AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.
Medium: the generator's CS-attribute validator is disabled, so malformed attributes can crash the plug-in instead of producing diagnostics
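Affected code:
- CsAttributeValidator.Validate(symbolFiles) is commented out and replaced with an empty diagnostic list
- CustomType handling assumes [cs::type] exists and uses FindAttribute(... )!.Value
- Args[0]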
Description:
The project contains a dedicated validator for C#-specific Slice attributes, including checks that:
- required attributes such as cs::type are present on custom types,
- attributes appear only on supported targets, and
- string-argument attributes have the expected number of arguments.
However, the driver currently skips this validation entirely. Later code then dereferences required attributes and argument lists as if validation had already happened. As a result, malformed inputs can fail as opaque plug-in crashes instead of clean, source-located diagnostics. Examples include:
- a custom type without cs::type, which reaches the null-forgiving dereference in ITypeExtensions.CustomToTypeString, and
- cs::identifier() or cs::type() with zero arguments, which reaches one of the unguarded Args[0] reads.
This is a robustness problem rather than a runtime vulnerability, but it meaningfully degrades diagnosability: the developer gets a generator failure instead of a useful error that points at the bad attribute.
Impact:
- Malformed Slice attributes can terminate the generator with an unhelpful exception or plug-in failure.
- The actual schema mistake is hidden behind a secondary failure in the code generator.
Recommendation:
- Re-enable CsAttributeValidator.Validate once the surrounding slicec diagnostics path can carry these errors correctly.
- Until then, add local guards around required-attribute and Args[0] reads so malformed input yields a deliberate diagnostic rather than a null-reference or index error.
Severity: Medium.
Source report: src-IceRpc.Slice.Generator-audit-2026-04-14.md (finding the generator's CS-attribute validator is disabled, so malformed attributes can crash the plug-in instead of producing diagnostics)
Severity (auditor-assigned): Medium
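The local guard suggested in the recommendation, sketched as an added example (not code from the IceRpc repository or from the audit report). SourceSpan, SliceAttribute, Diagnostic and RequireSingleArg are hypothetical stand-ins for the generator's own types, and the rule that cs::type takes exactly one argument is an assumption.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins; the generator's real types are not shown in this issue.
record SourceSpan(string File, int Line);
record SliceAttribute(string Directive, IReadOnlyList<string> Args, SourceSpan Span);
record Diagnostic(string Message, SourceSpan Span);

static class AttributeGuards
{
    // Returns the attribute's single argument, or null after recording a
    // source-located diagnostic. Replaces FindAttribute(...)!.Value and bare Args[0].
    public static string? RequireSingleArg(IEnumerable<SliceAttribute> attributes,
        string directive, SourceSpan owner, List<Diagnostic> diagnostics)
    {
        SliceAttribute? attr = attributes.FirstOrDefault(a => a.Directive == directive);
        if (attr is null)
        {
            // Missing required attribute: point at the declaration that needs it.
            diagnostics.Add(new Diagnostic($"missing required attribute '{directive}'", owner));
            return null;
        }
        if (attr.Args.Count != 1) // assumed arity for this directive
        {
            diagnostics.Add(new Diagnostic(
                $"'{directive}' expects exactly 1 argument, found {attr.Args.Count}", attr.Span));
            return null;
        }
        return attr.Args[0];
    }
}

static class Demo
{
    static void Main()
    {
        var diagnostics = new List<Diagnostic>();
        var decl = new SourceSpan("example.slice", 3); // constructed sample input
        var cases = new[] {
            Array.Empty<SliceAttribute>(),                                   // no cs::type
            new[] { new SliceAttribute("cs::type", Array.Empty<string>(), decl with { Line = 7 }) },
            new[] { new SliceAttribute("cs::type", new[] { "System.Guid" }, decl with { Line = 11 }) },
        };
        foreach (var attrs in cases)
            Console.WriteLine(AttributeGuards.RequireSingleArg(attrs, "cs::type", decl, diagnostics) ?? "<skipped>");
        foreach (var d in diagnostics)
            Console.WriteLine($"{d.Span.File}:{d.Span.Line}: error: {d.Message}");
    }
}
```

Callers skip code generation for the affected declaration when the helper returns null, so the only thing the developer sees is the diagnostic.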