A struct type is a value type that is typically used to encapsulate small groups of related variables. Structs inherit from System.ValueType. This type overrides Equals and GetHashCode. The implementation of Equals calls Equals on each field and returns true if all fields are equal. If there are no GC references in this object it avoids reflection and uses memcmp (code). GetHashCode is a a little bit…[read more]

Counting characters may seems trivial. You can just use the string.Length property, can't you? Unfortunately, this is not that trivial. If you remember my previous post about comparing strings, you know that strings can be very tricky 😃 Let's use the character 👨‍👩‍👧‍👦. The "Family: Man, Woman, Girl, Boy" emoji is a sequence of the 👨 Man, 👩 Woman, 👧 Girl and 👦 Boy emojis. These are combined using…[read more]

Lots of applications use XML files. For instance, this blog has RSS and Atom feeds that are XML documents. Application can communicate using SOAP. You can use XML serialization. But most the applications use only a subset of the XML features. When you start exploring the rest of the specification, you can find some possible vulnerabilities when dealing with XML documents! Let's explore some of them and…[read more]

In a previous post, I wrote about using an .editorfile to define the coding style. Visual Studio understands this file and provides quick fixes to make your code match the coding style. You can easily rename symbols and add spaces where it's needed. However, it's easy to miss some warnings and commit a code that doesn't match the coding style. In this post I'll show you how to enforce the coding style by…[read more]

Some action requires the process to run with administrator rights. For instance, if you want to write a key in HKLM or change system settings, or write a file in Program Files. You should avoid doing that if possible, but sometimes you have to do it. Check if the current process run as administrator There are multiple ways to check whether a process runs as administrator: public bool…[read more]

In the previous post, I wrote about zip bombs. It was about not extracting files that are too big. One of the points of the previous post was about not trusting the zip entry headers. The vulnerability I'll explain in this post is quite the same. This time it's about the path traversal. A zip file contains a flat list of entries. Each entry contains the path of the file (e.g. folder/subfolder/sample.txt),…[read more]

If your website allows the user to upload a zip file that will be extracted on the server, you should be very careful. Often websites are protected again uploading big files. By default, Kestrel and IIS limit the size of a request to 30MB. Apache and nginx also have limits. However, this limit only applied to the uploaded file, not to its decompressed size. In the case of a zip file, a 10MB file can be…[read more]

Serialization is the process of converting an object into a stream of bytes to store the object or transmit it to memory, a database, or a file. It is very handy to store data and load them later or to transfer data between 2 systems. The .NET frameworks comes with multiple serializers including BinaryFormatter, JavaScriptSerializer, XmlSerializer, DataContractSerializer. While it is easy to serialize and…[read more]

If you have ever bound an ObservableCollection<T> to a WPF control, you know it's hard to add or remove items from multi-threads. Indeed, the UI expects the events to be raised on the UI thread. Also, you should not change the collection until the change event is processed by the UI. This means your algorithm is blocked until the UI process the events. This could slow down your processing as multiple…[read more]

While I prefer testing the public API of an assembly, it's sometimes useful to test the implementation details. So, an attribute that I often use is [assembly: InternalsVisibleTo("MyAssembly.Tests")] to allow the test assembly to use internal classes or methods. A convention is to declare assembly attribute in the file AssemblyInfo.cs. With the new SDK-based project, there is no AssemblyInfo.cs by default…[read more]