CS.SV.TRANSP.SEC

Transparent methods should not use security demands.

Security transparent code should not be responsible for verifying the security of an operation, and therefore should not demand permissions. Security transparent code should use full demands to make security decisions and safe-critical code should not rely on transparent code to have made the full demand. Any code that performs security checks, such as security demands, should be safe-critical instead.

Vulnerability and risk

In general, to fix a violation of this rule, mark the method with the SecuritySafeCriticalAttribute attribute. You can also remove the demand.

Vulnerable code example

Copy

2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
  using System;
  using System.Security;
  using System.Security.Permissions;
  
  namespace TransparencyWarningsDemo
  {
  
      public class TransparentMethodDemandClass
     {
         // CA2142 violation - transparent code using a Demand.  This can be fixed by making the method safe critical.
         [PermissionSet(SecurityAction.Demand, Unrestricted = true)]
         public void TransparentMethod()
         {
         }
     }
 }

The rule fires on the code because a transparent method makes a declarative security demand.

CS.SV.TRANSP.SEC_DMD

Vulnerability and risk

Vulnerable code example