CA2144: Transparent code should not load assemblies from byte arrays
Note
This article applies to Visual Studio 2015. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation. We recommend upgrading to the latest version of Visual Studio. Download it here
Item | Value |
---|---|
TypeName | TransparentMethodsShouldNotLoadAssembliesFromByteArrays |
CheckId | CA2144 |
Category | Microsoft.Security |
Breaking Change | Breaking |
Cause
A transparent method loads an assembly from a byte array using one of the following methods:
Rule Description
The security review for transparent code is not as thorough as the security review for critical code, because transparent code cannot perform security sensitive actions. Assemblies loaded from a byte array might not be noticed in transparent code, and that byte array might contain critical, or more importantly safe-critical code, that does need to be audited. Therefore, transparent code should not load assemblies from a byte array.
How to Fix Violations
To fix a violation of this rule, mark the method that is loading the assembly with the SecurityCriticalAttribute or the SecuritySafeCriticalAttribute attribute.
When to Suppress Warnings
Do not suppress a warning from this rule.
Example
The rule fires on the following code because a transparent method loads an assembly from a byte array.
using System;
using System.IO;
using System.Reflection;
namespace TransparencyWarningsDemo
{
public class TransparentMethodsLoadAssembliesFromByteArraysClass
{
public void TransparentMethod()
{
byte[] assemblyBytes = File.ReadAllBytes("DependentAssembly.dll");
// CA2144 violation - transparent code loading an assembly via byte array. The fix here is to
// either make TransparentMethod critical or safe-critical.
Assembly dependent = Assembly.Load(assemblyBytes);
}
}
}