ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4787/csharp/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

98 lines
3.5 KiB
Plaintext
Raw Permalink Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
using System;
using System.Security.Cryptography;
namespace MyNamespace
{
public class MyClass
{
public void Main()
{
Byte[] data = {1,1,1};
RSA myRSA = RSA.Create();
RSAEncryptionPadding padding = RSAEncryptionPadding.CreateOaep(HashAlgorithmName.SHA1);
// Review all base RSA class' Encrypt/Decrypt calls
myRSA.Encrypt(data, padding); // Sensitive
myRSA.EncryptValue(data); // Sensitive
myRSA.Decrypt(data, padding); // Sensitive
myRSA.DecryptValue(data); // Sensitive
RSACryptoServiceProvider myRSAC = new RSACryptoServiceProvider();
// Review the use of any TryEncrypt/TryDecrypt and specific Encrypt/Decrypt of RSA subclasses.
myRSAC.Encrypt(data, false); // Sensitive
myRSAC.Decrypt(data, false); // Sensitive
int written;
myRSAC.TryEncrypt(data, Span<byte>.Empty, padding, out written); // Sensitive
myRSAC.TryDecrypt(data, Span<byte>.Empty, padding, out written); // Sensitive
byte[] rgbKey = {1,2,3};
byte[] rgbIV = {4,5,6};
SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
// Review the creation of Encryptors from any SymmetricAlgorithm instance.
rijn.CreateEncryptor(); // Sensitive
rijn.CreateEncryptor(rgbKey, rgbIV); // Sensitive
rijn.CreateDecryptor(); // Sensitive
rijn.CreateDecryptor(rgbKey, rgbIV); // Sensitive
}
public class MyCrypto : System.Security.Cryptography.AsymmetricAlgorithm // Sensitive
{
// ...
}
public class MyCrypto2 : System.Security.Cryptography.SymmetricAlgorithm // Sensitive
{
// ...
}
}
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 8 Oct 2018, 18:14:56 Nicolas Harraudeau wrote:
*Implementation details*:
Note that the example does not list all RSA subclasses. RSA subclasses have additional encryption and decryption methods which are not present in the parent class.
See https://docs.microsoft.com/en-gb/dotnet/standard/security/encrypting-data[.Net documentation].
=== on 6 Nov 2018, 18:57:56 Duncan Pocklington wrote:
\[~nicolas.harraudeau] a couple of questions:
* _MyCrypto2 : System.Security.Cryptography.SymmetricAlgorithm_: _MyCrypto2_ will have to provide implementations of _CreateEncryptor_ and _CreateDecryptor_, and any use of those methods will be flagged as issues. What's the reason for also flagging class definitions that inherit from _SymmetricAlgorithms_? Is it because implementing your own encrypting algorithms isn't generally a good idea? If so, it would be worth adding that as a comment in the Sensitive Code Example.
* same for _AsymmetricAlgorithm_, except in this case the answer might be different since the base class doesn't define any methods that we are tracking
=== on 7 Nov 2018, 09:57:32 Nicolas Harraudeau wrote:
\[~duncan.pocklington] As said IRL: for both classes it is generally a bad practice to define your own implementations. I'll update the RSPEC right away.
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink