rspec/rules/S4507/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

Do not enable debugging features on production servers.

The .Net Core framework offers multiple features which help during debug. ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++`` and ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++`` are two of them. Make sure that those features are disabled in production.

Use ``++if (env.IsDevelopment())++`` to disable debug code.

== Sensitive Code Example

This rule raises issues when the following .Net Core methods are called: ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++``, ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++``. 

[source,csharp]
----
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            // Those calls are Sensitive because it seems that they will run in production
            app.UseDeveloperExceptionPage(); // Sensitive
            app.UseDatabaseErrorPage(); // Sensitive
        }
    }
}
----

== Compliant Solution

[source,csharp]
----
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                // The following calls are ok because they are disabled in production
                app.UseDeveloperExceptionPage(); // Compliant
                app.UseDatabaseErrorPage(); // Compliant
            }
        }
    }
}
----

== Exceptions

This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 16 Oct 2018, 18:46:47 Nicolas Harraudeau wrote:
*Implementation details*:

*In .Net Core*

The following block is generally generated automatically by the IDE:

----
if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
    app.UseDatabaseErrorPage();
}
----
However after looking in Github it seems that developers often copy paste the content of the "if" block outside of the "if", which creates a vulnerability.


The rule should not try to detect every possible "if" statement. It should instead check that, if there is a call to ``++app.UseDeveloperExceptionPage()++`` or ``++app.UseDatabaseErrorPage()++``, it is in the exact "if" statement ``++if (env.IsDevelopment())++``.

=== on 31 Oct 2018, 09:54:11 Nicolas Harraudeau wrote:
*TODO once we have a solution for analyzing configuration files*:

For .Net Framework applications

----
<!-- Web.config file -->
<configuration>
...
  <system.web>
    <customErrors mode="Off"/>  <!-- Sensitive -->
    <trace enabled="true"/> <!-- Sensitive -->
    <compilation debug="true"/> <!-- Sensitive -->
  </system.web>
</configuration>
----
*Recommendation:*

The .Net Framework offers different debug features which can be enabled in the Web.config file. Add a Web.config transformation file, for "Release" publications, disabling ``++debug++``, ``++trace++`` and enabling ``++customErrors++``. This will prevent those properties from being published on production servers.

The application should run by default in the most secure mode, i.e. as on production servers. This is to prevent any mistake. Do not commit Web.config file with ``++trace++`` enabled or ``++customErrors++`` disabled. If these features are needed for debug deployment, do it in the ``++Web.Debug.config++`` transform file.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]