views: 61
answers: 2
I am working on a code review. We have code that looks similar to this:

    public int MyMethod(Message message)
    {
        // Check that the user has access to the function
        CheckUserHasAccessToFunction(UserName, FunctionName);

        // Do the work, then return the result
        return 0;
    }

What I am wondering is: is it possible to find all methods where the "CheckUserHasAccessToFunction" call is missing, for example using regular expressions?

Which function name we test against will vary from method to method. The mapping between the function name and the method is part of the business logic, which we have implemented in code.
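As an added example (not part of the question or of either answer), here is a Python script that does what the question asks and goes a little beyond a single regular expression: it first blanks out comments and string literals, so a commented-out or quoted mention of the check does not count as a call, then finds method headers with a regular expression, extracts each body by brace matching, and reports public methods that never call `CheckUserHasAccessToFunction`, as well as those that call it only after other statements have already run. The class, method names and C# text in `SAMPLE_SOURCE` are constructed for the example.

```python
"""Scan C# source for methods that never call CheckUserHasAccessToFunction."""
import re

CHECK_NAME = "CheckUserHasAccessToFunction"

# Constructed sample input for this example, not code from the question.
# Approve is fine, Cancel only mentions the check in a comment and a string,
# Helper is private, and Ship runs the check only after doing some work.
SAMPLE_SOURCE = r'''
public class OrderService
{
    public int Approve(Message message)
    {
        // Check that the user has access to the function
        CheckUserHasAccessToFunction(UserName, "ApproveOrder");
        return 1;
    }

    public int Cancel(Message message)
    {
        // CheckUserHasAccessToFunction(UserName, "CancelOrder");  <- commented out
        var s = "CheckUserHasAccessToFunction";  // only a string literal
        return 0;
    }

    private void Helper()
    {
        if (x) { y(); }
    }

    public void Ship(Message message)
    {
        Log("shipping");
        CheckUserHasAccessToFunction(UserName, "ShipOrder");
    }
}
'''

# Line comments, block comments, verbatim strings, ordinary strings, char literals.
NOISE = re.compile("|".join([
    r"//[^\n]*",
    r"/\*.*?\*/",
    r'@"(?:[^"]|"")*"',
    r'"(?:\\.|[^"\\\n])*"',
    r"'(?:\\.|[^'\\\n])'",
]), re.DOTALL)

MODIFIERS = r"(?:public|private|protected|internal|static|virtual|override|async|sealed)\s+"
# A method header: one or more modifiers, return type, name, parameter list, "{".
METHOD_HEADER = re.compile(
    r"\b(?P<mods>(?:" + MODIFIERS + r")+)"
    r"(?P<ret>[\w<>\[\],.?]+)\s+"
    r"(?P<name>\w+)\s*\([^)]*\)\s*\{"
)


def strip_noise(code: str) -> str:
    """Blank out comments and literals with spaces, keeping newlines so that
    offsets and line numbers do not change. Braces inside literals disappear
    too, which keeps the brace matching below exact."""
    return NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), code)


def method_body(code: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching brace."""
    depth = 0
    for i in range(open_brace, len(code)):
        if code[i] == "{":
            depth += 1
        elif code[i] == "}":
            depth -= 1
            if depth == 0:
                return code[open_brace + 1:i]
    raise ValueError("unbalanced braces after offset %d" % open_brace)


def find_unchecked_methods(source, check_name=CHECK_NAME, public_only=True):
    """Return (name, line, reason) for each method that does not call
    check_name ('missing') or calls it only after other code ('not-first')."""
    clean = strip_noise(source)
    call_re = re.compile(r"\b" + re.escape(check_name) + r"\s*\(")
    findings = []
    for m in METHOD_HEADER.finditer(clean):
        if public_only and "public" not in m.group("mods"):
            continue
        body = method_body(clean, m.end() - 1)
        line = clean.count("\n", 0, m.start()) + 1
        call = call_re.search(body)
        if call is None:
            findings.append((m.group("name"), line, "missing"))
        elif body[:call.start()].strip():
            findings.append((m.group("name"), line, "not-first"))
    return findings


if __name__ == "__main__":
    for name, line, reason in find_unchecked_methods(SAMPLE_SOURCE):
        print(f"line {line}: {name}: {reason}")
```

Run it over real files by reading each `.cs` file and passing its text to `find_unchecked_methods`. The scanner understands only the shapes above: expression-bodied members (`=>`), constructors and methods without an explicit modifier are not matched, and "not-first" is a heuristic, since a local variable assignment before the check is harmless while a database write is not. For a code base of any size the robust version of this check is a Roslyn analyzer over the syntax tree, but a script like this is enough to find the gaps during a review.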

+1  A: 

You would probably be better off using Attributes for this, in my opinion.

E.g.

using System;

// The attribute type must be declared; C# resolves [RequiresAuth] to RequiresAuthAttribute.
public class RequiresAuthAttribute : Attribute { }

[RequiresAuth]
public void Method()
{
}

I know this doesn't answer your question well, so apologies for that.

Jimmeh
+2  A: 

I think you should refactor your code in a way that you do not need to include this security check manually in every method, because, as you see, you cannot be sure whether all methods perform this security check.

Have you ever worked with proxies? If so, you could add an interceptor which checks the security for you automatically. If not, tell me, then I will give you an example code snippet.

Edit: Here is a code sample which uses proxies (using Castle.DynamicProxy).

using Castle.DynamicProxy;

public class MyService
{
    // The method must be virtual, otherwise the proxy cannot override it
    // and the call bypasses the interceptor.
    public virtual void DoSomethingWhichRequiresAuthorization()
    {
    }
}

public static class MyServiceFactory
{
    // One generator per process: generating the proxy type is expensive,
    // creating instances from it is cheap, and this initialization is thread-safe.
    private static readonly ProxyGenerator Generator = new ProxyGenerator();

    public static MyService Create()
    {
        var interceptor = new AuthorizationInterceptor();

        // Every call to a virtual member of the proxy goes through the interceptor.
        return (MyService)Generator.CreateClassProxy(
            typeof(MyService), new IInterceptor[] { interceptor });
    }
}

public class AuthorizationInterceptor : IInterceptor
{
    public void Intercept(IInvocation invocation)
    {
        // invocation.Method contains the MethodInfo
        // of the actually called method. AuthorizeMethod has to map it to
        // the business function and run the access check; it must throw
        // when the check fails so that the real method is never reached.
        AuthorizeMethod(invocation.Method);

        // Only reached when authorization succeeded: run the real method.
        invocation.Proceed();
    }
}
Oliver Hanappi
Please add the code, will be interesting.
Kyle Rozendo
Here it is. I've edited my answer.
Oliver Hanappi
Thanks, very interesting, I will try it out
Shiraz Bhaiji
Oops, sorry, I forgot to mention that this code snippet uses Castle.DynamicProxy.
Oliver Hanappi
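The two answers combine naturally: the attribute carries the per-method function name, and the interceptor reads it and runs the check before letting the call through. The following is an added example, not code from the question or from either answer and not Castle.DynamicProxy code; it renders that pattern in Python, with a class decorator in the interceptor's role. It assumes the current user is stored on the service instance (`user_name`), and the `USER_FUNCTIONS` table, the user names and the function names are constructed for the example. The point it adds over the C# snippet is the fail-closed rule: a public method without a mapping cannot even be defined, so the gap the question is hunting for cannot arise.

```python
"""Authorization by interception: the check runs before every public method
without each method having to remember it."""
import functools
import inspect


class AuthorizationError(PermissionError):
    """Raised instead of proceeding when the user lacks the function."""


# Constructed permission data for this example (hypothetical users and functions).
USER_FUNCTIONS = {
    "alice": {"ApproveOrder", "ShipOrder"},
    "bob": {"ShipOrder"},
}


def check_user_has_access_to_function(user_name, function_name):
    """Python stand-in for the question's CheckUserHasAccessToFunction.
    Unknown users and unknown functions are denied (fail closed)."""
    if function_name not in USER_FUNCTIONS.get(user_name, set()):
        raise AuthorizationError(f"{user_name} may not call {function_name}")


def requires_function(function_name):
    """Decorator recording which business function a method belongs to,
    i.e. the per-method mapping the question says lives in code."""
    def mark(method):
        method.__required_function__ = function_name
        return method
    return mark


def _intercept(method, function_name):
    """Wrap one method: authorize first, then proceed to the real body."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        check_user_has_access_to_function(self.user_name, function_name)
        return method(self, *args, **kwargs)  # the Proceed() step
    return wrapper


def authorized(cls):
    """Class decorator in the interceptor's role for every public method.
    A public method with no @requires_function mapping is rejected when the
    class is defined, so an unmapped method can never be called unchecked."""
    for name, member in list(vars(cls).items()):
        if name.startswith("_") or not inspect.isfunction(member):
            continue
        function_name = getattr(member, "__required_function__", None)
        if function_name is None:
            raise TypeError(f"{cls.__name__}.{name} has no @requires_function mapping")
        setattr(cls, name, _intercept(member, function_name))
    return cls


@authorized
class OrderService:
    """The current user is held on the instance (an assumption of this
    example; the question's code reads an ambient UserName)."""

    def __init__(self, user_name):
        self.user_name = user_name

    @requires_function("ApproveOrder")
    def approve(self, order_id):
        return f"approved {order_id}"

    @requires_function("ShipOrder")
    def ship(self, order_id):
        return f"shipped {order_id}"


def is_denied(service, method_name, *args):
    """True if calling the named method raises AuthorizationError."""
    try:
        getattr(service, method_name)(*args)
    except AuthorizationError:
        return True
    return False


def unmapped_method_error():
    """Defining a service with an unmapped public method fails at class
    definition time; return the error message to show the fail-closed rule."""
    try:
        @authorized
        class LeakyService:
            def __init__(self, user_name):
                self.user_name = user_name

            def cancel(self, order_id):
                return f"cancelled {order_id}"
    except TypeError as err:
        return str(err)
    return None
```

The same fail-closed rule is worth adding to the C# interceptor: if `AuthorizeMethod` cannot find a function name for `invocation.Method`, throw rather than call `Proceed()`. Two caveats carry over from the proxy approach as well: only virtual (here: public, non-underscore) methods are intercepted, and a method that calls another method on the same object goes through `self`, not the proxy, so internal calls are not re-checked.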