Enterprise Library Test Guide - Willy .Net
Testing for Security Best Practices

Threat 9: Attackers can flood WMI event instrumentation with false events.

Investigative notes: The following code examples show how the application block should first validate the input to the Logger.Write method before it raises an event.

    public static void Write(object message, ICollection<string> categories,
        int priority, int eventId, TraceEventType severity,
        string title, IDictionary<string, object> properties)
    {
        LogEntry log = new LogEntry();
        // input validation should have been done here for message
        log.Message = message.ToString();
        log.Categories = categories;
        log.Priority = priority;
        log.EventId = eventId;
        log.Severity = severity;
        log.Title = title;
        log.ExtendedProperties = properties;
        Write(log);
    }

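An added example, not taken from the guide or from Enterprise Library itself, of the checks the comment in the code above calls for before a LogEntry is built and an event is raised. The LogInputValidator class, its limits and the policy on which arguments may be null are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;

// Hypothetical helper (not an Enterprise Library type): argument checks that a
// caller-facing Write overload could run before it builds a LogEntry.
public static class LogInputValidator
{
    // Assumed limits; tune them to what the configured sinks can absorb.
    public const int MaxMessageLength = 32 * 1024;
    public const int MaxTitleLength = 256;
    public const int MaxCategories = 16;

    public static string Validate(object message, ICollection<string> categories,
        TraceEventType severity, string title)
    {
        if (message == null) throw new ArgumentNullException("message");
        if (categories == null) throw new ArgumentNullException("categories");

        // ToString() runs caller-supplied code and may itself return null.
        string text = message.ToString();
        if (text == null || text.Length > MaxMessageLength)
            throw new ArgumentException("Message is null or too long.", "message");

        if (title != null && title.Length > MaxTitleLength)
            throw new ArgumentException("Title is too long.", "title");

        if (categories.Count > MaxCategories)
            throw new ArgumentException("Too many categories.", "categories");
        foreach (string category in categories)
            if (string.IsNullOrEmpty(category))
                throw new ArgumentException("Empty category name.", "categories");

        // Reject values cast from arbitrary integers, e.g. (TraceEventType)12345.
        if (!Enum.IsDefined(typeof(TraceEventType), severity))
            throw new ArgumentOutOfRangeException("severity");

        return text; // validated text for LogEntry.Message
    }

    public static void Main()
    {
        // Constructed input: a null message is rejected before any event is raised.
        try { Validate(null, new List<string> { "General" }, TraceEventType.Information, "t"); }
        catch (ArgumentNullException e) { Console.WriteLine("rejected: " + e.ParamName); }
    }
}
```
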
The following examples show other places that require input validation.

Logger.Write(object,..) for message
SoapLogFormatter.DeserializeLogEntry(string) for serializedLogEntry
ContextItems.ProcessContextItems(LogEntry) for log
LoggingSettings.GetLoggingSettings(IConfigurationSource) for configurationSource
ComPlusInformationProvider.PopulateDictionary(IDictionary) for dict
DebugInformationProvider.PopulateDictionary(IDictionary) for dict
ManagedSecurityContextInformationProvider.PopulateDictionary(IDictionary) for dict
UnmanagedSecurityContextInformationProvider.PopulateDictionary(IDictionary) for dict
DebugUtils.GetStackTraceWithSourceInfo(StackTrace) for stackTrace
PriorityFilter.Filter(LogEntry) for log
DictionaryToken.FormatToken(String, LogEntry) for log
KeyValueToken.FormatToken(String, LogEntry) for log
TimeStampToken.FormatToken(String, LogEntry) for log
TokenFunction.Format(StringBuilder, LogEntry) for messageBuilder
FormatterDatabaseTraceListener.ValidateParameters(LogEntry) for logEntry
MsmqListener.MsmqListener(DistributorService, Int32, String) for distributorService
MsmqDistributorSettings.GetSettings(IConfigurationSource) for configurationSource