Security Implications of InternalsVisibleTo

Nat says:

I think whenever we need to use this attribute, we should make sure that we make it internally visible to a strongly named assembly. Otherwise, this is just another crack in a pot. If we want to use it with Unit Tests, I mean that Unit Tests should be strongly named. :) Otherwise, Microsoft should make it extensible so that we can make this attribute apply only if it is a debug build. What do you think, Jamie?

I'm not sure how the current implementation works security wise. It has always been possible to do this kind of stuff using reflection. Assuming you need equivalent permissions to make these calls there isn't a problem.

Hopefully it works differently for strongly named callers. They should be able to make internal calls without unrestricted or reflection permissions.

I do like the simplicity of the current implementation. I would rather not sign my test assemblys and have to deal with strong names. I also like being able to play with the innards of 'Microsoft.Build.Engine'. ;o)

1 Comment

  • Hopefully they will give a thorough thought about this and invent a new permission name like InternalVisiblePermission :)



    Hmm... or another alternative..... make it available to NUnit tests only :)

Comments have been disabled for this content.