
I am using a tool (Fortify), which is detecting a vulnerability in the following block of code:

```vb
For Each member As Object In CType(members, IEnumerable)
    Using x As DirectoryEntry = New DirectoryEntry(member)
        Dim name As String = x.Name
        If name <> deUser.Name Then
            isGroupMember = False
        Else
            isGroupMember = True
            Exit For
        End If
    End Using
Next member
```

It mentions that it fails to release an LDAP resource (var X), due to the "Exit For".

As far as I know, the "Using" statement disposes the object even if it doesn't execute all of the block's code. Is that right? Or should it be done differently?

I think it is maybe a false-positive issue.

securecodeninja
Luis Jasso
  • According to [the documentation](https://docs.microsoft.com/en-us/dotnet/visual-basic/language-reference/statements/using-statement), *"Sometimes your code requires an unmanaged resource, such as a file handle, a COM wrapper, or a SQL connection. **A Using block guarantees the disposal of one or more such resources** when your code is finished with them."* and *"You do not need a Using block for managed resources. However, you can still use a Using block to force the disposal of a managed resource instead of waiting for the garbage collector."* So I don't think you need to worry about it. – Rufus L Sep 26 '20 at 00:10
  • Are you asking if exiting the `for` loop also exits the `using` block? (it does). The question is a little unclear on that point. – Rufus L Sep 26 '20 at 00:13
  • It looks like a false positive to me. Fortify does that sometimes – Flydog57 Sep 26 '20 at 00:19
  • @RufusL the question is: since it is not reaching the "End Using", is the object X released? I think yes, but the issue mentioned by the tool caused me some noise. – Luis Jasso Sep 26 '20 at 00:20
  • Ok, thanks for clarification. Marking as duplicate... – Rufus L Sep 26 '20 at 00:23
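
The behaviour discussed in the question and comments can be checked directly. The following is an added example, not code from the original post: `TrackedEntry` is a hypothetical stand-in for `DirectoryEntry` that records each `Dispose` call, and the member names are constructed sample data. It runs the same loop shape and shows that the entry that triggers `Exit For` is still disposed, because a `Using` block behaves like `Try...Finally`.

```vb
Imports System
Imports System.Collections.Generic

Module UsingExitForDemo
    ' Hypothetical stand-in for DirectoryEntry: records every Dispose call.
    Class TrackedEntry
        Implements IDisposable
        Public Shared ReadOnly Disposed As New List(Of String)
        Public ReadOnly Property Name As String

        Public Sub New(entryName As String)
            Me.Name = entryName
        End Sub

        Public Sub Dispose() Implements IDisposable.Dispose
            Disposed.Add(Name)
        End Sub
    End Class

    ' Same loop shape as the flagged code: Exit For inside a Using block.
    Function IsMember(members As IEnumerable(Of String), userName As String) As Boolean
        Dim isGroupMember As Boolean = False
        For Each member As String In members
            Using x As New TrackedEntry(member)
                If x.Name = userName Then
                    isGroupMember = True
                    ' Leaves the loop; the Finally generated for Using
                    ' still calls x.Dispose() on the way out.
                    Exit For
                End If
            End Using
        Next
        Return isGroupMember
    End Function

    Sub Main()
        ' Constructed sample data, not real directory entries.
        Dim members = New String() {"CN=alice", "CN=bob", "CN=carol"}
        Dim found As Boolean = IsMember(members, "CN=bob")
        Console.WriteLine("found: " & found)
        ' Every entry that was constructed appears here, including the match.
        Console.WriteLine("disposed: " & String.Join(", ", TrackedEntry.Disposed))
    End Sub
End Module
```

Members after the match are never wrapped in a `TrackedEntry`, so there is nothing further for the loop to dispose.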

0 Answers