csharp.lang.correctness.regioninfo.regioninfo-interop.correctness-regioninfo-interop

Author: unknown
Potential inter-process write of RegionInfo $RI via $PIPESTREAM $P that was instantiated with a two-character culture code $REGION. Per .NET documentation, if you want to persist a RegionInfo object or communicate it between processes, you should instantiate it by using a full culture name rather than a two-letter ISO region code.

Definition

rules:
  - id: correctness-regioninfo-interop
    patterns:
      - pattern-either:
          - pattern: |
              $WRITER.Write($RI);
          - pattern: |
              $WRITER.WriteAsync($RI);
          - pattern: |
              $WRITER.WriteLine($RI);
          - pattern: |
              $WRITER.WriteLineAsync($RI);
      - pattern-inside: |
          RegionInfo $RI = new RegionInfo($REGION);
          ...
          using($PIPESTREAM $P = ...){
            ...
          }
      - metavariable-regex:
          metavariable: $REGION
          regex: ^"\w{2}"$
      - metavariable-regex:
          metavariable: $PIPESTREAM
          regex: (Anonymous|Named)Pipe(Server|Client)Stream
    message: Potential inter-process write of RegionInfo $RI via $PIPESTREAM $P that
      was instantiated with a two-character culture code $REGION.  Per .NET
      documentation, if you want to persist a RegionInfo object or communicate
      it between processes, you should instantiate it by using a full culture
      name rather than a two-letter ISO region code.
    languages:
      - csharp
    severity: WARNING
    metadata:
      references:
        - https://docs.microsoft.com/en-us/dotnet/api/system.globalization.regioninfo.twoletterisoregionname?view=net-6.0#remarks
      technology:
        - .net
      category: correctness
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

regioninfo-interop.cs

using System;
using System.Globalization;
using System.IO;        // StreamWriter
using System.IO.Pipes;  // AnonymousPipeServerStream, PipeDirection, HandleInheritability

public class SamplesRegionInfo
{
   public static void Main()
   {
      // Creates a RegionInfo using the ISO 3166 two-letter code.
      RegionInfo myRI1 = new RegionInfo("US");

      // Creates a RegionInfo using a CultureInfo.LCID.
      RegionInfo myRI2 = new RegionInfo(new CultureInfo("en-US", false).LCID);

      using (AnonymousPipeServerStream pipeServer =
                new AnonymousPipeServerStream(PipeDirection.Out,
                                              HandleInheritability.Inheritable))
      {
         using (StreamWriter sw = new StreamWriter(pipeServer))
         {
            //ruleid: correctness-regioninfo-interop
            sw.WriteLine(myRI1);
            //ok
            sw.WriteLine(myRI2);
         }
      }
   }
}
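The remediation the rule description asks for, as an added example that is not part of the Semgrep rule or the .NET documentation: the sender writes the full culture name ("en-US") over a NamedPipeServerStream, and the receiver rebuilds the RegionInfo from that name. The receiver's rejection of a bare two-letter code, the pipe name and the in-process worker-thread layout are assumptions made for this example.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.IO.Pipes;
using System.Threading;

public static class RegionInfoPipeDemo
{
    // Sender: transmit the full culture name ("en-US"), never a bare region code ("US").
    // A two-letter code identifies a region but not a culture, so the far end could
    // not rebuild the same RegionInfo from it.
    public static void SendRegion(StreamWriter writer, CultureInfo culture)
    {
        writer.WriteLine(culture.Name);
        writer.Flush();
    }

    // Receiver: rebuild the RegionInfo from the culture name. Two-letter input is
    // rejected (assumed policy) so a sender that still uses region codes fails loudly.
    public static RegionInfo ReceiveRegion(StreamReader reader)
    {
        string name = reader.ReadLine();
        if (name == null)
            throw new IOException("pipe closed before a culture name arrived");
        if (name.Length == 2)
            throw new InvalidDataException(
                $"received bare region code \"{name}\"; sender must use a culture name such as \"en-US\"");
        return new RegionInfo(name);   // throws ArgumentException on unknown names
    }

    public static void Main()
    {
        // Both pipe ends run in this process: the receiver on a worker thread.
        string pipeName = "regioninfo-demo-" + Guid.NewGuid().ToString("N");
        RegionInfo received = null;

        var receiver = new Thread(() =>
        {
            using (var client = new NamedPipeClientStream(".", pipeName, PipeDirection.In))
            {
                client.Connect();
                using (var reader = new StreamReader(client))
                    received = ReceiveRegion(reader);
            }
        });

        using (var server = new NamedPipeServerStream(pipeName, PipeDirection.Out))
        {
            receiver.Start();
            server.WaitForConnection();
            using (var writer = new StreamWriter(server))
                SendRegion(writer, new CultureInfo("en-US", false));
        }

        receiver.Join();
        Console.WriteLine($"rebuilt RegionInfo {received.Name} ({received.TwoLetterISORegionName})");
    }
}
```

Running the same program with SendRegion writing a RegionInfo("US").Name instead of a culture name trips the receiver's check, which is the failure mode the rule flags at the write site.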