CA3011 (Security) - Enabled by default: No

Review code for DLL injection vulnerabilities

Description

When working with untrusted input, be mindful of loading untrusted code. If your web application loads untrusted code, an attacker may be able to inject malicious DLLs into your process and execute malicious code.

This rule attempts to find input from an HTTP request that reaches a method that loads an assembly. This rule can't track data across assemblies. For example, if one assembly reads the HTTP request input and then passes it to another assembly that loads an assembly, this rule won't produce a warning. There is a configurable limit to how deep this rule will analyze data flow across method calls. See Analyzer Configuration for how to configure the limit in an EditorConfig file.

Cause

Potentially untrusted HTTP request input reaches a method that loads an assembly.

By default, this rule analyzes the entire codebase, but this is configurable.

How to fix violations

Don't load untrusted DLLs from user input.

Example

using System;
using System.Reflection;

public partial class WebForm : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted source: a form field from the HTTP request.
        string input = Request.Form["in"];
        // The request bytes become an assembly image...
        byte[] rawAssembly = Convert.FromBase64String(input);
        // ...and are loaded into the process: this is the flow CA3011 reports.
        Assembly.Load(rawAssembly);
    }
}
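An added example (not from the Microsoft docs) that puts the flagged pattern next to a fixed version: the request may only select a key from a fixed allow-list, so no request-derived data ever reaches Assembly.Load. The Contoso.Plugins.* assembly names and the "plugin" form field are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

public partial class PluginPage : System.Web.UI.Page
{
    // Assumed allow-list: keys are opaque tokens the client may send, values are
    // constant names of assemblies the application itself ships. The loader only
    // ever sees one of these constants, never anything derived from the request.
    private static readonly IReadOnlyDictionary<string, string> KnownPlugins =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["report"] = "Contoso.Plugins.Report",
            ["export"] = "Contoso.Plugins.Export",
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        // CA3011 pattern (kept as a comment): request bytes flow straight into the loader.
        // byte[] rawAssembly = Convert.FromBase64String(Request.Form["in"]);
        // Assembly.Load(rawAssembly);

        // Fixed: the request chooses a key; unknown keys are refused.
        Assembly plugin = LoadAllowedPlugin(Request.Form["plugin"]);
        if (plugin == null)
        {
            Response.StatusCode = 400; // bad request, nothing was loaded
            return;
        }
        // ... use the plugin assembly ...
    }

    internal static Assembly LoadAllowedPlugin(string requestedKey)
    {
        // Refuse anything not in the allow-list rather than trying to load it.
        if (requestedKey == null || !KnownPlugins.TryGetValue(requestedKey, out string assemblyName))
        {
            return null;
        }
        // assemblyName is a constant from KnownPlugins, not the request string.
        return Assembly.Load(new AssemblyName(assemblyName));
    }
}
```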

When to suppress

Don't suppress warnings from this rule.
