
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
54 lines
1.6 KiB
Plaintext
include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
// === .Net Framework ===

HttpCookie myCookie = new HttpCookie("UserSettings");
myCookie["CreditCardNumber"] = "1234 1234 1234 1234"; // Sensitive; sensitive data stored
myCookie.Values["password"] = "5678"; // Sensitive
myCookie.Value = "mysecret"; // Sensitive
...
Response.Cookies.Add(myCookie);

// === .Net Core ===

Response.Headers.Add("Set-Cookie", ...); // Sensitive
Response.Cookies.Append("mykey", "myValue"); // Sensitive
----
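As an added example (not part of this rule's text or the rspec repository), the .Net Core case rewritten so that the cookie carries only an opaque, randomly generated lookup token while the card number and password stay in a server-side store. `IUserSettingsStore` and `UserSettings` are assumed application types; `RandomNumberGenerator.GetBytes` and `Convert.ToHexString` are .NET 6+ APIs.

```csharp
// Added example, not the rule's own code: sensitive values never enter the cookie.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Assumed application types (placeholders for this example).
public record UserSettings(string CreditCardNumber, string Password);

public interface IUserSettingsStore
{
    // Server-side storage (database, distributed cache, ...) keyed by an opaque token.
    void Put(string token, UserSettings settings);
    UserSettings? Get(string token);
}

public class SettingsController : Controller
{
    private readonly IUserSettingsStore _store;

    public SettingsController(IUserSettingsStore store) => _store = store;

    [HttpPost]
    public IActionResult Save(UserSettings settings)
    {
        // 128-bit random token: this is the only value written to the cookie.
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        _store.Put(token, settings);

        Response.Cookies.Append("UserSettings", token, new CookieOptions
        {
            HttpOnly = true,                 // not readable from client-side script
            Secure = true,                   // only sent over HTTPS
            SameSite = SameSiteMode.Strict,  // not attached to cross-site requests
            MaxAge = TimeSpan.FromHours(1)   // bounded lifetime for the lookup token
        });
        return Ok();
    }

    [HttpGet]
    public IActionResult Load()
    {
        // Resolve the token back to the settings server-side; an unknown token yields 404.
        if (!Request.Cookies.TryGetValue("UserSettings", out string? token))
            return Unauthorized();

        UserSettings? settings = _store.Get(token);
        return settings is null ? NotFound() : Ok(settings);
    }
}
```

The call to `Response.Cookies.Append` is still reported by this rule (it is a security hotspot, not a vulnerability); the review consists of confirming that the appended value is the random token and that the sensitive fields are only ever stored through `IUserSettingsStore`.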

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 16 Oct 2018, 18:39:51 Nicolas Harraudeau wrote:
*Implementation details*:

*In .Net core*, -any reference to ``++Microsoft.AspNetCore.Http.HttpRequest.Cookies++`` should create an issue. It is an ``++IEnumerable++`` and it is not worth highlighting every manipulation method this class has. There is no "Cookie" Type in .Net Core, they are instead processed as strings.-

The ``++Request++`` object is just a reference to the ``++HttpRequest++`` of the current request.

Regarding ``++Microsoft.AspNetCore.Http.HttpResponse.Cookies++``, only the ``++Append++`` method should raise an issue as the ``++Delete++`` one is not security-sensitive (no risk of injection).

The ``++Response++`` object is just a reference to the ``++HttpResponse++`` of the current request.

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]