views:

484

answers:

1

I have a property Foo on a class Bar:

public int Foo
{
   get
   {
      return GetFoo();
   }
   set
   {
      SetFoo(value);
   }
}

Both GetFoo and SetFoo are decorated with [SecurityPermission(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)].

As a result, FxCop correctly complains that the Foo property (or rather its implicit getter and setter methods) doesn't have the same LinkDemand:

CA2122 : Microsoft.Security : 'Bar.Foo.get()' calls into 'Bar.GetFoo()' which has a LinkDemand. By making this call, 'Bar.GetFoo()' is indirectly exposed to user code. Review the following call stack that might expose a way to circumvent security protection:

However, when I tried to apply the same SecurityPermission attribute to the property to fix this warning, it turned out that properties are not a valid target for this attribute.

How do I fix this FxCop warning properly?


edit: to respond to Eric Lippert's comment "why on earth LinkDemand"?

  1. I wrote a function using Marshal.GetIUnknownForObject, which has LinkDemand for unmanaged code permission.
  2. I ran FxCop, which complained with CA2122
  3. I googled CA2122 looking for hints on what the error means and how to resolve it
  4. In the first first google hit I saw Micheal Fanning's advice to use LinkDemand to resolve the error

After reading your reaction which seems to question my sanity, I quickly guessed that Fanning's advice was not applicable in my case. I have now taken a look at the Demand vs. LinkDemand article and will try to use Demand instead.

+2  A: 

You should be able to apply the attribute to the getter and setter directly, i.e.:

public int Foo
{
   [SecurityPermission(...)]
   get
   {
      return GetFoo();
   }

   [SecurityPermission(...)]
   set
   {
      SetFoo(value);
   }
}
Eric Rosenberger