CA2144: Transparent code should not load assemblies from byte arrays
TypeName |
TransparentMethodsShouldNotLoadAssembliesFromByteArrays |
CheckId |
CA2144 |
Category |
Microsoft.Security |
Breaking Change |
Breaking |
Cause
A transparent method loads an assembly from a byte array using one of the following methods:
Rule Description
The security review for transparent code is not as thorough as the security review for critical code, because transparent code cannot perform security sensitive actions. Assemblies loaded from a byte array might not be noticed in transparent code, and that byte array might contain critical, or more importantly safe-critical code, that does need to be audited. Therefore, transparent code should not load assemblies from a byte array.
How to Fix Violations
To fix a violation of this rule, mark the method that is loading the assembly with the SecurityCriticalAttribute or the SecuritySafeCriticalAttribute attribute.
When to Suppress Warnings
Do not suppress a warning from this rule.
Example
The rule fires on the following code because a transparent method loads an assembly from a byte array.
using System;
using System.IO;
using System.Reflection;
namespace TransparencyWarningsDemo
{
public class TransparentMethodsLoadAssembliesFromByteArraysClass
{
public void TransparentMethod()
{
byte[] assemblyBytes = File.ReadAllBytes("DependentAssembly.dll");
// CA2144 violation - transparent code loading an assembly via byte array. The fix here is to
// either make TransparentMethod critical or safe-critical.
Assembly dependent = Assembly.Load(assemblyBytes);
}
}
}