rspec/rules/S5445/csharp/rule.adoc

Creating temporary files using insecure methods exposes the application to race conditions on filenames: a malicious user can try to create a file with a predictable name before the application does. A successful attack can result in other files being accessed, modified, corrupted or deleted. This risk is even higher if the application runs with elevated permissions.
In the past, it has led to the following vulnerabilities:
* https://nvd.nist.gov/vuln/detail/CVE-2014-1858[CVE-2014-1858]
* https://nvd.nist.gov/vuln/detail/CVE-2014-1932[CVE-2014-1932]
``++Path.GetTempFileName()++`` generates predictable file names and is inherently unreliable and insecure. Additionally, the method will raise an ``++IOException++`` if it is used to create more than 65535 files without deleting previous temporary files.
== Recommended Secure Coding Practices
Out of the box, .NET is missing secure-by-design APIs to create temporary files. To overcome this, one of the following options can be used:
* Use a dedicated sub-folder with tightly controlled permissions
* Create temporary files in a publicly writable folder and make sure:
** The generated filename is unpredictable
** The file is readable and writable only by the creating user ID
** File descriptor is not inherited by child processes
** File is destroyed as soon as it is closed
== Noncompliant Code Example
----
var tempPath = Path.GetTempFileName(); // Noncompliant
using (var writer = new StreamWriter(tempPath))
{
    writer.WriteLine("content");
}
----
== Compliant Solution
----
var randomPath = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
// Creates a new file with write-only, non-inheritable permissions; the file is deleted on close.
using (var fileStream = new FileStream(randomPath, FileMode.CreateNew, FileAccess.Write, FileShare.None, 4096, FileOptions.DeleteOnClose))
using (var writer = new StreamWriter(fileStream))
{
    writer.WriteLine("content");
}
----
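The compliant solution above covers the second option of the recommended practices (public temp folder plus unpredictable name, owner-only access, non-inheritable handle, delete on close). The following added example, which is not part of the rule text, combines it with the first option, a dedicated sub-folder, and handles the one failure mode the compliant solution leaves to the caller: ``++FileMode.CreateNew++`` throws an ``++IOException++`` if the random name already exists. It assumes .NET 7 or later for ``++UnixFileMode++`` and ``++FileStreamOptions.UnixCreateMode++``; the class and method names are illustrative.

```csharp
// Added example, not code from the SonarSource rule. Assumes .NET 7+ (UnixFileMode,
// FileStreamOptions.UnixCreateMode). SecureTempFile / Create are hypothetical names.
using System;
using System.IO;

public static class SecureTempFile
{
    private const UnixFileMode OwnerOnlyDir =
        UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute; // 0700
    private const UnixFileMode OwnerOnlyFile =
        UnixFileMode.UserRead | UnixFileMode.UserWrite;                            // 0600

    // Returns an open stream on a freshly created temporary file. The file is removed
    // automatically when the stream is disposed (FileOptions.DeleteOnClose).
    public static FileStream Create(int maxAttempts = 10)
    {
        // Option 1 of the rule: a dedicated sub-folder, here keyed by the current user name.
        string dir = Path.Combine(Path.GetTempPath(), "app-" + Environment.UserName);
        if (OperatingSystem.IsWindows())
        {
            // The per-user %TEMP% is already restricted to that user; only add the sub-folder.
            Directory.CreateDirectory(dir);
        }
        else
        {
            // Note: if the directory already exists its mode is left unchanged.
            Directory.CreateDirectory(dir, OwnerOnlyDir);
        }

        var options = new FileStreamOptions
        {
            Mode = FileMode.CreateNew,          // never open a pre-existing (possibly planted) file
            Access = FileAccess.ReadWrite,
            Share = FileShare.None,             // no FileShare.Inheritable: child processes do not inherit the handle
            Options = FileOptions.DeleteOnClose, // destroyed as soon as it is closed
            BufferSize = 4096,
        };
        if (!OperatingSystem.IsWindows())
        {
            options.UnixCreateMode = OwnerOnlyFile; // readable/writable only by the creating user
        }

        // Option 2 of the rule: unpredictable name. CreateNew reports a name collision as an
        // IOException, so pick a new random name and try again rather than reusing the file.
        for (int attempt = 0; attempt < maxAttempts; attempt++)
        {
            string path = Path.Combine(dir, Path.GetRandomFileName());
            try
            {
                return new FileStream(path, options);
            }
            catch (IOException) when (File.Exists(path))
            {
                // Name already taken; loop and draw another one.
            }
        }
        throw new IOException($"Could not create a unique temporary file after {maxAttempts} attempts.");
    }
}

public static class Demo
{
    public static void Main()
    {
        using (var stream = SecureTempFile.Create())
        using (var writer = new StreamWriter(stream))
        {
            writer.WriteLine("content");
            Console.WriteLine($"Wrote to {stream.Name}; it is deleted when the stream is disposed.");
        }
    }
}
```

The ``++when (File.Exists(path))++`` filter keeps the retry limited to name collisions; any other ``++IOException++`` (permissions, disk full) still propagates, since silently retrying it would hide the real problem.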
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]