rspec/rules/S2255/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
// === .Net Framework ===

HttpCookie myCookie = new HttpCookie("UserSettings");
myCookie["CreditCardNumber"] = "1234 1234 1234 1234"; // Sensitive; sensitive data stored
myCookie.Values["password"] = "5678"; // Sensitive
myCookie.Value = "mysecret"; // Sensitive
...
Response.Cookies.Add(myCookie);


// === .Net Core ===

Response.Headers.Add("Set-Cookie", ...); // Sensitive
Response.Cookies.Append("mykey", "myValue"); // Sensitive
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 16 Oct 2018, 18:39:51 Nicolas Harraudeau wrote:
*Implementation details*:

*In .Net core*, -any reference to ``++Microsoft.AspNetCore.Http.HttpRequest.Cookies++`` should create an issue. It is a ``++IEnumerable++`` and it is not worth highlighting every manipulation method this class has. There is no "Cookie" Type in .Net Core, they are instead processed as strings.-

The ``++Request++`` object is just a reference to the ``++HttpRequest++`` of the current request.

Regarding ``++Microsoft.AspNetCore.Http.HttpResonse.Cookies++``, only the ``++Append++`` method should raise an issue as the ``++Delete++`` one is not security-sensitive (no risk of injection).

The ``++Response++`` object is just a reference to the ``++HttpResponse++`` of the current request.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`// === .Net Framework ===`

			`HttpCookie myCookie = new HttpCookie("UserSettings");`
			`myCookie["CreditCardNumber"] = "1234 1234 1234 1234"; // Sensitive; sensitive data stored`
			`myCookie.Values["password"] = "5678"; // Sensitive`
			`myCookie.Value = "mysecret"; // Sensitive`
			`...`
			`Response.Cookies.Add(myCookie);`


			`// === .Net Core ===`

			`Response.Headers.Add("Set-Cookie", ...); // Sensitive`
			`Response.Cookies.Append("mykey", "myValue"); // Sensitive`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 16 Oct 2018, 18:39:51 Nicolas Harraudeau wrote:`
			`Implementation details:`

			In .Net core, -any reference to ``++Microsoft.AspNetCore.Http.HttpRequest.Cookies++`` should create an issue. It is a ``++IEnumerable++`` and it is not worth highlighting every manipulation method this class has. There is no "Cookie" Type in .Net Core, they are instead processed as strings.-

			The ``++Request++`` object is just a reference to the ``++HttpRequest++`` of the current request.

			Regarding ``++Microsoft.AspNetCore.Http.HttpResonse.Cookies++``, only the ``++Append++`` method should raise an issue as the ``++Delete++`` one is not security-sensitive (no risk of injection).

			The ``++Response++`` object is just a reference to the ``++HttpResponse++`` of the current request.

			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`