Showing content from https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2153 below:

Code analysis rule CA2153 for Corrupted State Exceptions (code analysis) - .NET

Property                          Value
Rule ID                           CA2153
Title                             Avoid handling Corrupted State Exceptions
Category                          Security
Fix is breaking or non-breaking   Non-breaking
Enabled by default in .NET 9      No (enable it per project with dotnet_diagnostic.CA2153.severity = warning in .editorconfig)

Cause

Corrupted State Exceptions (CSEs) indicate that memory corruption exists in your process. Catching these rather than allowing the process to crash can lead to security vulnerabilities: if an attacker controls the corrupted memory, the code that continues to run after the catch (including the handler itself) runs on attacker-influenced state.

Rule description

A CSE indicates that the state of the process has been corrupted in a way the runtime cannot recover from; the typical example is an AccessViolationException raised by a hardware access violation. On .NET Framework 4 and later, a general catch handler runs for a CSE only if the method is marked with the System.Runtime.ExceptionServices.HandleProcessCorruptedStateExceptionsAttribute attribute (or the application enables the legacyCorruptedStateExceptionsPolicy runtime setting process-wide). By default, the Common Language Runtime (CLR) does not invoke catch handlers for CSEs. On .NET Core and .NET 5+ CSEs cannot be caught at all: the attribute is ignored (and is marked obsolete as SYSLIB0032 from .NET 6), and the process terminates.

The safest option is to allow the process to crash without catching these kinds of exceptions. Anything that runs inside the handler, even logging code, executes on top of already-corrupted memory and can give an attacker the code execution they were after.

This warning triggers when a method marked with the attribute catches CSEs with a general handler that catches all exceptions, for example, catch (System.Exception e) or catch with no exception parameter.
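The following program is an added example, not part of the CA2153 documentation, that makes the runtime behaviour above observable. It assumes a 64-bit .NET Framework 4.x process on Windows, a project compiled with AllowUnsafeBlocks, and that the address it dereferences is unmapped (an assumption; any high unmapped address will do). The only genuine way to get a CSE is a real hardware fault, which is why the example uses an unsafe pointer read rather than constructing an AccessViolationException in managed code.

```csharp
// Added example (not from the CA2153 docs). Assumes 64-bit .NET Framework 4.x on
// Windows, compiled with <AllowUnsafeBlocks>true</AllowUnsafeBlocks>.
using System;
using System.Runtime.ExceptionServices;

static class CseDemo
{
    // Dereferences an address assumed to be unmapped. The hardware access violation
    // surfaces as an AccessViolationException, which the CLR classifies as a CSE.
    // Note: `throw new AccessViolationException()` from managed code is an ordinary
    // exception, not a CSE, so it would not reproduce the behaviour shown here.
    static unsafe int ReadUnmappedAddress()
    {
        int* p = (int*)0x7FFF_0000_0000; // assumed unmapped; must be above the first 64 KB,
                                         // which the CLR reports as NullReferenceException instead
        return *p;
    }

    // No attribute: the CLR skips this general catch for a CSE and the process is
    // terminated, which is the behaviour CA2153 wants you to keep.
    static void WithoutAttribute()
    {
        try
        {
            ReadUnmappedAddress();
        }
        catch (Exception e)
        {
            Console.WriteLine($"never printed for a CSE: {e.GetType().Name}");
        }
    }

    // With the attribute on .NET Framework the general catch runs, which is exactly
    // the pattern CA2153 flags. On .NET Core / .NET 5+ the attribute is ignored and
    // the process still terminates.
    [HandleProcessCorruptedStateExceptions]
    static void WithAttribute()
    {
        try
        {
            ReadUnmappedAddress();
        }
        catch (Exception e)
        {
            // Every instruction here runs on already-corrupted memory.
            Console.WriteLine($"CA2153 violation: swallowed {e.GetType().Name}");
        }
    }

    static void Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "attr")
            WithAttribute();
        else
            WithoutAttribute();

        // Reached only when a handler swallowed the CSE.
        Console.WriteLine("process survived with corrupted state");
    }
}
```

Run it once with no arguments and once with `attr`: the first run dies with an unhandled AccessViolationException, the second prints both lines. One caveat when applying the fix described below: on .NET Framework an application configuration file containing `<legacyCorruptedStateExceptionsPolicy enabled="true"/>` under `<runtime>` makes every general catch in the process behave like the attributed method, so removing the attribute alone is not a complete fix unless that setting is absent as well.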

How to fix violations

To resolve this warning, do one of the following:

- Remove the HandleProcessCorruptedStateExceptionsAttribute attribute. This reverts to the default run-time behavior, where CSEs are not passed to catch handlers (on .NET Framework, also make sure legacyCorruptedStateExceptionsPolicy is not enabled in the application's configuration file).
- Remove the general catch handler in favor of handlers that catch specific exception types. A handler for a non-corrupting type such as IOException or UnauthorizedAccessException cannot match a CSE.
- Rethrow the CSE in the catch handler, which passes the exception to the caller and results in the running process being terminated.

When to suppress warnings

Do not suppress a warning from this rule.

Pseudo-code example

Violation

The following pseudo-code illustrates the pattern detected by this rule.

using System;
using System.IO;
using System.Runtime.ExceptionServices;

// Method that handles CSE exceptions: the attribute lets the general
// catch below run even for a Corrupted State Exception (CA2153 violation).
[HandleProcessCorruptedStateExceptions]
void TestMethod1()
{
    try
    {
        using var fileStream = new FileStream("name", FileMode.Create);
    }
    catch (Exception e)
    {
        // Handle exception. Even this logging call runs on corrupted memory.
        Console.Error.WriteLine(e.Message);
    }
}

Solution 1 - remove the attribute

Removing the HandleProcessCorruptedStateExceptionsAttribute attribute ensures that Corrupted State Exceptions are not passed to the catch handler in your method; the general handler still catches ordinary exceptions.

using System;
using System.IO;

// Without the attribute, a CSE bypasses this catch and the process crashes.
void TestMethod1()
{
    try
    {
        using var fileStream = new FileStream("name", FileMode.Create);
    }
    catch (Exception e)
    {
        // Handle exception (ordinary exceptions only).
        Console.Error.WriteLine(e.Message);
    }
}

Solution 2 - catch specific exceptions

Remove the general catch handler and catch only the specific exception types the operation can raise.

using System;
using System.IO;

// Only the specific failure modes of the file operation are handled;
// neither handler can match a Corrupted State Exception.
void TestMethod1()
{
    try
    {
        using var fileStream = new FileStream("name", FileMode.Create);
    }
    catch (IOException e)
    {
        // Handle IOException (e.g. the path is invalid or the disk is full).
        Console.Error.WriteLine(e.Message);
    }
    catch (UnauthorizedAccessException e)
    {
        // Handle UnauthorizedAccessException (e.g. no write permission).
        Console.Error.WriteLine(e.Message);
    }
}

Solution 3 - rethrow

Rethrow the exception with a bare throw; statement so that the CSE propagates to the caller and the process terminates.

using System;
using System.IO;
using System.Runtime.ExceptionServices;

[HandleProcessCorruptedStateExceptions]
void TestMethod1()
{
    try
    {
        using var fileStream = new FileStream("name", FileMode.Create);
    }
    catch (Exception)
    {
        // Rethrow the exception; a bare throw preserves the original stack trace
        // and lets a CSE continue unwinding until the process is terminated.
        throw;
    }
}
