How to Use Reflection to Dump Objects
In this article, I will show how to write some .Net code that uses a feature called "reflection" to generate a String containing the values of all of an object's fields. Please feel free to e-mail me with any comment or question about any detail of this source code.
First of all, what is reflection? It is a set of classes defined in the namespace System.Reflection. With these classes (and mainly with their static methods), at runtime you can inspect any object without knowing its type and discover its methods, fields, properties, and constructors. You can then invoke those methods, read or write property (or field) values, or create another object of the same type as the source one by invoking its constructors.
What we are writing is a simple class named Dumper that works in just this way, reading an object's fields at runtime. This is only a small sample of what is possible with reflection. Think about the other great potential (and also the security risk) of being able to access every private field of any class not written by you (adding buttons to toolbars, changing form layouts, invoking private methods, and so on).
The following image shows the demo project output. As you can see, it is simpler than what Visual Studio shows, but it is quite useful if you plan to implement some kind of logging in your applications: you can trap exceptions, display a generic error message to users, and then save the detailed object data to a log file.
External Visible Interfaces
The Dumper class is a typical utility class, so every method must be declared static and the class must never be instantiated. For this reason, we declare a protected empty constructor. If we don't provide a constructor, the compiler automatically adds an empty public constructor that invokes the Object constructor. We choose the protected modifier because we want to allow someone to inherit from our class: if the constructor is private, the class cannot be inherited, because there is no way for the derived object to construct its base class.
We provide the dump feature through an overloaded method called DumpObject. Mainly, it would be enough to pass it the object to dump, but since an object can contain many other large objects, which in turn host other objects and so on, it is better to also provide a second version of this method where we can specify the maximum allowed nesting level.
Then, we will write some other methods basically used internally. The following image shows the Dumper class.
How the Dumper Works
Our starting point would be a class like the following one (Table 1):
```
1: using System;
4: namespace DumperLib
obj, int MaxLevel)
```
As you can see, the DumpObject version with no maximum nesting level simply calls the other version with a special parameter value (-1). The other version does the following:
- It instantiates a StringBuilder object used to host the partially generated dump (rows 1 and 2). This is a better solution than using a String object, because every time you append something to a String a new String object is generated and the previous object is discarded, which wastes memory.
- It checks whether the object to dump is a valid reference (rows 3-9).
- It calls an internal function to physically dump the object (row 7).
Everything is summarized in the following code (Table 2):
```
1: StringBuilder sb;
2: sb = new StringBuilder(10000);
3: if (obj == null)
```
The PrivDump function is shown next (Table 3):
```
1: protected static void PrivDump(StringBuilder sb, object obj,
8: string padstr;
10: for(int i=0;i<level;i++)
18: t = obj.GetType();
(obj.GetType().BaseType == typeof(ValueType))
30: Dumper.DumpType(padstr, sb, obj, level, t, MaxLevel);
31: Type bt;
```
Let's look at the code. Obviously, the algorithm must be recursive, so we have to insert a recursion termination check: if the object is null or we have reached the maximum nesting level, we exit immediately (rows 4-7).
Then, we generate a padding string composed of as many pipe symbols as the current nesting level minus one, followed by a plus symbol (rows 8-14). This is done to build a string similar to the Visual Studio .Net tree structure. We append to the StringBuilder (rows 15-27) this padding string, the field name, the type name, and the string representation of the field (obtained by calling the ToString method).
Here, we have to add another termination check. If we have a field that is a value type (in this simple class, we don't care about fields that are structs), we have already fully dumped it, so we can exit from the function (rows 28-29). In all other cases, we call another internal function named DumpType. This function retrieves every field of this object instance and dumps them (row 30).
Now, we have to print every field value for this object from the parent class point of view as well. So (in rows 31-46) we obtain the base class type; if it is valid, we call DumpType again, passing it the same object but the parent class type.
Finally, there is the DumpType method (See Table 4).
```
1: protected static void DumpType(string InitialStr, StringBuilder sb,
4: if (t == typeof(System.Delegate)) return;
5: FieldInfo fi;
8: foreach( FieldInfo f in
(obj is System.Array )
```
This is the core method of our class. The first thing we have to test is whether this field is a delegate (row 4). A delegate is a typed function pointer, so there is no value to obtain from it, and we exit immediately.
In all other cases, we obtain the field information by invoking the GetFields method on the type. This method returns a FieldInfo array (rows 5-7). Here, we specify that we want to retrieve every field (public, protected, private, and static).
To dump the field values (rows 8-9), we call the PrivDump method again, passing it the field value obtained by invoking the GetValue method on the FieldInfo reference.
If the object to dump is an array (rows 10-22), we dump every array cell by calling the PrivDump method on it.
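The whole class described above, written out as an added example; this is not the article's own listing, which survives only in fragments here. It follows the article's structure (DumpObject/PrivDump/DumpType, -1 for no nesting limit, BindingFlags covering non-public and static fields) but treats strings like value types and adds DeclaredOnly to the GetFields call, which are my choices, not the author's.

```csharp
using System;
using System.Reflection;
using System.Text;

namespace DumperLib
{
    public class Dumper
    {
        protected Dumper() { }   // utility class: never instantiated, still inheritable

        // -1 means "no nesting limit"; only a non-negative MaxLevel bounds cyclic object graphs.
        public static string DumpObject(object obj) { return DumpObject(obj, -1); }

        public static string DumpObject(object obj, int MaxLevel)
        {
            if (obj == null) return "null";
            StringBuilder sb = new StringBuilder(10000);
            PrivDump(sb, obj, "root", 0, MaxLevel);
            return sb.ToString();
        }

        protected static void PrivDump(StringBuilder sb, object obj, string name, int level, int MaxLevel)
        {
            // Recursion termination: null reference or nesting limit reached.
            if (obj == null || (MaxLevel >= 0 && level > MaxLevel)) return;
            // Padding: one pipe per enclosing level, then "+" for this node (VS-style tree).
            string padstr = new string('|', Math.Max(level - 1, 0)) + (level > 0 ? "+" : "");
            Type t = obj.GetType();
            sb.Append(padstr).Append(name).Append(" (").Append(t.Name).Append(") = ")
              .AppendLine(obj.ToString());
            // Value types are fully described by ToString(); strings are stopped here too (my choice).
            if (t.IsValueType || obj is string) return;
            DumpType(sb, obj, level, t, MaxLevel);
            // Walk up the hierarchy so fields declared on base classes are dumped as well.
            for (Type bt = t.BaseType; bt != null && bt != typeof(object); bt = bt.BaseType)
                DumpType(sb, obj, level, bt, MaxLevel);
        }

        protected static void DumpType(StringBuilder sb, object obj, int level, Type t, int MaxLevel)
        {
            if (typeof(Delegate).IsAssignableFrom(t)) return;   // a delegate has no value to show
            // DeclaredOnly keeps the base-class walk above from listing inherited fields twice.
            const BindingFlags all = BindingFlags.Instance | BindingFlags.Static |
                BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
            foreach (FieldInfo f in t.GetFields(all))
                PrivDump(sb, f.GetValue(obj), f.Name, level + 1, MaxLevel);
            if (!(obj is Array)) return;
            int i = 0;
            foreach (object cell in (Array)obj)          // dump every array cell as a child node
                PrivDump(sb, cell, "[" + (i++) + "]", level + 1, MaxLevel);
        }
    }
}
```

Because the walk reads NonPublic fields, anything an object keeps in a private field (passwords, tokens, keys) ends up in the returned string, so redact the dump before writing it to a log.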
How to Test Our Work
The code to test the class is very simple. You have to call the DumpObject method by passing a valid object as in the following code fragment (Table 5).
```
1: Console.WriteLine(DumperLib.Dumper.DumpObject(new Form(),5));
```