ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4507/vbnet/rule.adoc
github-actions[bot] 7fecd63449
Create rule S4507: add Docker support (APPSEC-441) (#1542)
2023-02-07 15:04:20 +01:00

70 lines
2.1 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
== Recommended Secure Coding Practices
Do not enable debugging features on production servers.
The .Net Core framework offers multiple features which help during debug. ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++`` and ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++`` are two of them. Make sure that those features are disabled in production.
Use ``++If env.IsDevelopment()++`` to disable debug code.
== Sensitive Code Example
This rule raises issues when the following .Net Core methods are called: ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage++``, ``++Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage++``.
[source,vbnet]
----
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting
Namespace MyMvcApp
Public Class Startup
Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
' Those calls are Sensitive because it seems that they will run in production
app.UseDeveloperExceptionPage() 'Sensitive
app.UseDatabaseErrorPage() 'Sensitive
End Sub
End Class
End Namespace
----
== Compliant Solution
[source,vbnet]
----
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting
Namespace MyMvcApp
Public Class Startup
Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
If env.IsDevelopment() Then ' Compliant
' The following calls are ok because they are disabled in production
app.UseDeveloperExceptionPage()
app.UseDatabaseErrorPage()
End If
End Sub
End Class
End Namespace
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink