CS.BANNED.PARSE

Do not use Parse.

This rule flags uses of the Parse method on types that support TryParse.

Note: Support for TryParse on several types in .NET Framework 1.0 and 1.1 is very different from that in version 2.0 and later. For that reason, many types do not support TryParse (or support it with only one overload) in versions 1.0 and 1.1. See the MSDN online help for more information.

Vulnerability and risk

Parsed numbers often come from unreliable sources, so using Parse on them may pose a security risk.

Mitigation and prevention

Check the result of the parse and throw an exception explicitly. Using TryParse ensures that the developer is aware that an exception can be thrown.

Vulnerable code example

  public void SampleMethod(string s)
  {
      // your code here
      double doubleVal = Double.Parse(s); // Violation
      // your code here
  }

Fixed code example

  public void SampleMethod(string s)
  {
      // your code here
      double doubleVal;
      bool result;
  #if NET20
      result = Double.TryParse(s, out doubleVal);  // Fixed
  #endif
      // your code here: check result before using doubleVal
  }
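
The mitigation above (check the parse result and throw explicitly), carried through for input from an unreliable source. This is an added example, not part of the original checker documentation. The helper name ParseDoubleOrThrow, the choice of exception types, the 0 to 100 range and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Globalization;

public static class UntrustedNumber
{
    // Hypothetical helper: returns a finite double within [min, max] or throws explicitly.
    public static double ParseDoubleOrThrow(string s, double min, double max)
    {
        double value;
        // TryParse reports failure through its return value; Parse would instead throw
        // FormatException, OverflowException or ArgumentNullException at this point.
        // InvariantCulture keeps the result independent of the server's locale.
        bool ok = Double.TryParse(s, NumberStyles.Float, CultureInfo.InvariantCulture, out value);

        // Out-of-range text such as "1e999" either fails to parse or yields Infinity,
        // depending on the runtime; both outcomes are rejected here, as is NaN.
        if (!ok || Double.IsNaN(value) || Double.IsInfinity(value))
            throw new ArgumentException("Input is not a finite number.", "s");

        // A syntactically valid number can still be unacceptable to the caller.
        if (value < min || value > max)
            throw new ArgumentOutOfRangeException("s", "Number is outside the allowed range.");

        return value;
    }

    public static void Main()
    {
        // Constructed sample inputs standing in for data from an unreliable source.
        string[] samples = { "12.5", "abc", null, "", "1e999", "NaN", "1,5", "-3" };
        foreach (string s in samples)
        {
            try
            {
                double d = ParseDoubleOrThrow(s, 0.0, 100.0);
                Console.WriteLine("accepted: " + d.ToString(CultureInfo.InvariantCulture));
            }
            catch (ArgumentException ex) // also catches ArgumentOutOfRangeException
            {
                Console.WriteLine("rejected: '" + s + "' (" + ex.GetType().Name + ")");
            }
        }
    }
}
```

Only "12.5" is accepted: "-3" parses but falls outside the allowed range, and the remaining inputs are rejected as not being finite numbers.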