ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4529/csharp/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

68 lines
2.0 KiB
Plaintext
Raw Blame History

Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]
HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).
This rule flags code which creates HTTP endpoint via .Net Framework MVC Controllers. It guides security code reviews to security-sensitive code.
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
public class Foo : System.Web.Mvc.Controller
{
public string MyProperty
{
get { return "test"; }
set { }
}
public Foo() { }
public void PublicFoo() // Sensitive. Public Controller methods are exposed as HTTP endpoints.
{
// ...
}
[System.Web.Mvc.NonAction]
public void NotAnEndpoint() // This is not an endpoint because of the NonAction attribute.
{ }
protected void ProtectedFoo() { }
internal void InternalFoo() { }
private void PrivateFoo() { }
private class Bar : System.Web.Mvc.Controller
{
public void InnerFoo() { }
}
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 3 Oct 2018, 10:50:38 Nicolas Harraudeau wrote:
Out of scope:
* WCF: it can support many different bindings (message queue, http, etc…). A dedicated rule is better suited.
* .Net core. It is not supported yet by the taint analysis and can be added later.
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink