Create rule S6776: Stack-traces should not be disclosed (#4133)

* Add csharp to rule S6776 * Add blazor content * Add Blazor * Add how to fix it in ASP.NET section * Update rules/S6776/csharp/how-to-fix-it/blazor.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update rules/S6776/csharp/how-to-fix-it/blazor.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove dash --------- Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
2024-08-22 11:17:16 +02:00 · 2024-08-22 11:17:16 +02:00 · 1c2ab2361a
commit 1c2ab2361a
parent e738a460ae
7 changed files with 201 additions and 46 deletions
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@ -8,6 +8,7 @@
 * Dapper
 * BouncyCastle
 * Jwt.Net
+* Blazor
 // C-Family
 * Botan
 * CryptoPP
--- a/rules/S6776/csharp/how-to-fix-it/asp.net.adoc
+++ b/rules/S6776/csharp/how-to-fix-it/asp.net.adoc
@ -0,0 +1,56 @@
+== How to fix it in ASP.NET
+
+Implement proper error handling by reporting customized error messages that do not contain a detailed stack trace. Log the exception stack trace if needed.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+[ApiController]
+[Route("/")]
+public class StacktraceController : ControllerBase
+{
+    [HttpGet("Exception")]
+    public string ExceptionEndpoint()
+    {
+        try {
+            throw new InvalidOperationException(ExceptionMessage);
+        }
+        catch (Exception ex) {
+            return ex.StackTrace; // Noncompliant
+        }
+        return "Ok";
+    }
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+[ApiController]
+[Route("/")]
+public class StacktraceController : ControllerBase
+{
+    private readonly ILogger<StacktraceController> Logger;
+
+    public StacktraceController(ILogger<StacktraceController> logger)
+    {
+        Logger = logger;
+    }
+
+    [HttpGet("Exception")]
+    public string ExceptionEndpoint()
+    {
+        try {
+            throw new InvalidOperationException(ExceptionMessage);
+        }
+        catch (Exception ex) {
+            Logger.LogError(ex.StackTrace);
+        }
+        return "Ok";
+    }
+}
+----
--- a/rules/S6776/csharp/how-to-fix-it/blazor.adoc
+++ b/rules/S6776/csharp/how-to-fix-it/blazor.adoc
@ -0,0 +1,55 @@
+== How to fix it in Blazor
+
+Implement proper error handling by reporting customized error messages that do not contain a detailed stack trace. Log the exception stack trace if needed.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=2,diff-type=noncompliant]
+----
+@page "/"
+
+<p>@Content</p>  <!-- Noncompliant -->
+
+@code {
+    private String Content = "";
+
+    protected override void OnInitialized()
+    {
+        try
+        {
+            throw new InvalidOperationException("");
+        }
+        catch (Exception ex)
+        {
+            Content = ex.StackTrace;
+        }
+    }
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=2,diff-type=compliant]
+----
+@page "/"
+@using Microsoft.Extensions.Logging
+@inject ILogger<Example> Logger
+
+<p>Internal Server Error</p>
+
+@code {
+    protected override void OnInitialized()
+    {
+        try
+        {
+            throw new InvalidOperationException("");
+        }
+        catch (Exception ex)
+        {
+            Logger.LogError(ex.StackTrace);
+        }
+    }
+}
+----
--- a/rules/S6776/csharp/metadata.json
+++ b/rules/S6776/csharp/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6776/csharp/rule.adoc
+++ b/rules/S6776/csharp/rule.adoc
@ -0,0 +1,41 @@
+Exception stack traces contain sensitive data that the application's code should
+not disclose as error messages. 
+
+== Why is this an issue?
+
+Stack traces contain sensitive data like filenames or folder hierarchies. 
+They can expose implementation details, including the application's
+architecture, logic, and potential vulnerabilities. Attackers can leverage these
+valuable insights to identify weaknesses, devise attack strategies, and exploit
+vulnerabilities.
+
+// How to fix it section
+
+include::how-to-fix-it/asp.net.adoc[]
+
+include::how-to-fix-it/blazor.adoc[]
+
+== Resources
+
+=== Standards
+
+* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
+* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] 
+* CWE - https://cwe.mitre.org/data/definitions/209[CWE-209 - Generation of Error Message Containing Sensitive Information]
+* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code] 
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222610[Application Security and Development: V-222610] - The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Source: this invocation returns a stack trace.
+Sink: this invocation outputs sensitive content to the HTTP response.
+
+
+endif::env-github,rspecator-view[]
--- a/rules/S6776/metadata.json
+++ b/rules/S6776/metadata.json
@ -1,2 +1,48 @@
 {
+  "title": "Stack traces should not be disclosed",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6776",
+  "sqKey": "S6776",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      489,
+      209
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "OWASP Top 10 2021": [
+      "A4"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "14.3.1",
+      "14.3.2"
+    ],
+    "STIG ASD_V5R3": [
+      "V-222610"
+    ]
+  },
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "LOW"
+    },
+    "attribute": "COMPLETE"
+  }
 }
--- a/rules/S6776/python/metadata.json
+++ b/rules/S6776/python/metadata.json
@ -1,48 +1,2 @@
 {
-  "title": "Stack-traces should not be disclosed",
-  "type": "VULNERABILITY",
-  "status": "ready",
-  "remediation": {
-    "func": "Constant\/Issue",
-    "constantCost": "30min"
-  },
-  "tags": [
-  ],
-  "defaultSeverity": "Major",
-  "ruleSpecification": "RSPEC-6776",
-  "sqKey": "S6776",
-  "scope": "All",
-  "securityStandards": {
-    "CWE": [
-      489,
-      209
-    ],
-    "OWASP": [
-      "A3"
-    ],
-    "OWASP Top 10 2021": [
-      "A4"
-    ],
-    "PCI DSS 3.2": [
-      "6.5.10"
-    ],
-    "PCI DSS 4.0": [
-      "6.2.4"
-    ],
-    "ASVS 4.0": [
-      "14.3.1",
-      "14.3.2"
-    ],
-    "STIG ASD_V5R3": [
-      "V-222610"
-    ]
-  },
-  "defaultQualityProfiles": ["Sonar way"],
-  "quickfix": "unknown",
-  "code": {
-    "impacts": {
-      "SECURITY": "LOW"
-    },
-    "attribute": "COMPLETE"
-  }
 }