What to use instead of SafeHandle.DangerousGetHandle?


I was looking at my SonarQube static code analysis and came across a report about using a SafeTokenHandle DangerousGetHandle method call.

I start by declaring a SafeTokenHandle:

            SafeTokenHandle safeTokenHandle;
            // "out" is required here: the local is unassigned before the call
            var returnValue = Logon(out safeTokenHandle);

I check the return value of my logon method:

            if (false == returnValue)
            {
                //stuff
            }

I use a basic "using" in which I log the value of the SafeTokenValue:

            using (safeTokenHandle)
            {
                Console.WriteLine("Did LogonUser Succeed? " + "Yes");
                Console.WriteLine("Value of Windows NT token: " + safeTokenHandle);

Then I have another using which sets a new WindowsIdentity using the "DangerousGetHandle" method:

                using (var newId = new WindowsIdentity(safeTokenHandle.DangerousGetHandle()))

Is there any way to go ahead and get that information without using the "DangerousGetHandle" method, or do I just need to accept the risk on this?

Microsoft says: "DangerousGetHandle method can pose security risks", primarily due to the reference becoming stale, which can lead to it accessing sensitive information.

It looks like using the DangerousAddRef and DangerousRelease is Microsoft's advice, but those also seem to come with risks. Any direction would be helpful.

There are 0 answers
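
The DangerousAddRef/DangerousRelease pattern mentioned in the question, as an added example that is not part of the original post: the raw handle is read only while a reference is held, so it cannot go stale during the call, although DangerousGetHandle is still called and a static analyzer may still report it. `TokenIdentity` and `FromSafeHandle` are hypothetical names, and the current process token stands in for a token returned by a logon call.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TokenIdentity
{
    // Hypothetical helper (not from the post): builds a WindowsIdentity from any
    // SafeHandle that wraps an access token, such as the poster's SafeTokenHandle.
    public static WindowsIdentity FromSafeHandle(SafeHandle token)
    {
        if (token == null) throw new ArgumentNullException(nameof(token));
        if (token.IsInvalid || token.IsClosed)
            throw new ArgumentException("Token handle is invalid or closed.", nameof(token));

        bool addedRef = false;
        try
        {
            // Holds a reference: a concurrent Dispose() cannot close the handle,
            // and the OS cannot recycle its value, until DangerousRelease runs.
            token.DangerousAddRef(ref addedRef);

            // The constructor duplicates the token, so the raw IntPtr is needed
            // only for the duration of this call and is never stored.
            return new WindowsIdentity(token.DangerousGetHandle());
        }
        finally
        {
            // Release only if AddRef succeeded, otherwise the count is corrupted.
            if (addedRef) token.DangerousRelease();
        }
    }

    static void Main()
    {
        // Constructed sample input: the current process token (Windows only).
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        using (WindowsIdentity copy = FromSafeHandle(current.AccessToken))
        {
            Console.WriteLine("Same account: " + (copy.Name == current.Name));
        }
    }
}
```

Where the goal is only to run code as the logged-on user, `WindowsIdentity.RunImpersonated` accepts a `SafeAccessTokenHandle` directly (.NET Framework 4.6 and later), so no raw handle is read at all.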