
Erroneous class compare

ID: cs/class-name-comparison
Kind: problem
Security severity:
Severity: warning
Precision: medium
Tags:
  - quality
  - reliability
  - correctness
  - external/cwe/cwe-486
Query suites:
  - csharp-security-and-quality.qls


Checking the type of an object by comparing its type name as a string is not robust to future changes and may allow an attacker to inject a malicious class. A simple class name is not unique: a class with the same name in a different namespace or assembly passes the check, so code that grants privileges based on the name alone (CWE-486) can be fooled by any attacker-controlled type that reuses the expected name.

Recommendation

Implement a check of the object's type that is not solely based on its class name. Compare the runtime System.Type object itself (for example `account.GetType() == typeof(Trusted.Bank.Account)`) or use a type test such as `is`, so that only the intended type, as identified by its namespace and assembly, is accepted.

Example

In this example, the type of the account is checked purely by its class name (`account.GetType().Name`), which is not reliable: any type named `Account`, wherever it is defined, is treated as trusted.

It would be more appropriate to check the type of account like so, comparing the System.Type object rather than a name:

    class ErroneousClassCompareFix
    {
        public static void ApproveTransaction(object account, Transaction transaction)
        {
            // Compare the runtime type object itself, not its name. Only the
            // Trusted.Bank.Account type (from its own namespace and assembly)
            // satisfies this equality.
            if (account.GetType() == typeof(Trusted.Bank.Account))
            {
                transaction.Process();
            }
        }
    }
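The following is an added, self-contained example (not part of the CodeQL documentation or the query's own test code) that places the name-based check beside the type-identity check and runs both against a second class that merely shares the simple name `Account`. The namespaces `Trusted.Bank` and `Attacker.Payload`, the `Transaction` class, and the method names are assumptions constructed for the demonstration.

```csharp
using System;

namespace Trusted.Bank
{
    // The type the application actually intends to trust.
    public class Account { }
}

// Constructed for the example: a class that shares only the simple name
// "Account" with the trusted type. It could come from any assembly an
// attacker manages to get loaded.
namespace Attacker.Payload
{
    public class Account { }
}

public class Transaction
{
    public bool Processed { get; private set; }
    public void Process() => Processed = true;
}

public static class ClassCompareDemo
{
    // Vulnerable (CWE-486): compares the simple type name as a string.
    // Any class named "Account", in any namespace or assembly, passes.
    public static bool ApproveByName(object account, Transaction transaction)
    {
        if (account.GetType().Name == "Account")
        {
            transaction.Process();
            return true;
        }
        return false;
    }

    // Fixed: compares the System.Type object itself. Type identity includes
    // the namespace and the defining assembly, so only Trusted.Bank.Account
    // is accepted.
    public static bool ApproveByType(object account, Transaction transaction)
    {
        if (account.GetType() == typeof(Trusted.Bank.Account))
        {
            transaction.Process();
            return true;
        }
        return false;
    }

    public static void Main()
    {
        object trusted = new Trusted.Bank.Account();
        object spoofed = new Attacker.Payload.Account();

        // The name check accepts both objects; the spoofed one is the problem.
        Console.WriteLine("name check, trusted: " + ApproveByName(trusted, new Transaction()));
        Console.WriteLine("name check, spoofed: " + ApproveByName(spoofed, new Transaction()));

        // The type check accepts the trusted object and rejects the spoofed one.
        Console.WriteLine("type check, trusted: " + ApproveByType(trusted, new Transaction()));
        Console.WriteLine("type check, spoofed: " + ApproveByType(spoofed, new Transaction()));
    }
}
```

Two points worth keeping in mind when applying the fix. First, `GetType() == typeof(X)` is an exact-type comparison and rejects subclasses of `X`; if subclasses should be accepted, use `account is Trusted.Bank.Account` instead, which is still a type test rather than a name comparison. Second, switching to `FullName` or `AssemblyQualifiedName` narrows the problem but is still a string comparison, and remains fragile against renames and against any attacker who can influence which assemblies are loaded; comparing the `System.Type` object avoids both issues.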
