AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.
Medium: CsAttributeValidator.Validate is called-through a disabled branch, so no CS-attribute validation runs
Affected code:
Description:
The validator class exists and is non-trivial: it knows the target restrictions for cs::attribute, cs::encodedReturn, cs::identifier, cs::public, cs::readonly, and cs::type, and it rejects unknown cs:: directives outright. None of that runs in the current generator pipeline. The call-site in GeneratorDriver.RunCore is commented out, and the comment says validation was removed because slicec isn't yet forwarding generator diagnostics correctly.
Consequences:
cs::type on an unrelated target (e.g. an enumerator) reaches the code generator, which either silently ignores it or splices it into an unexpected position.cs::attribute with zero arguments — which Validate would reject — reaches AddCSAttributes at BuilderExtensions.cs:37 and throws an ArgumentOutOfRangeException from Args[0].- Unknown
cs:: directives (typos, future attributes) are silently accepted.
Every downstream Medium finding in this audit is much worse while the validator is disabled, because even the basic safety net — "you can't put cs::attribute on a struct" — doesn't exist.
Impact:
- The documented CS-attribute model is unenforced.
- Build errors surface as opaque generator crashes instead of actionable diagnostics.
- Malicious inputs and honest mistakes are treated the same: they reach the code emitter.
Recommendation:
- Fix the upstream
slicec diagnostic-forwarding issue referenced in the TODO and turn validation back on. If that isn't possible short-term, at minimum emit the diagnostics through stderr so a human sees them.
- Add an integration test that asserts the validator is reached during normal compilation.
Severity: Medium.
Source report: src-ZeroC.Slice.Generator-audit-2026-04-14.md (finding ``CsAttributeValidator.Validate is called-through a disabled branch, so no CS-attribute validation runs)
Severity (auditor-assigned): Medium
Medium:
CsAttributeValidator.Validateis called-through a disabled branch, so no CS-attribute validation runsAffected code:
Validatecall is commented out behind aTODO: enable validation once slicec correctly handles the diagnostics reported by the generators., anddiagnosticsis initialized to an empty listValidateis fully implemented and would reject mis-targeted CS attributes, wrong argument counts, and unknowncs::directives if invokedDescription:
The validator class exists and is non-trivial: it knows the target restrictions for
cs::attribute,cs::encodedReturn,cs::identifier,cs::public,cs::readonly, andcs::type, and it rejects unknowncs::directives outright. None of that runs in the current generator pipeline. The call-site inGeneratorDriver.RunCoreis commented out, and the comment says validation was removed becauseslicecisn't yet forwarding generator diagnostics correctly.Consequences:
cs::typeon an unrelated target (e.g. an enumerator) reaches the code generator, which either silently ignores it or splices it into an unexpected position.cs::attributewith zero arguments — whichValidatewould reject — reachesAddCSAttributesat BuilderExtensions.cs:37 and throws anArgumentOutOfRangeExceptionfromArgs[0].cs::directives (typos, future attributes) are silently accepted.Every downstream Medium finding in this audit is much worse while the validator is disabled, because even the basic safety net — "you can't put
cs::attributeon a struct" — doesn't exist.Impact:
Recommendation:
slicecdiagnostic-forwarding issue referenced in the TODO and turn validation back on. If that isn't possible short-term, at minimum emit the diagnostics throughstderrso a human sees them.Severity: Medium.
Source report: src-ZeroC.Slice.Generator-audit-2026-04-14.md (finding ``CsAttributeValidator.Validate
is called-through a disabled branch, so no CS-attribute validation runs)Severity (auditor-assigned): Medium