rspec/rules/S4507/csharp/rule.adoc

include::../description.adoc[]
include::../ask-yourself.adoc[]
== Recommended Secure Coding Practices
Do not enable debug features on production servers.
The .NET Core framework offers multiple features that help during debugging. ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++`` and ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++`` are two of them. Make sure that those features are disabled in production.
Use ``++if (env.IsDevelopment())++`` to restrict debug code to the development environment.
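The same guard written for the .NET 6+ minimal hosting model, as an added example that is not part of the original rule page: the developer pages are registered only in Development, and production gets a generic error handler instead. It assumes the Web SDK's implicit usings and the ``++Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore++`` package, whose ``++UseMigrationsEndPoint++`` replaces ``++UseDatabaseErrorPage++`` in .NET 5 and later.

```csharp
// Added example (not from the SonarSource rule page): environment-gated
// debug middleware for the .NET 6+ minimal hosting model.
// Assumes the Web SDK implicit usings and the
// Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore package.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

// The EF Core developer page filter is only registered in Development;
// in any other environment nothing database-related is exposed on errors.
if (builder.Environment.IsDevelopment())
{
    builder.Services.AddDatabaseDeveloperPageExceptionFilter();
}

var app = builder.Build();

// IsDevelopment() is true only when ASPNETCORE_ENVIRONMENT (or
// DOTNET_ENVIRONMENT) equals "Development", so the guard is only as good
// as that setting on the production host.
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage(); // stack traces, headers, source snippets
    app.UseMigrationsEndPoint();     // successor of UseDatabaseErrorPage
}
else
{
    // Generic error page: no exception details or internals leave the server.
    app.UseExceptionHandler("/Home/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapDefaultControllerRoute();

app.Run();
```

Because the guard depends entirely on the environment name, a deployment that sets ``++ASPNETCORE_ENVIRONMENT=Development++`` on a production host re-enables both pages; that setting is outside what this rule inspects.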
== Sensitive Code Example
This rule raises issues when the following .NET Core methods are called: ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++``, ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++``.
----
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            // These calls are Sensitive because they are not guarded and will also run in production
            app.UseDeveloperExceptionPage(); // Sensitive
            app.UseDatabaseErrorPage(); // Sensitive
        }
    }
}
----
== Compliant Solution
----
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                // The following calls are ok because they are disabled in production
                app.UseDeveloperExceptionPage(); // Compliant
                app.UseDatabaseErrorPage(); // Compliant
            }
        }
    }
}
----
== Exceptions
This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.
include::../see.adoc[]