CA2234: Pass System.Uri objects instead of strings
| Property | Value |
|---|---|
| Rule ID | CA2234 |
| Title | Pass System.Uri objects instead of strings |
| Category | Usage |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Cause
A call is made to a method that has a string parameter whose name contains "uri", "Uri", "urn", "Urn", "url", or "Url" and the declaring type of the method contains a corresponding method overload that has a System.Uri parameter.
By default, this rule only looks at externally visible methods and types, but this is configurable.
Rule description
A parameter name is split into tokens based on the camel casing convention, and then each token is checked to see whether it equals "uri", "Uri", "urn", "Urn", "url", or "Url". If there is a match, the parameter is assumed to represent a uniform resource identifier (URI). A string representation of a URI is prone to parsing and encoding errors, and can lead to security vulnerabilities. The Uri class provides these services in a safe and secure manner. When there is a choice between two overloads that differ only regarding the representation of a URI, the user should choose the overload that takes a Uri argument.
How to fix violations
To fix a violation of this rule, call the overload that takes the Uri argument.
When to suppress warnings
It is safe to suppress a warning from this rule if the string parameter does not represent a URI.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA2234
// The code that's violating the rule is on this line.
#pragma warning restore CA2234
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA2234.severity = none
For more information, see How to suppress code analysis warnings.
Configure code to analyze
Use the following option to configure which parts of your codebase to run this rule on.
You can configure this option for just this rule, for all rules it applies to, or for all rules in this category (Usage) that it applies to. For more information, see Code quality rule configuration options.
Include specific API surfaces
You can configure which parts of your codebase to run this rule on, based on their accessibility. For example, to specify that the rule should run only against the non-public API surface, add the following key-value pair to an .editorconfig file in your project:
dotnet_code_quality.CAXXXX.api_surface = private, internal
Example
The following example shows a method, ErrorProne, that violates the rule and a method, SaferWay, that correctly calls the Uri overload:
Imports System
Namespace ca2234
Class History
Friend Sub AddToHistory(uriString As String)
End Sub
Friend Sub AddToHistory(uriType As Uri)
End Sub
End Class
Public Class Browser
Dim uriHistory As New History()
Sub ErrorProne()
uriHistory.AddToHistory("http://www.adventure-works.com")
End Sub
Sub SaferWay()
Try
Dim newUri As New Uri("http://www.adventure-works.com")
uriHistory.AddToHistory(newUri)
Catch uriException As UriFormatException
End Try
End Sub
End Class
End Namespace
class History
{
internal void AddToHistory(string uriString) { }
internal void AddToHistory(Uri uriType) { }
}
public class Browser
{
History uriHistory = new History();
public void ErrorProne()
{
uriHistory.AddToHistory("http://www.adventure-works.com");
}
public void SaferWay()
{
try
{
Uri newUri = new Uri("http://www.adventure-works.com");
uriHistory.AddToHistory(newUri);
}
catch (UriFormatException) { }
}
}
