CA5375: Do not use account shared access signature
| Property | Value |
|---|---|
| Rule ID | CA5375 |
| Title | Do not use account shared access signature |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
Generating an account Shared Access Signature (SAS) with the GetSharedAccessSignature method under the Microsoft.WindowsAzure.Storage namespace.
Rule description
An account SAS can delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares that are not permitted with a service SAS. However, it doesn't support container-level policies and has less flexibility and control over the permissions that are granted. If possible, use a service SAS for fine grained access control. For more information, see Delegate access with a shared access signature.
How to fix violations
Use a service SAS instead of an account SAS for fine grained access control and container-level access policy.
When to suppress warnings
It is safe to suppress this rule if you're sure that the permissions of all resources are as restricted as possible.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5375
// The code that's violating the rule is on this line.
#pragma warning restore CA5375
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5375.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
At present, the following pseudo-code sample illustrates the pattern detected by this rule.
using System;
using Microsoft.WindowsAzure.Storage;
class ExampleClass
{
public void ExampleMethod(SharedAccessAccountPolicy policy)
{
CloudStorageAccount cloudStorageAccount = new CloudStorageAccount();
cloudStorageAccount.GetSharedAccessSignature(policy);
}
}
Solution
Instead of account SAS, use service SAS.
using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.File;
class ExampleClass
{
public void ExampleMethod(StorageCredentials storageCredentials, SharedAccessFilePolicy policy, SharedAccessFileHeaders headers, string groupPolicyIdentifier, IPAddressOrRange ipAddressOrRange)
{
CloudFile cloudFile = new CloudFile(storageCredentials);
SharedAccessProtocol protocols = SharedAccessProtocol.HttpsOnly;
cloudFile.GetSharedAccessSignature(policy, headers, groupPolicyIdentifier, protocols, ipAddressOrRange);
}
}
