Hi Jordan,

1) Detection of the strings will be the really difficult part (it is likely impossible to do generically). A few questions to consider. How do you determine if a string was "obtained from the outside"? How do you determine if a string was passed through your sanitizing function? Normally to determine the answers to these questions takes a skilled programmer examining the code and the control flow. This is typically not something that can be easily automated.
2) Modifying the assembly to force the string through a method call is certainly doable with Mono.Cecil.

On Tuesday, January 2, 2018 at 9:37:53 AM UTC-8, Jordan Myers wrote:
> Hello,
>
> I am new to Cecil and Mono/.NET in general and I just wanted to make sure that it would support what I'm trying to do. I would like to create a tool that analyzes the .NET assembly to make sure that strings obtained from the outside world (database, user-input data, etc.) are passed through a certain sanitizing function I designed. I would like to (1) detect whether the sanitizing function is used, and (2) automatically change the assembly so that it uses the function where it is missing. Is this possible with Cecil? What would be the best way to accomplish this? Ideally, this would work in the full .NET standard as well by running on a Windows platform.
>
> Thanks for your help,
> Jordan
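As an added illustration of point 2 (this is example code, not something posted in the thread or shipped with Mono.Cecil), the following console tool shows the mechanical half of Jordan's request: walk every method body, find call sites that return a string from a configured list of "outside world" methods, and, when the very next instruction is not already a call to the sanitizer, splice one in so the value on the evaluation stack is replaced before anything else touches it. Everything about the target is an assumption: the sanitizer is assumed to be a static method `MyApp.Sanitizer.Clean(string) : string` defined in the assembly being rewritten, and the source list (`Console.ReadLine`, `DbDataReader.GetString`) is a stand-in for whatever Jordan considers untrusted.

```csharp
using System;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;
using Mono.Cecil.Rocks;

// Example tool, not part of Mono.Cecil. Assumptions:
//  - the target assembly defines a static method MyApp.Sanitizer.Clean(string) : string
//  - the calls listed in SourceMethods are the "outside world" string sources to guard
//  - a source is considered sanitized only if the call to Clean() immediately follows it
static class SanitizerRewriter
{
    // Cecil's MethodReference.FullName format: "<ret> <declaring type>::<name>(<params>)"
    static readonly string[] SourceMethods =
    {
        "System.String System.Console::ReadLine()",
        "System.String System.Data.Common.DbDataReader::GetString(System.Int32)",
    };

    static bool IsSource(Instruction ins) =>
        (ins.OpCode == OpCodes.Call || ins.OpCode == OpCodes.Callvirt)
        && ins.Operand is MethodReference mr
        && SourceMethods.Contains(mr.FullName);

    static bool IsCallTo(Instruction ins, MethodReference target) =>
        ins != null
        && ins.OpCode == OpCodes.Call
        && ins.Operand is MethodReference mr
        && mr.FullName == target.FullName;

    // Usage: SanitizerRewriter <assembly.dll> [--fix]
    static void Main(string[] args)
    {
        var path = args[0];
        var fix = args.Length > 1 && args[1] == "--fix";

        // ReadWrite lets us call asm.Write() back onto the same file when fixing.
        using var asm = AssemblyDefinition.ReadAssembly(path, new ReaderParameters { ReadWrite = fix });
        var module = asm.MainModule;

        // Locate the (assumed) sanitizer inside the same module. Because it is a
        // MethodDefinition of this module, no ImportReference() is needed.
        var sanitizer = module.Types
            .FirstOrDefault(t => t.FullName == "MyApp.Sanitizer")?
            .Methods.FirstOrDefault(m => m.Name == "Clean" && m.IsStatic && m.Parameters.Count == 1);
        if (sanitizer == null)
            throw new InvalidOperationException("MyApp.Sanitizer::Clean(System.String) not found");

        var missing = 0;
        foreach (var type in module.GetTypes())          // GetTypes() (Rocks) includes nested types
        foreach (var method in type.Methods.Where(m => m.HasBody))
        {
            var body = method.Body;
            body.SimplifyMacros();                       // widen short branches so inserts cannot overflow them
            var il = body.GetILProcessor();

            // ToList(): we mutate the instruction list while scanning it.
            foreach (var ins in body.Instructions.ToList())
            {
                if (!IsSource(ins)) continue;
                if (IsCallTo(ins.Next, sanitizer)) continue;   // already sanitized right away

                missing++;
                Console.WriteLine(
                    $"[unsanitized] {method.FullName} @ IL_{ins.Offset:x4}: {((MethodReference)ins.Operand).FullName}");

                // The source call left a string on the stack; Clean(string) consumes it
                // and pushes the sanitized string in its place, so nothing else changes.
                if (fix)
                    il.InsertAfter(ins, il.Create(OpCodes.Call, sanitizer));
            }

            body.OptimizeMacros();                       // shrink branches back where possible
        }

        if (fix && missing > 0) asm.Write();
        Console.WriteLine($"{missing} call site(s) {(fix ? "rewritten" : "found")}.");
    }
}
```

Note what this does and does not do. The rewrite is purely local: it only looks at the instruction immediately after the source call, so a string that is first stored in a local, returned from a helper, or concatenated before reaching a sink is reported as unsanitized even if a `Clean()` call happens later, and a string that reaches a sink through any other path is never seen at all. That gap is exactly the point in 1) above: deciding whether a value really crosses a trust boundary is a data-flow problem, not a pattern match, and Cecil gives you the instruction stream, not the answer.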
