CA2234: Pass System.Uri objects instead of strings

| Property | Value |
| --- | --- |
| Rule ID | CA2234 |
| Title | Pass System.Uri objects instead of strings |
| Category | Usage |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |

Cause

A call is made to a method that has a string parameter whose name contains "uri", "Uri", "urn", "Urn", "url", or "Url" and the declaring type of the method contains a corresponding method overload that has a System.Uri parameter.

By default, this rule only looks at externally visible methods and types, but this is configurable.

Rule description

A parameter name is split into tokens based on the camel casing convention, and then each token is checked to see whether it equals "uri", "Uri", "urn", "Urn", "url", or "Url". If there is a match, the parameter is assumed to represent a uniform resource identifier (URI). A string representation of a URI is prone to parsing and encoding errors, and can lead to security vulnerabilities. The Uri class provides these services in a safe and secure manner. When there is a choice between two overloads that differ only regarding the representation of a URI, the user should choose the overload that takes a Uri argument.
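To illustrate the parsing errors described above, here is an added example (not part of the original page) in which a host allow-list is checked once on the raw string and once on a parsed Uri. The Fetcher class, its IsAllowed overloads, and the sample URLs are constructed for illustration.

```csharp
using System;

// Added example: all names and sample URLs below are constructed for illustration.
static class Fetcher
{
    const string AllowedHost = "www.adventure-works.com";

    // String overload: a prefix test on raw text, with no parsing at all.
    // Calling this where the Uri overload exists is what CA2234 reports.
    public static bool IsAllowed(string url) =>
        url.StartsWith("https://" + AllowedHost, StringComparison.OrdinalIgnoreCase);

    // Uri overload: compares parsed components instead of characters.
    public static bool IsAllowed(Uri uri) =>
        uri.IsAbsoluteUri
        && uri.Scheme == Uri.UriSchemeHttps
        && string.IsNullOrEmpty(uri.UserInfo)
        && string.Equals(uri.Host, AllowedHost, StringComparison.OrdinalIgnoreCase);
}

static class Program
{
    static void Main()
    {
        string[] samples =
        {
            "https://www.adventure-works.com/catalog",              // intended host
            "HTTPS://WWW.ADVENTURE-WORKS.COM/catalog",              // same host, different case
            "https://www.adventure-works.com.example.test/catalog", // allowed name is only a prefix of the host
            "https://www.adventure-works.com@example.test/catalog", // allowed name is in the userinfo part
            "not a uri",                                            // does not parse
        };

        foreach (string text in samples)
        {
            bool byString = Fetcher.IsAllowed(text);
            // Parse once at the boundary; a string that fails to parse is rejected.
            bool byUri = Uri.TryCreate(text, UriKind.Absolute, out var parsed)
                         && Fetcher.IsAllowed(parsed);
            Console.WriteLine($"{text,-55} string={byString,-5} uri={byUri}");
        }
    }
}
```

The string overload accepts the first four samples, while the Uri overload accepts only the first two, because Uri.Host and Uri.UserInfo expose which part of the text is actually the host.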

How to fix violations

To fix a violation of this rule, call the overload that takes the Uri argument.

When to suppress warnings

It is safe to suppress a warning from this rule if the string parameter does not represent a URI.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA2234
// The code that's violating the rule is on this line.
#pragma warning restore CA2234

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA2234.severity = none

For more information, see How to suppress code analysis warnings.

Configure code to analyze

Use the following option to configure which parts of your codebase to run this rule on.

You can configure this option for just this rule, for all rules it applies to, or for all rules in this category (Usage) that it applies to. For more information, see Code quality rule configuration options.

Include specific API surfaces

You can configure which parts of your codebase to run this rule on, based on their accessibility. For example, to specify that the rule should run only against the non-public API surface, add the following key-value pair to an .editorconfig file in your project, replacing the XXXX part of CAXXXX with the ID of the applicable rule (CA2234 for this rule):

dotnet_code_quality.CAXXXX.api_surface = private, internal

Example

The following example, shown first in Visual Basic and then in C#, contains a method, ErrorProne, that violates the rule and a method, SaferWay, that correctly calls the Uri overload:

Imports System

Namespace ca2234

    Class History

        Friend Sub AddToHistory(uriString As String)
        End Sub

        Friend Sub AddToHistory(uriType As Uri)
        End Sub

    End Class

    Public Class Browser

        Dim uriHistory As New History()

        Sub ErrorProne()
            uriHistory.AddToHistory("http://www.adventure-works.com")
        End Sub

        Sub SaferWay()
            Try
                Dim newUri As New Uri("http://www.adventure-works.com")
                uriHistory.AddToHistory(newUri)
            Catch uriException As UriFormatException
            End Try
        End Sub

    End Class

End Namespace

using System;

class History
{
    internal void AddToHistory(string uriString) { }
    internal void AddToHistory(Uri uriType) { }
}

public class Browser
{
    History uriHistory = new History();

    public void ErrorProne()
    {
        uriHistory.AddToHistory("http://www.adventure-works.com");
    }

    public void SaferWay()
    {
        try
        {
            Uri newUri = new Uri("http://www.adventure-works.com");
            uriHistory.AddToHistory(newUri);
        }
        catch (UriFormatException) { }
    }
}