
C# Enums - A bit of Extra Caution when working with Enums

Straight to a question for you.

Consider the following code, which accepts a caller key and a token request from a caller and issues a security key for further requests. Note that we also have a minimal exclusion check, which prevents certain callers from getting the admin permission. Now, the question: what is wrong with the code below?

public enum SecurityToken
{
    Admin,
    Registered,
    Anon
}

public class SecurityGateway
{
    public string GetSecurityKey(string callerKey, SecurityToken token)
    {
        //Prevent caller2 from getting the admin token
        if (callerKey.Equals("secretcallerkey2")
            && token == SecurityToken.Admin)
            return "Error: You can't request an admin token";

        //Issue the token
        switch (token)
        {
            case SecurityToken.Anon:
                return "PermissionKeyForAnonymous";
            case SecurityToken.Registered:
                return "PermissionKeyForRegistered";
            default:
                return "PermissionKeyForAdmin";
        }
    }
}

If you already found the issue, you may stop reading here. Otherwise, let us examine this in a bit more detail.

Assume that a caller, let us say Caller1, is requesting a security key for leveraging admin permissions.

SecurityGateway gateway = new SecurityGateway();

//Caller 1
var key = gateway.GetSecurityKey("secretcallerkey1", SecurityToken.Admin);
//key's value is PermissionKeyForAdmin for secretcallerkey1


As you may imagine, the value of key will be PermissionKeyForAdmin, as expected.

Now, the issue. As you may be aware, C# enums are implemented as integers by default, and you can cast any integer to an enum type, whether or not that integer corresponds to a named member. So, if Caller2 has some evil plans, it may do something like this.

SecurityGateway gateway = new SecurityGateway();

//Caller 2
var key = gateway.GetSecurityKey("secretcallerkey2", (SecurityToken)10);

//Oops, key's value is still PermissionKeyForAdmin for secretcallerkey2,
//bypassing the exclusion check we have above


Note that I'm casting an integer to an enum, and the following exclusion check will be bypassed by Caller2, because the token's value is 10 instead of the value for SecurityToken.Admin, yet the switch still falls through to the default branch and hands out the admin key.

//Oops, Caller2 can bypass this exclusion check

//Prevent caller2 from getting the admin token
if (callerKey.Equals("secretcallerkey2")
    && token == SecurityToken.Admin)
    return "Error: You can't request an admin token";


Alright, so the point is: be a bit more careful when working with enums in general, and especially when you implement check conditions with them.

Update: As Oleg pointed out below, an explicit check using Enum.IsDefined(..) to validate if the passed value exists in the specified enumeration is the best solution.
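The following is an added example (not the original post's code) of how the gateway above could be hardened along the lines of that update. It validates the incoming value with Enum.IsDefined before any decision is made on it, and it makes Admin an explicit switch case instead of the default branch, so an unexpected value can never fall through to the most privileged key. The class name HardenedSecurityGateway and the Demo class are assumptions introduced for this example.

```csharp
using System;

public enum SecurityToken
{
    Admin,
    Registered,
    Anon
}

public class HardenedSecurityGateway
{
    public string GetSecurityKey(string callerKey, SecurityToken token)
    {
        // Reject any value that is not a named member of SecurityToken.
        // (SecurityToken)10 fails this check and never reaches the switch.
        if (!Enum.IsDefined(typeof(SecurityToken), token))
            throw new ArgumentOutOfRangeException(nameof(token),
                $"Unknown SecurityToken value {(int)token}");

        // Exclusion check from the original post, unchanged.
        if (callerKey.Equals("secretcallerkey2") && token == SecurityToken.Admin)
            return "Error: You can't request an admin token";

        // Every member is an explicit case; the most privileged key is never
        // handed out by a catch-all default.
        switch (token)
        {
            case SecurityToken.Anon:
                return "PermissionKeyForAnonymous";
            case SecurityToken.Registered:
                return "PermissionKeyForRegistered";
            case SecurityToken.Admin:
                return "PermissionKeyForAdmin";
            default:
                // Unreachable after the Enum.IsDefined check, but fail closed anyway.
                throw new InvalidOperationException("Unhandled SecurityToken");
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var gateway = new HardenedSecurityGateway();

        // Legitimate request from Caller1: still returns PermissionKeyForAdmin.
        Console.WriteLine(gateway.GetSecurityKey("secretcallerkey1", SecurityToken.Admin));

        // Caller2's cast integer from the post is now rejected instead of
        // silently mapping to the admin key.
        try
        {
            gateway.GetSecurityKey("secretcallerkey2", (SecurityToken)10);
        }
        catch (ArgumentOutOfRangeException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

One caveat worth knowing: Enum.IsDefined only recognises single named members, so for an enum marked with [Flags] a combined value such as Read | Write is reported as undefined and needs a different validity check (for example, masking against the union of all defined bits). For a plain enum like SecurityToken the check above is sufficient.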


Happy coding. You may also enjoy reading a few more back-to-basics posts in this blog.
