Tuesday, 2 August 2016

Is there a security risk in using reflection to invoke validation in implementations of `ValidationAttribute`?

We have been tasked with running security audit scans on our MVC web applications with IBM AppScan and OWASP ZAP. We've been able to understand and mitigate 99% of the vulnerabilities highlighted by these tools, but I've come across one that has me stumped. In one of our projects, we have a few custom data validation classes that implement the System.ComponentModel.DataAnnotations.ValidationAttribute. The general pattern of these classes is:

using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Property | AttributeTargets.Field | AttributeTargets.Parameter)]
public class WhateverAttribute : ValidationAttribute
{
    // Both values are set at the attribute declaration site in source code;
    // they are never read from the request.
    public Type ServiceType { get; set; }
    public string ServiceValidationMethodName { get; set; }

    protected override ValidationResult IsValid(object value, ValidationContext context)
    {
        if (value == null)
            return ValidationResult.Success;

        // Resolve the service from the MVC dependency resolver.
        var service = DependencyResolver.Current.GetService(ServiceType);
        if (service == null)
            throw new ArgumentNullException("....");

        // Look up the validation method by name and by parameter types (model type, value type).
        var instanceType = context.ObjectInstance.GetType();
        var valueType = value.GetType();
        var method = ServiceType.GetMethod(ServiceValidationMethodName, new[] { instanceType, valueType });
        if (method == null)
            throw new ArgumentNullException("....");

        // The reflective invocation; this is the line AppScan flags.
        var isValid = (bool)method.Invoke(service, new[] { context.ObjectInstance, value });
        return isValid ? ValidationResult.Success : CreateValidationError(context);
    }

    // Helper elided in the original post; assumed body that builds the failure result.
    private ValidationResult CreateValidationError(ValidationContext context)
    {
        return new ValidationResult(FormatErrorMessage(context.DisplayName), new[] { context.MemberName });
    }
}

AppScan flags the line that actually invokes the validation method with a "Malicious DynamicCode Execution" vulnerability. I've done a bit of reading around the interwebs and cannot puzzle out whether or not using reflection to invoke methods in this context is a security risk. Is it? If so, how can it be mitigated? If not, what do I tell my security team to convince them that we are OK?
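Editor's note: the following is an added example, not code from the question or from its author. It shows the checks a reviewer would look for in this pattern, written out as a tightened version of the attribute above: the service type must implement a marker interface (`IValidationService`, assumed here, not in the original), the method lookup is limited to public instance methods on that type with a `bool` return, the resolved `MethodInfo` is cached, and the only data that varies per request (the model instance and the submitted value) is passed as ordinary arguments rather than influencing which method runs. The `Resolver` hook is an assumption standing in for `DependencyResolver.Current.GetService` so the example runs without ASP.NET MVC; the `Order` model and `OrderValidationService` are constructed sample types.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Reflection;

// Assumed marker interface: only types implementing it may be targeted by the attribute.
public interface IValidationService { }

[AttributeUsage(AttributeTargets.Property | AttributeTargets.Field | AttributeTargets.Parameter)]
public sealed class ServiceValidatedAttribute : ValidationAttribute
{
    // Cache of resolved methods, keyed by service/method/model/value types.
    private static readonly ConcurrentDictionary<string, MethodInfo> MethodCache =
        new ConcurrentDictionary<string, MethodInfo>();

    // Assumed hook standing in for DependencyResolver.Current.GetService in MVC.
    public static Func<Type, object> Resolver { get; set; } = t => Activator.CreateInstance(t);

    public Type ServiceType { get; }
    public string MethodName { get; }

    // Both arguments are compile-time literals at the declaration site, never request data.
    public ServiceValidatedAttribute(Type serviceType, string methodName)
    {
        if (serviceType == null) throw new ArgumentNullException(nameof(serviceType));
        if (!typeof(IValidationService).IsAssignableFrom(serviceType))
            throw new ArgumentException("Service type must implement IValidationService.", nameof(serviceType));
        ServiceType = serviceType;
        MethodName = methodName ?? throw new ArgumentNullException(nameof(methodName));
    }

    protected override ValidationResult IsValid(object value, ValidationContext context)
    {
        if (value == null) return ValidationResult.Success;

        var modelType = context.ObjectInstance.GetType();
        var valueType = value.GetType();
        var key = ServiceType.FullName + "|" + MethodName + "|" + modelType.FullName + "|" + valueType.FullName;

        // Restrict the lookup to public instance methods declared on the service type itself.
        var method = MethodCache.GetOrAdd(key, _ => ServiceType.GetMethod(
            MethodName,
            BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly,
            null,
            new[] { modelType, valueType },
            null));

        if (method == null || method.ReturnType != typeof(bool))
            throw new InvalidOperationException(
                $"{ServiceType.Name} has no public instance method {MethodName}({modelType.Name}, {valueType.Name}) returning bool.");

        var service = Resolver(ServiceType);
        if (service == null)
            throw new InvalidOperationException($"Could not resolve {ServiceType.Name}.");

        bool isValid;
        try
        {
            // The model instance and value are passed as arguments; they never select the target.
            isValid = (bool)method.Invoke(service, new[] { context.ObjectInstance, value });
        }
        catch (TargetInvocationException ex)
        {
            // Surface the validator's own exception instead of the reflection wrapper.
            throw ex.InnerException ?? ex;
        }

        if (isValid) return ValidationResult.Success;
        var members = context.MemberName == null ? null : new[] { context.MemberName };
        return new ValidationResult(FormatErrorMessage(context.DisplayName), members);
    }
}

// Constructed sample service and model used to exercise the attribute.
public sealed class OrderValidationService : IValidationService
{
    public bool QuantityWithinStock(Order order, int quantity) => quantity > 0 && quantity <= order.StockOnHand;
}

public sealed class Order
{
    public int StockOnHand { get; set; }

    [ServiceValidated(typeof(OrderValidationService), nameof(OrderValidationService.QuantityWithinStock))]
    public int Quantity { get; set; }
}

public static class Demo
{
    public static void Main()
    {
        var order = new Order { StockOnHand = 5, Quantity = 7 };
        var results = new List<ValidationResult>();
        bool ok = Validator.TryValidateObject(order, new ValidationContext(order), results, validateAllProperties: true);
        Console.WriteLine(ok ? "valid" : "invalid: " + results[0].ErrorMessage);
    }
}
```

In an MVC application the `Resolver` hook would be wired to `DependencyResolver.Current.GetService` at startup. The point the checks make explicit is that the type and method name are fixed in source and constrained to a known interface, so the scanner's "dynamic code execution" finding reduces to a dispatch over a closed set of methods rather than an input-controlled call.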
