CA5393: Do not use unsafe DllImportSearchPath value
Property | Value |
---|---|
Rule ID | CA5393 |
Title | Do not use unsafe DllImportSearchPath value |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Cause
Using one of the unsafe values of <xref:System.Runtime.InteropServices.DllImportSearchPath?displayProperty=fullName:
AssemblyDirectory
UseDllDirectoryForDependencies
ApplicationDirectory
LegacyBehavior
Rule description
There could be a malicious DLL in the default DLL search directories and assembly directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory.
For more information, see Load Library Safely.
How to fix violations
Use safe values of DllImportSearchPath to specify an explicit search path instead:
SafeDirectories
System32
UserDirectories
When to suppress warnings
It's safe to suppress this rule if:
- You're sure the loaded assembly is what you want.
- The imported assembly is a commonly used system assembly, like user32.dll, and the search path strategy follows the Known DLLs mechanism.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5393
// The code that's violating the rule is on this line.
#pragma warning restore CA5393
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5393.severity = none
For more information, see How to suppress code analysis warnings.
Configure code to analyze
Use the following option to configure which parts of your codebase to run this rule on.
You can configure this option for just this rule, for all rules it applies to, or for all rules in this category (Security) that it applies to. For more information, see Code quality rule configuration options.
Unsafe DllImportSearchPath bits
You can configure which value of DllImportSearchPath is unsafe for the analysis. For example, to specify that the code should not use AssemblyDirectory
, UseDllDirectoryForDependencies
or ApplicationDirectory
, add the following key-value pair to an .editorconfig file in your project:
dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 770
You should specify the integer value of a bitwise combination of the enumeration's values.
Pseudo-code examples
using System;
using System.Runtime.InteropServices;
class ExampleClass
{
[DllImport("The3rdAssembly.dll")]
[DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)]
public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
public void ExampleMethod()
{
MessageBox(new IntPtr(0), "Hello World!", "Hello Dialog", 0);
}
}
Solution
using System;
using System.Runtime.InteropServices;
class ExampleClass
{
[DllImport("The3rdAssembly.dll")]
[DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);
public void ExampleMethod()
{
MessageBox(new IntPtr(0), "Hello World!", "Hello Dialog", 0);
}
}
Related rules
CA5392: Use DefaultDllImportSearchPaths attribute for P/Invokes