43 lines
1.8 KiB
Plaintext
43 lines
1.8 KiB
Plaintext
=== On 2018-10-16T18:46:47Z Nicolas Harraudeau Wrote:
|
|
*Implementation details*:
|
|
|
|
*In .Net Core*
|
|
|
|
The following block is generally generated automatically by the IDE:
|
|
|
|
----
|
|
if (env.IsDevelopment())
|
|
{
|
|
app.UseDeveloperExceptionPage();
|
|
app.UseDatabaseErrorPage();
|
|
}
|
|
----
|
|
However after looking in Github it seems that developers often copy paste the content of the "if" block outside of the "if", which creates a vulnerability.
|
|
|
|
|
|
The rule should not try to detect every possible "if" statement. It should instead check that, if there is a call to ``++app.UseDeveloperExceptionPage()++`` or ``++app.UseDatabaseErrorPage()++``, it is in the exact "if" statement ``++if (env.IsDevelopment())++``.
|
|
|
|
=== On 2018-10-31T09:54:11Z Nicolas Harraudeau Wrote:
|
|
*TODO once we have a solution for analyzing configuration files*:
|
|
|
|
For .Net Framework applications
|
|
|
|
----
|
|
<!-- Web.config file -->
|
|
<configuration>
|
|
...
|
|
<system.web>
|
|
<customErrors mode="Off"/> <!-- Sensitive -->
|
|
<trace enabled="true"/> <!-- Sensitive -->
|
|
<compilation debug="true"/> <!-- Sensitive -->
|
|
</system.web>
|
|
</configuration>
|
|
----
|
|
*Recommendation:*
|
|
|
|
The .Net Framework offers different debug features which can be enabled in the Web.config file. Add a Web.config transformation file, for "Release" publications, disabling ``++debug++``, ``++trace++`` and enabling ``++customErrors++``. This will prevent those properties from being published on production servers.
|
|
|
|
The application should run by default in the most secure mode, i.e. as on production servers. This is to prevent any mistake. Do not commit Web.config file with ``++trace++`` enabled or ``++customErrors++`` disabled. If these features are needed for debug deployment, do it in the ``++Web.Debug.config++`` transform file.
|
|
|
|
include::../comments-and-links.adoc[]
|