CA5393: Do not use unsafe DllImportSearchPath value

Property Value
Rule ID CA5393
Title Do not use unsafe DllImportSearchPath value
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 8 No

Cause

Using one of the unsafe values of <xref:System.Runtime.InteropServices.DllImportSearchPath?displayProperty=fullName:

  • AssemblyDirectory
  • UseDllDirectoryForDependencies
  • ApplicationDirectory
  • LegacyBehavior

Rule description

There could be a malicious DLL in the default DLL search directories and assembly directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory.

For more information, see Load Library Safely.

How to fix violations

Use safe values of DllImportSearchPath to specify an explicit search path instead:

  • SafeDirectories
  • System32
  • UserDirectories

When to suppress warnings

It's safe to suppress this rule if:

  • You're sure the loaded assembly is what you want.
  • The imported assembly is a commonly used system assembly, like user32.dll, and the search path strategy follows the Known DLLs mechanism.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5393
// The code that's violating the rule is on this line.
#pragma warning restore CA5393

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5393.severity = none

For more information, see How to suppress code analysis warnings.

Configure code to analyze

Use the following option to configure which parts of your codebase to run this rule on.

You can configure this option for just this rule, for all rules it applies to, or for all rules in this category (Security) that it applies to. For more information, see Code quality rule configuration options.

Unsafe DllImportSearchPath bits

You can configure which value of DllImportSearchPath is unsafe for the analysis. For example, to specify that the code should not use AssemblyDirectory, UseDllDirectoryForDependencies or ApplicationDirectory, add the following key-value pair to an .editorconfig file in your project:

dotnet_code_quality.CA5393.unsafe_DllImportSearchPath_bits = 770

You should specify the integer value of a bitwise combination of the enumeration's values.

Pseudo-code examples

using System;
using System.Runtime.InteropServices;

class ExampleClass
{
    [DllImport("The3rdAssembly.dll")]
    [DefaultDllImportSearchPaths(DllImportSearchPath.AssemblyDirectory)]
    public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);

    public void ExampleMethod()
    {
        MessageBox(new IntPtr(0), "Hello World!", "Hello Dialog", 0);
    }
}

Solution

using System;
using System.Runtime.InteropServices;

class ExampleClass
{
    [DllImport("The3rdAssembly.dll")]
    [DefaultDllImportSearchPaths(DllImportSearchPath.UserDirectories)]
    public static extern int MessageBox(IntPtr hWnd, String text, String caption, uint type);

    public void ExampleMethod()
    {
        MessageBox(new IntPtr(0), "Hello World!", "Hello Dialog", 0);
    }
}

CA5392: Use DefaultDllImportSearchPaths attribute for P/Invokes