Find all methods with no security check

I am working on a code review. We have code that looks something like this:

    public int MyMethod(Message message)
    {
        // Check that the user has the access to the function
        CheckUserHasAccessToFunction(UserName, FunctionName);

        // Do the work

    }

I'm wondering if it is possible to find all the methods that are missing the CheckUserHasAccessToFunction call, for example by using regular expressions.

Which function name we are testing will differ from method to method. The mapping between function name and method is part of the business logic that we have implemented in code.

+2
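Added example, not part of the original question: instead of a regular expression, a Roslyn syntax walk finds every public instance method whose body contains no call to CheckUserHasAccessToFunction. It assumes the Microsoft.CodeAnalysis.CSharp NuGet package; the Orders class in the sample source is constructed input.

```csharp
// Added example, not from the original post: scan C# source with Roslyn for
// public instance methods whose body never calls CheckUserHasAccessToFunction.
// Assumes the Microsoft.CodeAnalysis.CSharp NuGet package; the sample source
// inside Main is constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public static class MissingCheckFinder
{
    // The guard call every public method is expected to make.
    private const string GuardName = "CheckUserHasAccessToFunction";

    // Returns "Type.Method" for each public, non-static method in the source
    // that contains no invocation of the guard anywhere in its body.
    public static List<string> FindUnguardedMethods(string source)
    {
        SyntaxNode root = CSharpSyntaxTree.ParseText(source).GetRoot();
        var unguarded = new List<string>();

        foreach (var method in root.DescendantNodes().OfType<MethodDeclarationSyntax>())
        {
            // Private helpers are reached only through already-guarded callers;
            // static methods have no per-user context in this code base.
            if (!method.Modifiers.Any(SyntaxKind.PublicKeyword)) continue;
            if (method.Modifiers.Any(SyntaxKind.StaticKeyword)) continue;

            // Block body or expression body; abstract/extern methods have neither.
            SyntaxNode body = (SyntaxNode)method.Body ?? method.ExpressionBody;
            if (body == null) continue;

            bool guarded = body.DescendantNodes()
                .OfType<InvocationExpressionSyntax>()
                .Any(call => call.Expression.ToString().EndsWith(GuardName, StringComparison.Ordinal));

            if (!guarded)
            {
                var owner = method.Ancestors().OfType<TypeDeclarationSyntax>().FirstOrDefault();
                unguarded.Add($"{(owner?.Identifier.Text ?? "<global>")}.{method.Identifier.Text}");
            }
        }
        return unguarded;
    }

    public static void Main()
    {
        // Constructed sample: Approve is guarded, Cancel forgot the check,
        // Helper is private and therefore not reported.
        const string sample = @"
public class Orders
{
    public int Approve(Message message)
    {
        CheckUserHasAccessToFunction(UserName, ""ApproveOrder"");
        return 1;
    }

    public int Cancel(Message message)
    {
        return 0;
    }

    private void Helper() { }
}";
        foreach (var name in FindUnguardedMethods(sample))
            Console.WriteLine($"missing guard: {name}");
    }
}
```

Feed it File.ReadAllText of each .cs file in the project. Presence of the call is only a coarse filter: it does not tell you whether the FunctionName argument is the right one for that method, or whether the check runs before the work rather than inside one branch. That is the gap the answers address by moving the check out of the method bodies altogether.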




2 answers


I think you need to refactor your code in such a way that you don't need to include this security check manually in every method, because as you can see, you cannot be sure that all methods perform this security check.

Have you ever worked with a proxy? If so, you can add an interceptor that automatically checks for security. If not, tell me and I'll give you an example code snippet.



Edit: Here is some sample code that uses a proxy (using Castle.DynamicProxy).

    using Castle.DynamicProxy;

    public class MyService
    {
        // The method must be virtual so the generated proxy can override it;
        // a non-virtual method bypasses the interceptor entirely.
        public virtual void DoSomethingWhichRequiresAuthorization()
        {
        }
    }

    public static class MyServiceFactory
    {
        private static ProxyGenerator _generator;
        private static ProxyGenerator Generator
        {
            get
            {
                if (_generator == null) _generator = new ProxyGenerator();
                return _generator;
            }
        }

        public static MyService Create()
        {
            var interceptor = new AuthorizationInterceptor();

            // Every virtual method call on the returned object passes through
            // the interceptor before it reaches MyService.
            return (MyService)Generator.CreateClassProxy(
                typeof(MyService), new[] { interceptor });
        }
    }

    public class AuthorizationInterceptor : IInterceptor
    {
        public void Intercept(IInvocation invocation)
        {
            // invocation.Method contains the MethodInfo
            // of the actually called method.
            // AuthorizeMethod is expected to throw if the user lacks access;
            // its implementation is not shown in this answer.
            AuthorizeMethod(invocation.Method);

            // Only after authorization succeeds is the real method run.
            invocation.Proceed();
        }
    }


+2




You are probably better off using attributes for this in my opinion.

e.g.



    [RequiresAuth]
    public void Method()
    {
    }


I know this does not answer your question well, so I apologize for that.

+1
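An added example, not code from either answer, that combines the two suggestions: the interceptor from the first answer is driven by an attribute like the one in the second. Each method declares the function name it needs, and any intercepted method without a declaration is refused, so a forgotten mapping fails closed instead of silently skipping the check. A reflection audit at startup lists the methods the proxy cannot guard or that lack a mapping. It assumes the Castle.Core NuGet package; RequiresFunctionAttribute, OrderService and the permission table are constructed for illustration.

```csharp
// Added example, not code from either answer: the interceptor from the first
// answer driven by the attribute from the second. Assumes the Castle.Core
// NuGet package; RequiresFunctionAttribute, OrderService and the permission
// table are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Reflection;
using Castle.DynamicProxy;

[AttributeUsage(AttributeTargets.Method)]
public sealed class RequiresFunctionAttribute : Attribute
{
    public string FunctionName { get; }
    public RequiresFunctionAttribute(string functionName) => FunctionName = functionName;
}

public class OrderService
{
    // Virtual, so the class proxy can override it and route it through the interceptor.
    [RequiresFunction("ApproveOrder")]
    public virtual string Approve(int id) => $"approved {id}";

    // Mapping forgotten: the interceptor denies this call.
    public virtual string Cancel(int id) => $"cancelled {id}";

    // Not virtual: the proxy cannot intercept it at all, which the audit below reports.
    public string Export(int id) => $"exported {id}";
}

public class AuthorizationInterceptor : IInterceptor
{
    private readonly string _user;
    private readonly Func<string, string, bool> _isAllowed;

    public AuthorizationInterceptor(string user, Func<string, string, bool> isAllowed)
    {
        _user = user;
        _isAllowed = isAllowed;
    }

    public void Intercept(IInvocation invocation)
    {
        // MethodInvocationTarget is the method on the real class, so the
        // attribute is found even though the proxy's override is what was called.
        var attr = invocation.MethodInvocationTarget.GetCustomAttribute<RequiresFunctionAttribute>();
        if (attr == null)
            throw new UnauthorizedAccessException(
                $"{invocation.Method.Name}: no [RequiresFunction] mapping, denied by default");
        if (!_isAllowed(_user, attr.FunctionName))
            throw new UnauthorizedAccessException(
                $"{_user} may not call function {attr.FunctionName}");

        invocation.Proceed(); // authorized: run the real method
    }
}

public static class Program
{
    // Startup audit: every public method that the proxy cannot guard, or that
    // lacks a mapping, is listed. This answers "find all methods with no
    // security check" by reflection instead of by regex over source files.
    public static IEnumerable<string> AuditService(Type serviceType)
    {
        var flags = BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly;
        foreach (var m in serviceType.GetMethods(flags))
        {
            if (!m.IsVirtual)
                yield return $"{serviceType.Name}.{m.Name}: not virtual, proxy cannot intercept it";
            else if (m.GetCustomAttribute<RequiresFunctionAttribute>() == null)
                yield return $"{serviceType.Name}.{m.Name}: no [RequiresFunction], will be denied";
        }
    }

    public static void Main()
    {
        foreach (var finding in AuditService(typeof(OrderService)))
            Console.WriteLine(finding);

        // Constructed permission table standing in for the real access check.
        var allowed = new HashSet<(string User, string Function)> { ("alice", "ApproveOrder") };
        var service = new ProxyGenerator().CreateClassProxy<OrderService>(
            new AuthorizationInterceptor("alice", (u, f) => allowed.Contains((u, f))));

        Console.WriteLine(service.Approve(7));
        try { service.Cancel(7); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```

The two properties that matter for security are that the default is deny (no attribute means no access, so omitting the mapping can only break a feature, never expose one) and that the audit flags non-virtual public methods, which a class proxy cannot intercept and which would otherwise run with no check at all. Run the audit in a test or at application start so a newly added method without a mapping fails loudly before it reaches users.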








