rspec/rules/S4834/vbnet/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
Imports System.Threading
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.IdentityModel.Tokens

Class SecurityPrincipalDemo
    Class MyIdentity
        Implements IIdentity ' Sensitive, custom IIdentity implementations should be reviewed
    End Class

    Class MyPrincipal
        Implements IPrincipal ' Sensitive, custom IPrincipal implementations should be reviewed
    End Class

    <System.Security.Permissions.PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> ' Sensitive. The access restrictions enforced by this attribute should be reviewed.
    Private Shared Sub CheckAdministrator()
        Dim MyIdentity As WindowsIdentity = WindowsIdentity.GetCurrent() ' Sensitive

        HttpContext.User = ... ' Sensitive: review all reference (set and get) to System.Web HttpContext.User

        Dim domain As AppDomain = AppDomain.CurrentDomain
        domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal) ' Sensitive

        Dim identity As MyIdentity = New MyIdentity() ' Sensitive
        Dim MyPrincipal As MyPrincipal = New MyPrincipal(MyIdentity) ' Sensitive
        Thread.CurrentPrincipal = MyPrincipal ' Sensitive
        domain.SetThreadPrincipal(MyPrincipal) ' Sensitive

        Dim principalPerm As PrincipalPermission = New PrincipalPermission(Nothing, "Administrators")  ' Sensitive
        principalPerm.Demand()

        Dim handler As SecurityTokenHandler = ...
        Dim identities As ReadOnlyCollection(Of ClaimsIdentity) = handler.ValidateToken()  ' Sensitive, this creates identity
    End Sub

    ' Sensitive: review how this function uses the identity and principal.
    Private Sub modifyPrincipal(ByVal identity As MyIdentity, ByVal principal As MyPrincipal)
    End Sub
End Class
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`Imports System.Threading`
			`Imports System.Security.Permissions`
			`Imports System.Security.Principal`
			`Imports System.IdentityModel.Tokens`

			`Class SecurityPrincipalDemo`
			`Class MyIdentity`
			`Implements IIdentity ' Sensitive, custom IIdentity implementations should be reviewed`
			`End Class`

			`Class MyPrincipal`
			`Implements IPrincipal ' Sensitive, custom IPrincipal implementations should be reviewed`
			`End Class`

			`<System.Security.Permissions.PrincipalPermission(SecurityAction.Demand, Role:="Administrators")> ' Sensitive. The access restrictions enforced by this attribute should be reviewed.`
			`Private Shared Sub CheckAdministrator()`
			`Dim MyIdentity As WindowsIdentity = WindowsIdentity.GetCurrent() ' Sensitive`

			`HttpContext.User = ... ' Sensitive: review all reference (set and get) to System.Web HttpContext.User`

			`Dim domain As AppDomain = AppDomain.CurrentDomain`
			`domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal) ' Sensitive`

			`Dim identity As MyIdentity = New MyIdentity() ' Sensitive`
			`Dim MyPrincipal As MyPrincipal = New MyPrincipal(MyIdentity) ' Sensitive`
			`Thread.CurrentPrincipal = MyPrincipal ' Sensitive`
			`domain.SetThreadPrincipal(MyPrincipal) ' Sensitive`

			`Dim principalPerm As PrincipalPermission = New PrincipalPermission(Nothing, "Administrators") ' Sensitive`
			`principalPerm.Demand()`

			`Dim handler As SecurityTokenHandler = ...`
			`Dim identities As ReadOnlyCollection(Of ClaimsIdentity) = handler.ValidateToken() ' Sensitive, this creates identity`
			`End Sub`

			`' Sensitive: review how this function uses the identity and principal.`
			`Private Sub modifyPrincipal(ByVal identity As MyIdentity, ByVal principal As MyPrincipal)`
			`End Sub`
			`End Class`
			`----`

			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`