPublic flag set, as in the following lookup, which enumerates every field of Test regardless of its declared accessibility:

using System;
using System.Reflection;

Type t = typeof(Test);
// VULNERABLE - access restriction subverted using reflection:
// NonPublic returns private, protected and internal fields as well as public ones
FieldInfo[] fields = t.GetFields(
    BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.Static
);
Remediation
Do not subvert the access restrictions established by the author of a class. Look first for a supported route: widen the member's accessibility, or keep it internal and grant a test or companion assembly access with [assembly: InternalsVisibleTo(...)]. If private fields or methods of a type you do not control genuinely must be reached, prefer the [UnsafeAccessor] attribute (System.Runtime.CompilerServices.UnsafeAccessorAttribute, available since .Net 8) over reflection: the target member is named once, on a static extern method, so the access is declared at compile time where reviewers and analyzers can see it, instead of being hidden behind a string and a BindingFlags value. Keep in mind that access modifiers are an encapsulation mechanism, not a security boundary: any fully trusted code in the process can read private state through reflection, unsafe code or UnsafeAccessor, so a value is not protected merely because it lives in a private field.
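The following program, added here as an illustration and not part of the detector's own documentation, puts the pattern the detector flags next to the .Net 8 alternative named above. The Vault class, its _apiKey field and Rotate method, and the sample key are constructed for the example; the second half requires .Net 8 or later.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;

// Constructed example: a class that keeps a credential in a private field.
public sealed class Vault
{
    private string _apiKey = "constructed-sample-key";   // private: hidden from other classes
    private bool Rotate(string next) { _apiKey = next; return true; }
    public int KeyLength => _apiKey.Length;
}

public static class ReflectionBypass
{
    // FLAGGED - BindingFlags.NonPublic subverts the private modifier.
    // NonPublic alone matches nothing; it must be combined with Instance or Static.
    public static string ReadKey(Vault v)
    {
        FieldInfo f = typeof(Vault).GetField("_apiKey",
            BindingFlags.NonPublic | BindingFlags.Instance)!;
        return (string)f.GetValue(v)!;
    }

    // FLAGGED - a private method invoked through reflection.
    public static bool CallRotate(Vault v, string next)
    {
        MethodInfo m = typeof(Vault).GetMethod("Rotate",
            BindingFlags.NonPublic | BindingFlags.Instance)!;
        return (bool)m.Invoke(v, new object[] { next })!;
    }
}

public static class UnsafeAccessorAlternative
{
    // .Net 8+: the access is declared once, at compile time, in a place a reviewer can find.
    // The runtime binds each extern method directly to the named member; no BindingFlags.NonPublic.
    // A field accessor must return the field by reference; a method accessor takes the
    // target instance as its first parameter followed by the method's own parameters.
    [UnsafeAccessor(UnsafeAccessorKind.Field, Name = "_apiKey")]
    private static extern ref string ApiKey(Vault v);

    [UnsafeAccessor(UnsafeAccessorKind.Method, Name = "Rotate")]
    private static extern bool Rotate(Vault v, string next);

    public static string ReadKey(Vault v) => ApiKey(v);
    public static bool CallRotate(Vault v, string next) => Rotate(v, next);
}

public static class Program
{
    public static void Main()
    {
        var vault = new Vault();
        Console.WriteLine(ReflectionBypass.ReadKey(vault));
        ReflectionBypass.CallRotate(vault, "rotated-by-reflection");
        Console.WriteLine(UnsafeAccessorAlternative.ReadKey(vault));
        UnsafeAccessorAlternative.CallRotate(vault, "rotated-by-accessor");
        Console.WriteLine(vault.KeyLength);
    }
}
```

Both halves read and overwrite the same private state, which is the point of the caveat above: neither the reflection call nor the accessor is stopped by the private modifier. The difference is that the UnsafeAccessor declarations are explicit, typed and greppable, and carry no string-based member lookup, whereas the ReflectionBypass class is what the detector reports.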
References
- CWE-284: Improper Access Control.
- OWASP Top 10 2021 - A01: Broken Access Control.