CodeQL documentation

Bad dynamic call

ID: cs/invalid-dynamic-call
Kind: problem
Security severity:
Severity: error
Precision: medium
Tags:
   - quality
   - reliability
   - correctness
   - external/cwe/cwe-628
Query suites:
   - csharp-security-and-quality.qls


Method calls on variables declared with type ‘dynamic’ are resolved at runtime rather than at compile time: the actual type of the instance is determined, and an attempt is made to call a method on that type with the appropriate signature. If such a method does not exist, a RuntimeBinderException is thrown.

This rule identifies calls to instances with the dynamic type where it can be statically determined that the call will throw a RuntimeBinderException.

Recommendation

Ensure it is not possible to make a call to a dynamic instance of a type that lacks the appropriate method signature for handling that call.

Example

In this example the program attempts to call Foo on a class that doesn’t have a Foo method. This program is guaranteed to fail at runtime with a RuntimeBinderException.

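```csharp
class BadDynamicCall
{
    class WithFoo
    {
        public void Foo(int i) { }
    }

    class WithoutFoo { }

    public static void Main(string[] args)
    {
        // The static type is dynamic, so the compiler accepts the call below.
        dynamic o = new WithoutFoo();
        o.Foo(3); // BAD: WithoutFoo has no Foo method, so this throws RuntimeBinderException
    }
}
```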
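A corrected counterpart to the example above, following the recommendation. This is an added example, not part of the CodeQL documentation; the IFoo interface, the Calls counter and the GoodDynamicCall helper methods are hypothetical names introduced here.

```csharp
using System;
using Microsoft.CSharp.RuntimeBinder;

// Hypothetical interface added for this example; the page defines only WithFoo and WithoutFoo.
interface IFoo { void Foo(int i); }

class WithFoo : IFoo
{
    public int Calls;                       // accumulates arguments so the effect is observable
    public void Foo(int i) { Calls += i; }
}

class WithoutFoo { }

static class GoodDynamicCall
{
    // Option 1: static typing. The compiler rejects any argument that lacks Foo(int).
    public static void CallTyped(IFoo target) => target.Foo(3);

    // Option 2: the concrete type is only known at run time. Test it before
    // the call instead of letting the runtime binder fail.
    public static bool TryCall(object o)
    {
        if (o is IFoo foo) { foo.Foo(3); return true; }
        return false;
    }

    // Option 3: a dynamic call cannot be avoided (for example, interop code).
    // Confine it to one method and turn the binder failure into a handled result.
    public static bool TryCallDynamic(dynamic o)
    {
        try { o.Foo(3); return true; }
        catch (RuntimeBinderException) { return false; }
    }

    public static void Main()
    {
        var good = new WithFoo();
        CallTyped(good);
        Console.WriteLine(TryCall(good));
        Console.WriteLine(TryCall(new WithoutFoo()));
        Console.WriteLine(TryCallDynamic(new WithoutFoo()));
        Console.WriteLine(good.Calls);
    }
}
```

Options 1 and 2 remove the runtime-bound call entirely; option 3 keeps it but makes the missing-method case a return value rather than an unhandled exception.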
