SharePoint Code Analysis Framework (SPCAF)

SPC020201: Do not update list of blocked extensions

SPC020202: Avoid setting 'AllowUnsafeUpdates' on SPWeb

SPC020203: Avoid setting 'AllowUnsafeUpdates' on SPSite

SPC020204: Do not call 'WindowsIdentity.Impersonate'

SPC020205: Do not set 'AllowEveryoneViewItems' for SPList to TRUE

SPC020206: Avoid usage of 'RunWithElevatedPrivileges'

SPC020210: Do not add PageParserPaths to web.config

SPC020220: Do not call 'HttpUtility.HtmlEncode'.

SPC020221: Do not nest calls to RunWithElevatedPrivileges

SPC020602: CAS Policy 'Maschine' with access='Administer' is not allowed

SPC020603: Policy Permission Impersonate not allowed

SPC020611: Do not define 'FileIOPermission' with 'Unrestricted=true'

SPC020612: Do not define 'RegistryPermission' with 'Unrestricted=true'

SPC020613: Do not define 'SecurityPermission' with 'Unrestricted=true'

SPC020614: Do not define 'EnvironmentPermission' with 'Unrestricted=true'

SPC020615: Do not define 'SmtpPermission' with 'Unrestricted=true'

SPC025501: Do not set 'AllowEveryoneViewItems' to TRUE in ListDefinition

SPC026901: Do not use inline code in ASPX pages

SPC026902: Add 'SharePoint:FormDigest' to ASPX page

SPC020203: Avoid setting 'AllowUnsafeUpdates' on SPSite

The assembly should not call Microsoft.SharePoint.SPSite.AllowUnsafeUpdates to run make changes to SPSite with a lower security context. Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities.

TypeName:	AvoidCallToAllowUnsafeUpdatesOnSPSite
CheckId:	SPC020203
Severity:	CriticalWarning
Type:	AssemblyFileReference

Resolution

Remove calls to 'Microsoft.SharePoint.SPSite.AllowUnsafeUpdates' to avoid changes with a lower security context. If you need to use it ensure to change the value back to its original state after your operations. See sample below:

Good Practice:

public void FunctionWithUnsafeOperation(SPSite site)
{
  bool allowUpdates = web.AllowUnsafeUpdates; //save original value
  try
  {
    site.AllowUnsafeUpdates = true;
    // operate on site
  }
  finally
  {
    site.AllowUnsafeUpdates = allowUpdates;
  }
}

Links

comments powered by Disqus

Copyright © 2013 RENCORE AB. All Rights Reserved

Disclaimer: The views and opinions expressed in this documentation and in SPCAF are those of the creators and do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. All trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.

SharePoint Code Analysis Framework, Version 4.5.2.7855, see www.spcaf.com for more information