CA2140: Transparent code must not reference security critical items

Applies to: yesVisual Studio noVisual Studio for Mac

Note

This article applies to Visual Studio 2017. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation. We recommend upgrading to the latest version of Visual Studio. Download it here

Item Value
RuleId CA2140
Category Microsoft.Security
Breaking change Breaking

Cause

A transparent method:

  • handles a security critical security exception type

  • has a parameter that is marked as a security critical type

  • has a generic parameter with a security critical constraints

  • has a local variable of a security critical type

  • references a type that is marked as security critical

  • calls a method that is marked as security critical

  • references a field that is marked as security critical

  • returns a type that is marked as security critical

Note

This rule has been deprecated. For more information, see Deprecated rules.

Rule description

A code element that is marked with the SecurityCriticalAttribute attribute is security critical. A transparent method cannot use a security critical element. If a transparent type attempts to use a security critical type a TypeAccessException, MethodAccessException , or FieldAccessException is raised.

How to fix violations

To fix a violation of this rule, do one of the following:

When to suppress warnings

Do not suppress a warning from this rule.

Example

In the following examples, a transparent method attempts to reference a security critical generic collection, a security critical field, and a security critical method.

using System;
using System.Security;
using System.Collections.Generic;

namespace TransparencyWarningsDemo
{

    [SecurityCritical]
    public class SecurityCriticalClass { }

    public class TransparentMethodsReferenceCriticalCodeClass
    {
        [SecurityCritical]
        private object m_criticalField;

        [SecurityCritical]
        private void CriticalMethod() { }

        public void TransparentMethod()
        {
            // CA2140 violation - transparent method accessing a critical type.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make CriticalClass safe critical
            //  4. Make CriticalClass transparent
            List<SecurityCriticalClass> l = new List<SecurityCriticalClass>();

            // CA2140 violation - transparent method accessing a critical field.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make m_criticalField safe critical
            //  4. Make m_criticalField transparent
            m_criticalField = l;

            // CA2140 violation - transparent method accessing a critical method.  This can be fixed by any of:
            //  1. Make TransparentMethod critical
            //  2. Make TransparentMethod safe critical
            //  3. Make CriticalMethod safe critical
            //  4. Make CriticalMethod transparent
            CriticalMethod();
        }
    }
}

See also