16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
50 lines
1.6 KiB
Plaintext
50 lines
1.6 KiB
Plaintext
== Why is this an issue?
|
|
|
|
The ``++DEBUG(*YES)++`` and ``++DUMP++`` statements are useful during development and debugging, but could expose sensitive information to attackers and should not be included in production code.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,rpg]
|
|
----
|
|
H*-------------------------------------------------------------------------
|
|
H DATEDIT(*YMD) DEBUG(*YES)
|
|
H**************************************************************************
|
|
|
|
C SR990 BegSR
|
|
C 'CVTERR' DUMP DUMP for error
|
|
C Move *on *INLR
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,rpg]
|
|
----
|
|
H*-------------------------------------------------------------------------
|
|
H DATEDIT(*YMD)
|
|
H**************************************************************************
|
|
|
|
C SR990 BegSR
|
|
C Move *on *INLR
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Remove this use of "XXX"
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|