51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
71 lines
2.1 KiB
Plaintext
71 lines
2.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Do not enable debugging features on production servers.
|
|
|
|
|
|
The .Net Core framework offers multiple features which help during debug. ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++`` and ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++`` are two of them. Make sure that those features are disabled in production.
|
|
|
|
Use ``++If env.IsDevelopment()++`` to disable debug code.
|
|
|
|
== Sensitive Code Example
|
|
|
|
This rule raises issues when the following .Net Core methods are called: ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++``, ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++``.
|
|
|
|
[source,vbnet]
|
|
----
|
|
Imports Microsoft.AspNetCore.Builder
|
|
Imports Microsoft.AspNetCore.Hosting
|
|
|
|
Namespace MyMvcApp
|
|
Public Class Startup
|
|
Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
|
|
' Those calls are Sensitive because it seems that they will run in production
|
|
app.UseDeveloperExceptionPage() 'Sensitive
|
|
app.UseDatabaseErrorPage() 'Sensitive
|
|
End Sub
|
|
End Class
|
|
End Namespace
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,vbnet]
|
|
----
|
|
Imports Microsoft.AspNetCore.Builder
|
|
Imports Microsoft.AspNetCore.Hosting
|
|
|
|
Namespace MyMvcApp
|
|
Public Class Startup
|
|
Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
|
|
If env.IsDevelopment() Then ' Compliant
|
|
' The following calls are ok because they are disabled in production
|
|
app.UseDeveloperExceptionPage()
|
|
app.UseDatabaseErrorPage()
|
|
End If
|
|
End Sub
|
|
End Class
|
|
End Namespace
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|