
C# Enums - A bit of Extra Caution when working with Enums

Straight to a question for you.

Consider the following code, which accepts a caller key and a token request from a caller and issues a security key for further requests. Note that we also have a minimal exclusion check that prevents certain callers from getting the admin permission. Now, the question: what is wrong with the code below?

    public enum SecurityToken
    {
        Admin,
        Registered,
        Anon
    }

    public class SecurityGateway
    {
        public string GetSecurityKey(string callerKey, SecurityToken token)
        {
            //Prevent caller2 from getting the admin token
            if (callerKey.Equals("secretcallerkey2")
                && token == SecurityToken.Admin)
                return "Error: You can't request an admin token";

            //Issue the token
            switch (token)
            {
                case SecurityToken.Anon:
                    return "PermissionKeyForAnonymous";
                case SecurityToken.Registered:
                    return "PermissionKeyForRegistered";
                default:
                    return "PermissionKeyForAdmin";
            }
        }
    }

If you have already found the issue, you may stop reading here. Otherwise, let us examine this in a bit more detail.

Assume that a caller, let us say Caller1, is requesting a security key for leveraging admin permissions.

    SecurityGateway gateway = new SecurityGateway();

    //Caller 1
    var key = gateway.GetSecurityKey("secretcallerkey1", SecurityToken.Admin);
    //key's value is PermissionKeyForAdmin for secretcallerkey1


As you may imagine, the value of key will be PermissionKeyForAdmin, as expected.

Now, the issue. As you may be aware, C# enums are implemented as integers by default, and you can cast any integer to an enum type, whether or not it matches a named member. So, if Caller2 has some evil plans, it may do something like this.

    SecurityGateway gateway = new SecurityGateway();

    //Caller 2
    var key = gateway.GetSecurityKey("secretcallerkey2", (SecurityToken)10);

    //Oops, key's value is still PermissionKeyForAdmin for secretcallerkey2,
    //bypassing the exclusion check we have above


Note that I'm casting an integer to an enum. The following exclusion check will be bypassed by Caller2, because the token's value is 10 instead of the value of SecurityToken.Admin, and the switch then falls through to the default case, which returns the admin key.

    //Oops, Caller2 can bypass this exclusion check

    //Prevent caller2 from getting the admin token
    if (callerKey.Equals("secretcallerkey2")
        && token == SecurityToken.Admin)
        return "Error: You can't request an admin token";


Alright, so the point is, be a bit more careful when working with Enums in general, and also when you implement check conditions with enums.

Update: As Oleg pointed out below, an explicit check using Enum.IsDefined(..) to validate if the passed value exists in the specified enumeration is the best solution.
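A hardened version of the gateway, as an added example that is not code from the original post: it applies the Enum.IsDefined check before the exclusion check and makes the switch fail closed instead of defaulting to the admin key. The class name HardenedSecurityGateway and the choice to throw ArgumentOutOfRangeException are assumptions made for illustration.

```csharp
using System;

public enum SecurityToken { Admin, Registered, Anon }

public class HardenedSecurityGateway // hypothetical name, not from the post
{
    public string GetSecurityKey(string callerKey, SecurityToken token)
    {
        // Reject any value that is not a named member, e.g. (SecurityToken)10.
        if (!Enum.IsDefined(typeof(SecurityToken), token))
            throw new ArgumentOutOfRangeException(nameof(token), "Unknown security token");

        // Exclusion check from the post; it is now only reached with a defined value.
        if (callerKey.Equals("secretcallerkey2") && token == SecurityToken.Admin)
            return "Error: You can't request an admin token";

        switch (token)
        {
            case SecurityToken.Anon:
                return "PermissionKeyForAnonymous";
            case SecurityToken.Registered:
                return "PermissionKeyForRegistered";
            case SecurityToken.Admin:
                return "PermissionKeyForAdmin";
            default:
                // Fail closed: a member added to the enum later never maps to admin.
                throw new ArgumentOutOfRangeException(nameof(token));
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var gateway = new HardenedSecurityGateway();
        Console.WriteLine(gateway.GetSecurityKey("secretcallerkey1", SecurityToken.Admin));
        Console.WriteLine(gateway.GetSecurityKey("secretcallerkey2", SecurityToken.Admin));
        try
        {
            gateway.GetSecurityKey("secretcallerkey2", (SecurityToken)10);
        }
        catch (ArgumentOutOfRangeException)
        {
            Console.WriteLine("Rejected undefined token value 10");
        }
    }
}
```

Enum.IsDefined returns false for combined values of a [Flags] enum that have no named member, so flag enums need a mask check instead.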


Happy coding! You may also love reading a few more back-to-basics posts in this blog.
