Create rule S7039: Content Security Policies should be restrictive (NET-24) (#4188)

2024-08-23 14:19:27 +02:00 · 2024-08-23 14:19:27 +02:00 · 54c37571c0
commit 54c37571c0
parent b2b19cb731
2 changed files with 45 additions and 0 deletions
--- a/rules/S7039/csharp/metadata.json
+++ b/rules/S7039/csharp/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S7039/csharp/rule.adoc
+++ b/rules/S7039/csharp/rule.adoc
@ -0,0 +1,43 @@
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+using System.Web;
+
+public async Task InvokeAsync(HttpContext context)
+{
+    context.Response.Headers.ContentSecurityPolicy = "script-src 'self' 'unsafe-inline';"; // Noncompliant
+}
+----
+
+==== Compliant solution
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+using System.Web;
+
+public async Task InvokeAsync(HttpContext context)
+{
+    context.Response.Headers.ContentSecurityPolicy = "script-src 'self' 'sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc=';";
+}
+----
+
+=== How does this work?
+
+include::../common/fix/least_privilege.adoc[]
+
+== Resources
+
+include::../common/resources/docs.adoc[]
+
+include::../common/resources/standards.adoc[]