ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5659/csharp/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

97 lines
2.7 KiB
Plaintext
Raw Blame History

== Why is this an issue?
include::../description.adoc[]
=== Noncompliant code example
https://github.com/jwt-dotnet/jwt[jwt-dotnet] library:
[source,csharp]
----
var decodedtoken1 = decoder.Decode(token, secret, verify: false); // Noncompliant: signature should be verified
var decodedtoken2 = new JwtBuilder()
.WithSecret(secret)
.Decode(forgedtoken1); // Noncompliant: signature should be verified
----
=== Compliant solution
https://github.com/jwt-dotnet/jwt[jwt-dotnet] library:
[source,csharp]
----
var decodedtoken1 = decoder.Decode(forgedtoken1, secret, verify: true); // Compliant
var decodedtoken2 = new JwtBuilder()
.WithSecret(secret)
.MustVerifySignature()
.Decode(token); // Compliant
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 4 Mar 2020, 16:31:13 Pavel Mikula wrote:
Hi [~eric.therond],
I'm about to implement this one. Message and description mentions encoding phase as well, but I haven't found encoding example any where. And JwtEncoder does not accept null instead of encoding algorithm.
So the encoding is save and we should care only about decoding in this rule?
Should we keep same message for C# as well? It seems useful to use more precise message here.
=== on 4 Mar 2020, 17:17:48 Eric Therond wrote:
Hi [~pavel.mikula]
I didn't see either a way to not sign a JWT (or with "none" algorithm) with this library.
For the moment, we only need to worry about decoding/signature verification in this rule for C# but I suppose it exists other libraries that could be unsafe for the signing part.
It's better to not have messages which depend of the language:
* to not confuse users when they switch from one language to another
* it's easier to maintain on our side
Maybe we could have a "dynamic" message:
" Use only strong cipher algorithms when xxx this JWT. "
And replace "xxx" with "signing" or "verifying the signature of" depending on whether the rule finds a "signing vulnerable method" or a "verifying vulnerable method"
But I don't know how to specify this in JIRA
=== on 5 Mar 2020, 08:38:27 Pavel Mikula wrote:
Hi [~eric.therond],
Thanks for clarification.
Looking at https://jira.sonarsource.com/browse/RSPEC-3240[RSPEC-3240] and https://jira.sonarsource.com/browse/RSPEC-100[RSPEC-100] it seems that this is the way:
----
Use only strong cipher algorithms when [signing|verifying the signature of] this JWT.
----
=== on 5 Mar 2020, 08:45:11 Eric Therond wrote:
thanks [~pavel.mikula] for the tip, I have updated the RSPEC.
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink