Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

C# static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your C# code

Filtered: 82 rules found

cwe

Reflection should not be vulnerable to injection attacks

Vulnerability

MajorSonarSource default severity
click to learn more

Why is this an issue?

Reflection injections occur in a web application when it retrieves data from a user or a third-party service and fully or partially uses it to inspect, load or invoke a component by name.

If an application uses a reflection method in a way that is vulnerable to injections, it is exposed to attacks that aim to achieve remote code execution on the server’s website.

A user with malicious intent exploits this by carefully crafting a string involving symbols such as class methods, that will help them change the initial reflection logic to an impactful malicious one.

After creating the malicious request and triggering it, the attacker can attack the servers affected by this vulnerability without relying on any pre-requisites.

What is the potential impact?

If user-supplied values are used to choose which code is executed, an attacker may be able to supply carefully-chosen values that cause unexpected code to run. The attacker can use this ability to run arbitrary code on the server.

Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.

Application-specific attacks

In this scenario, the attackers succeed in injecting a seemingly-legitimate object, but whose properties might be used maliciously.

Depending on the application, attackers might be able to modify important data structures or content to escalate privileges or perform unwanted actions. For example, with an e-commerce application, this could be changing the number of products or prices.

Full application compromise

In the worst-case scenario, the attackers succeed in injecting an object triggering code execution.

Depending on the attacker, code execution can be used with different intentions:

Download the internal server’s data, most likely to sell it.
Modify data, install malware, for instance, malware that mines cryptocurrencies.
Stop services or exhaust resources, for instance, with fork bombs.

This threat is particularly insidious if the attacked organization does not maintain a Disaster Recovery Plan (DRP).

Root privilege escalation and pivot

In this scenario, the attacker can do everything described in the previous section. The difference is that the attacker additionally manages to elevate their privileges as an administrator and attack other servers.

Here, the impact depends on how much the target company focuses on its Defense In Depth. For example, the entire infrastructure can be compromised through a combination of unsafe deserialization and misconfiguration:

Docker or Kubernetes clusters
cloud services
network firewalls and routing
OS access control

How to fix it in .NET

Code examples

In the following example, the code simulates a feature in an image editing application that allows users to install plugins to add new filters or effects. It assumes the user will give a known name, such as "SepiaEffect".

Noncompliant code example

public class ExampleController : Controller
{
    public IActionResult Apply(string EffectName)
    {
        var EffectInstance  = Activator.CreateInstance(null, EffectName); // Noncompliant
        object EffectPlugin = EffectInstance.Unwrap();

        if ( ((IEffect)EffectPlugin).ApplyFilter() )
        {
            return Ok();
        }
        else
        {
            return Problem();
        }
    }
}

public interface IEffect
{
    bool ApplyFilter();
}

Compliant solution

public class ExampleController : Controller
{
    private static readonly string[] EFFECT_ALLOW_LIST = {
        "SepiaEffect",
        "BlackAndWhiteEffect",
        "WaterColorEffect",
        "OilPaintingEffect"
    };

    public IActionResult Apply(string EffectName)
    {
        if (!EFFECT_ALLOW_LIST.Contains(EffectName))
        {
            return BadRequest("Invalid effect name. The effect is not allowed.");
        }

        var EffectInstance  = Activator.CreateInstance(null, EffectName);
        object EffectPlugin = EffectInstance.Unwrap();

        if ( ((IEffect)EffectPlugin).ApplyFilter() )
        {
            return Ok();
        }
        else
        {
            return Problem();
        }
    }
}

public interface IEffect
{
    bool ApplyFilter();
}

How does this work?

Pre-Approved commands

The cleanest way to avoid this defect is to validate the input before using it in a reflection method.

Create a list of authorized and secure classes that you want the application to be able to execute.
If a user input does not match an entry in this list, it should be rejected because it is considered unsafe.

Important note: The application must do validation on the server side. Not on client-side front-ends.

Resources

Standards

OWASP Top 10 2021 Category A3 - Injection
OWASP Top 10 2017 Category A1 - Injection
MITRE, CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Available In:

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Developer
Edition

In-IDE

SaaS

Self-Hosted