CA5375: Do not use account shared access signature

Property Value
Rule ID CA5375
Title Do not use account shared access signature
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 8 No

Cause

Generating an account Shared Access Signature (SAS) with the GetSharedAccessSignature method under the Microsoft.WindowsAzure.Storage namespace.

Rule description

An account SAS can delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares that are not permitted with a service SAS. However, it doesn't support container-level policies and has less flexibility and control over the permissions that are granted. If possible, use a service SAS for fine grained access control. For more information, see Delegate access with a shared access signature.

How to fix violations

Use a service SAS instead of an account SAS for fine grained access control and container-level access policy.

When to suppress warnings

It is safe to suppress this rule if you're sure that the permissions of all resources are as restricted as possible.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5375
// The code that's violating the rule is on this line.
#pragma warning restore CA5375

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5375.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

At present, the following pseudo-code sample illustrates the pattern detected by this rule.

using System;
using Microsoft.WindowsAzure.Storage;

class ExampleClass
{
    public void ExampleMethod(SharedAccessAccountPolicy policy)
    {
        CloudStorageAccount cloudStorageAccount = new CloudStorageAccount();
        cloudStorageAccount.GetSharedAccessSignature(policy);
    }
}

Solution

Instead of account SAS, use service SAS.

using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.File;

class ExampleClass
{
    public void ExampleMethod(StorageCredentials storageCredentials, SharedAccessFilePolicy policy, SharedAccessFileHeaders headers, string groupPolicyIdentifier, IPAddressOrRange ipAddressOrRange)
    {
        CloudFile cloudFile = new CloudFile(storageCredentials);
        SharedAccessProtocol protocols = SharedAccessProtocol.HttpsOnly;
        cloudFile.GetSharedAccessSignature(policy, headers, groupPolicyIdentifier, protocols, ipAddressOrRange);
    }
}

CA5376: Use SharedAccessProtocol HttpsOnly

CA5377: Use container level access policy