
C# Enums - A bit of Extra Caution when working with Enums

Straight to a question for you.

Consider the following code, where you accept a caller key and a token request from a caller and issue a security key for further requests. Note that we also have a minimal exclusion check, where we prevent certain callers from getting the admin permission. Now, the question: what is wrong with the code below?

public enum SecurityToken
{
    Anon,
    Registered,
    Admin
}

public class SecurityGateway
{
    public string GetSecurityKey(string callerKey, SecurityToken token)
    {
        //Prevent caller2 from getting the admin token
        if (callerKey.Equals("secretcallerkey2")
            && token == SecurityToken.Admin)
            return "Error: You can't request an admin token";

        //Issue the token
        switch (token)
        {
            case SecurityToken.Anon:
                return "PermissionKeyForAnonymous";
            case SecurityToken.Registered:
                return "PermissionKeyForRegistered";
            default:
                //Anything that is not Anon or Registered ends up here
                return "PermissionKeyForAdmin";
        }
    }
}

If you already found the issue, you may stop reading here. Otherwise, let us examine this in a bit more detail.

Assume that a caller, let us say Caller1, is requesting a security key for leveraging admin permissions.

SecurityGateway gateway = new SecurityGateway();

//Caller 1
var key = gateway.GetSecurityKey("secretcallerkey1", SecurityToken.Admin);
//key's value is PermissionKeyForAdmin for secretcallerkey1

As you may imagine, the value of key will be PermissionKeyForAdmin, as expected.

Now, the issue. As you may be aware, C# enums are backed by integers (int by default), and you can cast any integer to an enum type, whether or not the enumeration declares a member with that value. So, if Caller2 has some evil plans, it may do something like this.

SecurityGateway gateway = new SecurityGateway();

//Caller 2
var key = gateway.GetSecurityKey("secretcallerkey2", (SecurityToken)10);

//Oops, key's value is still PermissionKeyForAdmin for secretcallerkey2,
//bypassing the exclusion check we have above

Note that I'm casting an integer to an enum, and the following exclusion check will be bypassed by Caller2, because the token's value is 10 instead of the value for SecurityToken.Admin. The comparison is false, so the switch falls through to its default branch, which hands out the admin key.

//Oops, Caller2 can bypass this exclusion check

//Prevent caller2 from getting the admin token
if (callerKey.Equals("secretcallerkey2")
    && token == SecurityToken.Admin)
    return "Error: You can't request an admin token";

Alright, so the point is: be a bit more careful when working with enums in general, and especially when you implement check conditions with enums. An enum parameter does not guarantee that the value is one of the declared members, and a default branch that issues the most privileged result turns every unexpected value into a privilege grant.

Update: As Oleg pointed out below, an explicit check using Enum.IsDefined(..) to validate that the passed value exists in the specified enumeration is the best solution.
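To make the fix concrete, here is the same gateway hardened in two independent ways. This is an added example, not code from the original post; the class name HardenedSecurityGateway and the Demo class are mine, while the enum members, caller keys and return strings are the ones the post uses. The first defence is the Enum.IsDefined(..) check from the update above; the second is to issue the admin key only from an explicit case, so that the default branch fails closed instead of granting the highest privilege.

```csharp
using System;

// Added example (not from the original post): the post's gateway, hardened so that
// an out-of-range cast such as (SecurityToken)10 fails closed.
public enum SecurityToken
{
    Anon,
    Registered,
    Admin
}

public class HardenedSecurityGateway
{
    public string GetSecurityKey(string callerKey, SecurityToken token)
    {
        // Defence 1: reject any value that is not a declared member of the enumeration.
        // The parameter type does not guarantee this, because any int can be cast to SecurityToken.
        if (!Enum.IsDefined(typeof(SecurityToken), token))
            return "Error: Unknown token value " + (int)token;

        // The exclusion check is now reliable: token is one of Anon, Registered or Admin.
        if (callerKey.Equals("secretcallerkey2") && token == SecurityToken.Admin)
            return "Error: You can't request an admin token";

        // Defence 2: fail closed. The privileged key is issued only for the explicit
        // Admin case, never from a catch-all default branch.
        switch (token)
        {
            case SecurityToken.Anon:
                return "PermissionKeyForAnonymous";
            case SecurityToken.Registered:
                return "PermissionKeyForRegistered";
            case SecurityToken.Admin:
                return "PermissionKeyForAdmin";
            default:
                return "Error: Unsupported token";
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var gateway = new HardenedSecurityGateway();

        // Caller 2 retries the cast from the post; the IsDefined check stops it,
        // and even without that check the default branch would no longer return the admin key.
        Console.WriteLine(gateway.GetSecurityKey("secretcallerkey2", (SecurityToken)10));

        // The original exclusion check still works for a well-formed request.
        Console.WriteLine(gateway.GetSecurityKey("secretcallerkey2", SecurityToken.Admin));

        // Caller 1 is still allowed to obtain the admin key.
        Console.WriteLine(gateway.GetSecurityKey("secretcallerkey1", SecurityToken.Admin));
    }
}
```

Two caveats worth keeping in mind. Enum.IsDefined(..) only checks for an exact declared member, so it does not validate combined values of a [Flags] enumeration; for those you need to mask against the set of valid bits yourself. And the check is a runtime guard only: it belongs at every trust boundary where the enum value originates from a caller, not just in the one method that happens to compare against Admin.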

Happy coding. You may also enjoy reading a few more back-to-basics posts in this blog.
