rspec/rules/S4529/vbnet/rule.adoc

Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]

HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).


This rule flags code which creates HTTP endpoint via .Net Framework MVC Controllers.  It guides security code reviews to security-sensitive code.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
Public Class Foo
    Inherits System.Web.Mvc.Controller

    Public Property MyProperty As String
        Get
            Return "test"
        End Get
        Set(ByVal value As String)
        End Set
    End Property

    Public Sub New()
    End Sub

    Public Sub PublicFoo() ' Sensitive. Public Controller methods are exposed as HTTP endpoints.
    End Sub

    <System.Web.Mvc.NonAction>
    Public Sub NotAnEndpoint() ' This is not an endpoint because of the NonAction attribute.
    End Sub

    Protected Sub ProtectedFoo()
    End Sub

    Friend Sub InternalFoo()
    End Sub

    Private Sub PrivateFoo()
    End Sub

    Private Class Bar
        Inherits System.Web.Mvc.Controller

        Public Sub InnerFoo()
        End Sub
    End Class
End Class
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]`

			`HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`This rule flags code which creates HTTP endpoint via .Net Framework MVC Controllers. It guides security code reviews to security-sensitive code.`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`Public Class Foo`
			`Inherits System.Web.Mvc.Controller`

			`Public Property MyProperty As String`
			`Get`
			`Return "test"`
			`End Get`
			`Set(ByVal value As String)`
			`End Set`
			`End Property`

			`Public Sub New()`
			`End Sub`

			`Public Sub PublicFoo() ' Sensitive. Public Controller methods are exposed as HTTP endpoints.`
			`End Sub`

			`<System.Web.Mvc.NonAction>`
			`Public Sub NotAnEndpoint() ' This is not an endpoint because of the NonAction attribute.`
			`End Sub`

			`Protected Sub ProtectedFoo()`
			`End Sub`

			`Friend Sub InternalFoo()`
			`End Sub`

			`Private Sub PrivateFoo()`
			`End Sub`

			`Private Class Bar`
			`Inherits System.Web.Mvc.Controller`

			`Public Sub InnerFoo()`
			`End Sub`
			`End Class`
			`End Class`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`