Thanks Kevin! I was planning to judge "obtained from the outside" by 
identifying usage of the System.IO 
<https://docs.microsoft.com/en-us/dotnet/standard/io/index> base calls. Do 
you think it's correct that all outside data is ultimately obtained from 
System.IO calls (even though it might be hidden behind various layers of 
abstraction)? If so, Cecil would be able to identify usage of System.IO 
calls from the IL assembly?

On Monday, January 8, 2018 at 10:02:31 AM UTC-8, Kevin B wrote:
>
> Hi Jordan,
>
> 1) Detection of the strings will be the really difficult part (it is 
> likely impossible to do generically). A few questions to consider. How do 
> you determine if a string was "obtained from the outside"? How do you 
> determine if a string was passed through your sanitizing function? Normally, 
> determining the answers to these questions takes a skilled programmer 
> examining the code and the control flow. This is typically not something 
> that can be easily automated.
>
> 2) Modifying the assembly to force the string through a method call is 
> certainly do-able with Mono.Cecil. 
>
> On Tuesday, January 2, 2018 at 9:37:53 AM UTC-8, Jordan Myers wrote:
>>
>> Hello,
>>
>> I am new to Cecil and Mono/.NET in general and I just wanted to make sure 
>> that it would support what I'm trying to do. I would like to create a tool 
>> that analyzes the .NET assembly to make sure that strings obtained from the 
>> outside world (database, user-input data, etc.) are passed through a certain 
>> sanitizing function I designed. I would like to (1) detect whether the 
>> sanitizing function is used, and (2) automatically change the assembly so 
>> that it uses the function where it is missing. Is this possible with Cecil? 
>> What would be the best way to accomplish this? Ideally, this would work in 
>> the full .NET standard as well by running on a Windows platform.
>>
>> Thanks for your help,
>> Jordan
>>
>
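
Added example, not part of the thread or of the Mono.Cecil project: a minimal C# scan for the check discussed above. It lists each call into a source namespace (System.IO by default, as proposed in the thread) that returns a string and flags those whose result is not handed directly to the sanitizer. `MyApp.Security.Sanitizer.Clean` is a hypothetical name, and the next-instruction test is a deliberate simplification, not data-flow analysis.

```csharp
// Added example; requires the Mono.Cecil NuGet package.
using System;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

static class SourceCallScanner
{
    // Hypothetical sanitizer: substitute your own declaring type and method name.
    const string SanitizerType = "MyApp.Security.Sanitizer";
    const string SanitizerMethod = "Clean";

    static bool IsCall(Instruction i) =>
        i.OpCode.Code == Code.Call || i.OpCode.Code == Code.Callvirt;

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: scanner <assembly> [namespace-prefix ...]");
            return 2;
        }
        // Namespaces treated as "outside" sources; extra prefixes can be passed as arguments.
        string[] sources = args.Length > 1 ? args.Skip(1).ToArray() : new[] { "System.IO" };
        int missing = 0;
        var asm = AssemblyDefinition.ReadAssembly(args[0]);
        // GetTypes() includes nested types, unlike the Types collection.
        foreach (var method in asm.MainModule.GetTypes().SelectMany(t => t.Methods))
        {
            if (!method.HasBody) continue; // abstract, extern, interface methods
            foreach (var ins in method.Body.Instructions)
            {
                if (!IsCall(ins) || !(ins.Operand is MethodReference callee)) continue;
                if (callee.ReturnType.FullName != "System.String") continue;
                string ns = callee.DeclaringType.Namespace ?? "";
                if (!sources.Any(p => ns == p || ns.StartsWith(p + "."))) continue;
                // Simplification: "sanitized" means the very next instruction calls the
                // sanitizer. A value stored to a local or field first is reported as MISSING.
                var next = ins.Next;
                bool ok = next != null && IsCall(next)
                    && next.Operand is MethodReference m
                    && m.DeclaringType.FullName == SanitizerType && m.Name == SanitizerMethod;
                if (!ok) missing++;
                Console.WriteLine($"{(ok ? "ok     " : "MISSING")} {method.FullName} IL_{ins.Offset:x4}: {callee.FullName}");
            }
        }
        return missing == 0 ? 0 : 1;
    }
}
```

The scan only sees direct `call`/`callvirt` targets that return `System.String`, so strings built from byte or char buffers, or delivered through `Task<string>`, are outside what it reports.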
