Gendarme's Code Access Security (CAS) rules are located in the Gendarme.Rules.Security.Cas.dll assembly. Latest sources are available from anonymous SVN (http://anonsvn.mono-project.com/viewcvs/trunk/mono-tools/gendarme/rules/Gendarme.Rules.Security.Cas/).
Rules
ArrayFieldsShouldNotBeReadOnlyRule
This rule warns if a type declares a public readonly array field. Marking a field readonly only prevents the field from being assigned a different value; the object it refers to can still be changed. This means that the elements inside the array can still be changed by any caller.
Bad example:
    class Bad {
        public readonly string[] Array = new string[] { "A", "B" };
    }

    Bad obj = new Bad ();
    obj.Array[0] = "B"; // valid
Good example:
    class Good {
        private readonly string[] array = new string[] { "A", "B" };

        public string[] GetArray ()
        {
            // return a copy so callers cannot modify the private array
            return (string[]) array.Clone ();
        }
    }

    string[] obj = new Good ().GetArray ();
    obj[0] = "B"; // valid, but has no effect on other users
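Added example (not code from the Gendarme page): the same contrast, but exposing a read-only view with Array.AsReadOnly instead of returning a copy, so the caller shares the data but cannot write to it. The Config type, its member names and the host strings are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;

// Constructed example type: one public readonly array field (flagged by the
// rule) next to a private array exposed through a read-only wrapper.
public class Config
{
    // readonly protects only the reference: the elements stay writable
    public readonly string[] AllowedHosts = { "a.example", "b.example" };

    // private backing array; callers only ever see a ReadOnlyCollection
    private readonly string[] trustedHosts = { "a.example", "b.example" };

    public ReadOnlyCollection<string> TrustedHosts
    {
        get { return Array.AsReadOnly (trustedHosts); }
    }
}

public static class ReadOnlyArrayDemo
{
    public static void Main ()
    {
        Config cfg = new Config ();

        // compiles and silently changes state shared by every user of cfg
        cfg.AllowedHosts[0] = "other.example";
        Console.WriteLine (cfg.AllowedHosts[0]); // other.example

        // ReadOnlyCollection<T> has no indexer setter; its explicit IList<T>
        // implementation throws instead of writing through to the array
        IList<string> view = cfg.TrustedHosts;
        try {
            view[0] = "other.example";
        } catch (NotSupportedException) {
            Console.WriteLine ("write rejected");
        }
        Console.WriteLine (cfg.TrustedHosts[0]); // a.example
    }
}
```

Array.AsReadOnly wraps the array without copying, so unlike Clone it stays in sync with later internal changes; choose the wrapper when callers need the current contents and the copy when they need a stable snapshot.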
DoNotShortCircuitCertificateCheckRule
This rule checks for methods that implement pass-through certificate checks, i.e. methods that override the framework's decision about a certificate's validity without checking anything specific about the supplied certificate or error code. Protocols like TLS/SSL are only secure if certificates are validated correctly.
Bad example (ICertificatePolicy):
    public class AcceptEverythingCertificatePolicy : ICertificatePolicy {

        public bool CheckValidationResult (ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem)
        {
            // this accepts everything making it easy for MITM
            // (Man-in-the-middle) attacks
            return true;
        }
    }
Good example (ICertificatePolicy):
    public class AllowSpecificCertificatePolicy : ICertificatePolicy {

        public bool CheckValidationResult (ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem)
        {
            // this accepts only a specific certificate, even if others would be ok
            return (certificate.GetCertHashString () == "D62F48D013EE7FB58B79074512670D9C5B3A5DA9");
        }
    }
Bad example (RemoteCertificateValidationCallback):
    public bool CertificateValidationCallback (object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // this accepts everything making it easy for MITM
        // (Man-in-the-middle) attacks
        return true;
    }

    SslStream ssl = new SslStream (stream, false,
        new RemoteCertificateValidationCallback (CertificateValidationCallback), null);
Good example (RemoteCertificateValidationCallback):
    public bool CertificateValidationCallback (object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // this accepts only a specific certificate, even if others would be ok
        return (certificate.GetCertHashString () == "D62F48D013EE7FB58B79074512670D9C5B3A5DA9");
    }

    SslStream ssl = new SslStream (stream, false,
        new RemoteCertificateValidationCallback (CertificateValidationCallback), null);
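Added example (not from the Gendarme page): a RemoteCertificateValidationCallback that keeps the framework's verdict and only narrows it, failing on any SslPolicyErrors flag and then additionally pinning the leaf certificate's thumbprint. The class name, the logging and the PinnedThumbprint placeholder are assumptions; the placeholder must be replaced with the real expected thumbprint before use.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Constructed helper: a callback that never short-circuits the check.
public static class StrictCertificateValidation
{
    // Placeholder for the hex thumbprint of the one server certificate this
    // client expects; not a real value.
    const string PinnedThumbprint = "PLACEHOLDER_THUMBPRINT_HEX";

    // Returns true only when the framework found no problem AND the leaf
    // certificate matches the pin. Both conditions are independent.
    public static bool ValidateServerCertificate (object sender,
        X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Name mismatch, untrusted chain or missing certificate: all fatal.
        // Do not mask individual flags to make a broken deployment "work".
        if (sslPolicyErrors != SslPolicyErrors.None) {
            Console.Error.WriteLine ("TLS validation failed: {0}", sslPolicyErrors);
            return false;
        }
        if (certificate == null)
            return false;

        // Pin on top of the framework check; thumbprints are hex, so compare
        // without regard to casing.
        string actual = certificate.GetCertHashString ();
        bool pinned = String.Equals (actual, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Console.Error.WriteLine ("certificate thumbprint {0} does not match the pin", actual);
        return pinned;
    }

    // Installs the callback for SslStream; the same method can also be
    // assigned to ServicePointManager.ServerCertificateValidationCallback.
    public static SslStream Wrap (System.IO.Stream stream)
    {
        return new SslStream (stream, false,
            new RemoteCertificateValidationCallback (ValidateServerCertificate), null);
    }
}
```

Because the method inspects both sslPolicyErrors and the certificate, it is not a pass-through check and this rule will not report it; the decision is still a deny-by-default one, which is what a reviewer should look for.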
Notes
- This rule is available since Gendarme 2.4
NativeFieldsShouldNotBeVisibleRule
This rule checks if a class exposes native fields. Native fields should not be public because you lose control over their lifetime (other code could free the memory or use it after it has been freed).
Bad example:
    public class HasPublicNativeField {
        public IntPtr NativeField;
    }
Good example (hide):
    class HasPrivateNativeField {
        private IntPtr NativeField;

        public void DoSomethingWithNativeField ()
        {
            // only this class uses NativeField, so it controls its lifetime
        }
    }
Good example (read-only):
    class HasReadOnlyNativeField {
        public readonly IntPtr NativeField;
    }
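Added example (not from the Gendarme page) that goes one step beyond hiding the field: the native pointer is held in a SafeHandle, so the owning class never hands out a raw IntPtr, the memory is released exactly once, and a use after Dispose is rejected. The native library and the two exported functions (native_buffer_alloc, native_buffer_free) are hypothetical; only the SafeHandle pattern itself is standard .NET.

```csharp
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

// Hypothetical native buffer; zero is the invalid handle value.
sealed class NativeBufferHandle : SafeHandleZeroOrMinusOneIsInvalid
{
    // the marshaler creates instances through this constructor;
    // ownsHandle = true means ReleaseHandle frees the memory
    private NativeBufferHandle () : base (true) { }

    [DllImport ("hypotheticalnative")]
    private static extern NativeBufferHandle native_buffer_alloc (int size);

    [DllImport ("hypotheticalnative")]
    private static extern void native_buffer_free (IntPtr buffer);

    public static NativeBufferHandle Allocate (int size)
    {
        NativeBufferHandle h = native_buffer_alloc (size);
        if (h.IsInvalid)
            throw new OutOfMemoryException ("native_buffer_alloc failed");
        return h;
    }

    // Called once, from Dispose or the finalizer; the runtime keeps the
    // handle alive while a P/Invoke call is still using it.
    protected override bool ReleaseHandle ()
    {
        native_buffer_free (handle);
        return true;
    }
}

public sealed class NativeBuffer : IDisposable
{
    // private and typed as a SafeHandle: no caller can free or reuse it
    private readonly NativeBufferHandle nativeField;

    public NativeBuffer (int size)
    {
        nativeField = NativeBufferHandle.Allocate (size);
    }

    public void DoSomethingWithNativeField ()
    {
        if (nativeField.IsClosed)
            throw new ObjectDisposedException (GetType ().Name);
        // pass nativeField (the SafeHandle) to further P/Invoke calls,
        // never nativeField.DangerousGetHandle ()
    }

    public void Dispose ()
    {
        nativeField.Dispose ();
    }
}
```

Compared with a private IntPtr, the SafeHandle also survives the cases the rule's description warns about inside the class itself: a finalizer race or a second Dispose cannot free the memory twice, and P/Invoke parameters typed as the SafeHandle cannot be passed a stale pointer.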
StaticConstructorsShouldBePrivateRule
To avoid calls from user code, all static constructors must be private. C# allows only private static constructors but some .NET languages (including VB .NET) do permit defining non-private static constructors (Shared in VB.NET), which is not a good practice.
Bad example (VB.NET):
    Public Class PublicCctor
        Public Shared Sub New ()
        End Sub
    End Class
Good example (C#):
    public class PrivateCctor {
        static PrivateCctor () { } // it is private
    }
Good example (VB.NET):
    Public Class PrivateCctor
        Private Shared Sub New ()
        End Sub
    End Class
Feedback
Please report any documentation errors, typos or suggestions to the Gendarme Google Group (http://groups.google.com/group/gendarme). Thanks!