1 //------------------------------------------------------------------------------
2 // <copyright file="SecurityUtils.cs" company="Microsoft">
3 // Copyright (c) Microsoft Corporation. All rights reserved.
5 //------------------------------------------------------------------------------
11 #if Microsoft_NAMESPACE
12 namespace System
.Windows
.Forms
13 #elif DRAWING_NAMESPACE
14 namespace System
.Drawing
15 #elif Microsoft_PUBLIC_GRAPHICS_LIBRARY
16 namespace System
.Internal
17 #elif SYSTEM_NAMESPACE
21 #elif SYSTEM_DATA_LINQ
22 namespace System
.Data
.Linq
24 namespace System
.Windows
.Forms
28 using System
.Reflection
;
29 using System
.Diagnostics
.CodeAnalysis
;
30 using System
.Security
;
31 using System
.Security
.Permissions
;
34 /// Useful methods to securely call 'dangerous' managed APIs (especially reflection).
35 /// See http://wiki/default.aspx/Microsoft.Projects.DotNetClient.SecurityConcernsAroundReflection
36 /// for more information specifically about why we need to be careful about reflection invocations.
38 internal static class SecurityUtils
{
40 private static volatile ReflectionPermission memberAccessPermission
= null;
41 private static volatile ReflectionPermission restrictedMemberAccessPermission
= null;
43 private static ReflectionPermission MemberAccessPermission
46 if (memberAccessPermission
== null) {
47 memberAccessPermission
= new ReflectionPermission(ReflectionPermissionFlag
.MemberAccess
);
49 return memberAccessPermission
;
53 private static ReflectionPermission RestrictedMemberAccessPermission
{
55 if (restrictedMemberAccessPermission
== null) {
56 restrictedMemberAccessPermission
= new ReflectionPermission(ReflectionPermissionFlag
.RestrictedMemberAccess
);
58 return restrictedMemberAccessPermission
;
62 private static void DemandReflectionAccess(Type type
) {
64 MemberAccessPermission
.Demand();
66 catch (SecurityException
) {
67 DemandGrantSet(type
.Assembly
);
71 [SecuritySafeCritical
]
72 private static void DemandGrantSet(Assembly assembly
) {
73 PermissionSet targetGrantSet
= assembly
.PermissionSet
;
74 targetGrantSet
.AddPermission(RestrictedMemberAccessPermission
);
75 targetGrantSet
.Demand();
78 private static bool HasReflectionPermission(Type type
) {
80 DemandReflectionAccess(type
);
83 catch (SecurityException
) {
91 /// This helper method provides safe access to Activator.CreateInstance.
92 /// NOTE: This overload will work only with public .ctors.
94 internal static object SecureCreateInstance(Type type
) {
95 return SecureCreateInstance(type
, null, false);
100 /// This helper method provides safe access to Activator.CreateInstance.
101 /// Set allowNonPublic to true if you want non public ctors to be used.
103 internal static object SecureCreateInstance(Type type
, object[] args
, bool allowNonPublic
) {
105 throw new ArgumentNullException("type");
108 BindingFlags flags
= BindingFlags
.Instance
| BindingFlags
.Public
| BindingFlags
.CreateInstance
;
110 // if it's an internal type, we demand reflection permission.
111 if (!type
.IsVisible
) {
112 DemandReflectionAccess(type
);
114 else if (allowNonPublic
&& !HasReflectionPermission(type
)) {
115 // Someone is trying to instantiate a public type in *our* assembly, but does not
116 // have full reflection permission. We shouldn't pass BindingFlags.NonPublic in this case.
117 // The reason we don't directly demand the permission here is because we don't know whether
118 // a public or non-public .ctor will be invoked. We want to allow the public .ctor case to
120 allowNonPublic
= false;
123 if (allowNonPublic
) {
124 flags
|= BindingFlags
.NonPublic
;
127 return Activator
.CreateInstance(type
, flags
, null, args
, null);
130 #if (!Microsoft_NAMESPACE)
133 /// This helper method provides safe access to Activator.CreateInstance.
134 /// NOTE: This overload will work only with public .ctors.
136 internal static object SecureCreateInstance(Type type
, object[] args
) {
137 return SecureCreateInstance(type
, args
, false);
142 /// Helper method to safely invoke a .ctor. You should prefer SecureCreateInstance to this.
143 /// Set allowNonPublic to true if you want non public ctors to be used.
145 internal static object SecureConstructorInvoke(Type type
, Type
[] argTypes
, object[] args
, bool allowNonPublic
) {
146 return SecureConstructorInvoke(type
, argTypes
, args
, allowNonPublic
, BindingFlags
.Default
);
150 /// Helper method to safely invoke a .ctor. You should prefer SecureCreateInstance to this.
151 /// Set allowNonPublic to true if you want non public ctors to be used.
152 /// The 'extraFlags' parameter is used to pass in any other flags you need,
153 /// besides Public, NonPublic and Instance.
155 internal static object SecureConstructorInvoke(Type type
, Type
[] argTypes
, object[] args
,
156 bool allowNonPublic
, BindingFlags extraFlags
) {
158 throw new ArgumentNullException("type");
161 // if it's an internal type, we demand reflection permission.
162 if (!type
.IsVisible
) {
163 DemandReflectionAccess(type
);
165 else if (allowNonPublic
&& !HasReflectionPermission(type
)) {
166 // Someone is trying to invoke a ctor on a public type, but does not
167 // have full reflection permission. We shouldn't pass BindingFlags.NonPublic in this case.
168 allowNonPublic
= false;
171 BindingFlags flags
= BindingFlags
.Instance
| BindingFlags
.Public
| BindingFlags
.NonPublic
| extraFlags
;
172 if (!allowNonPublic
) {
173 flags
&= ~BindingFlags
.NonPublic
;
176 ConstructorInfo ctor
= type
.GetConstructor(flags
, null, argTypes
, null);
178 return ctor
.Invoke(args
);
184 private static bool GenericArgumentsAreVisible(MethodInfo method
) {
185 if (method
.IsGenericMethod
) {
186 Type
[] parameterTypes
= method
.GetGenericArguments();
187 foreach (Type type
in parameterTypes
) {
188 if (!type
.IsVisible
) {
197 /// This helper method provides safe access to FieldInfo's GetValue method.
199 internal static object FieldInfoGetValue(FieldInfo field
, object target
) {
200 Type type
= field
.DeclaringType
;
202 // Type is null for Global fields.
203 if (!field
.IsPublic
) {
204 DemandGrantSet(field
.Module
.Assembly
);
206 } else if (!(type
!= null && type
.IsVisible
&& field
.IsPublic
)) {
207 DemandReflectionAccess(type
);
209 return field
.GetValue(target
);
213 /// This helper method provides safe access to MethodInfo's Invoke method.
215 internal static object MethodInfoInvoke(MethodInfo method
, object target
, object[] args
) {
216 Type type
= method
.DeclaringType
;
218 // Type is null for Global methods. In this case we would need to demand grant set on
219 // the containing assembly for internal methods.
220 if (!(method
.IsPublic
&& GenericArgumentsAreVisible(method
))) {
221 DemandGrantSet(method
.Module
.Assembly
);
223 } else if (!(type
.IsVisible
&& method
.IsPublic
&& GenericArgumentsAreVisible(method
))) {
224 // this demand is required for internal types in system.dll and its friend assemblies.
225 DemandReflectionAccess(type
);
227 return method
.Invoke(target
, args
);
231 /// This helper method provides safe access to ConstructorInfo's Invoke method.
232 /// Constructors can't be generic, so we don't check if argument types are visible
234 internal static object ConstructorInfoInvoke(ConstructorInfo ctor
, object[] args
) {
235 Type type
= ctor
.DeclaringType
;
236 if ((type
!= null) && !(type
.IsVisible
&& ctor
.IsPublic
)) {
237 DemandReflectionAccess(type
);
239 return ctor
.Invoke(args
);
243 /// This helper method provides safe access to Array.CreateInstance.
245 internal static object ArrayCreateInstance(Type type
, int length
) {
246 if (!type
.IsVisible
) {
247 DemandReflectionAccess(type
);
249 return Array
.CreateInstance(type
, length
);