Enforce trust boundaries

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: csharp-security/trust-boundaries

Language: C#

Severity: Error

Category: Security

Description

No description found

Non-Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc.Controllers;
using System.Linq;
using System;

namespace OwaspBenchmarkTest.Controllers
{
    public class BenchmarkTest00031Controller : Controller
    {
        [HttpGet("/trustbound-00/BenchmarkTest00031")]
        [HttpPost("/trustbound-00/BenchmarkTest00031")]
        public IActionResult Index()
        {
            var param = Request.Query["BenchmarkTest00031"].FirstOrDefault();

            HttpContext.Session.SetString("userid", param);

            return Content("Item: 'userid' with value: '" + Microsoft.Security.Encoder.Encoder.HtmlEncode(param) + "' saved in session.", "text/html;charset=UTF-8");
        }
    }
}

Compliant Code Examples

using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using System;
using System.IO;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Routing;
using Microsoft.AspNetCore.Session;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;
using System.Text;

namespace OwaspBenchmarkTest.Controllers
{
    public class BenchmarkTest00097Controller : Controller
    {
        private readonly IHttpContextAccessor _httpContextAccessor;

        public BenchmarkTest00097Controller(IHttpContextAccessor httpContextAccessor)
        {
            _httpContextAccessor = httpContextAccessor;
        }

        [HttpGet("/trustbound-00/BenchmarkTest00097")]
        public IActionResult Get()
        {
            CookieOptions option = new CookieOptions();
            option.Expires = DateTime.Now.AddMinutes(3);
            option.Secure = true;
            string requestURI = _httpContextAccessor.HttpContext.Request.Path.ToString();
            _httpContextAccessor.HttpContext.Response.Cookies.Append("BenchmarkTest00097", "color", option);
            return View();
        }

        [HttpPost("/trustbound-00/BenchmarkTest00097")]
        public IActionResult Post()
        {
            string param = "noCookieValueSupplied";
            if (_httpContextAccessor.HttpContext.Request.Cookies.ContainsKey("BenchmarkTest00097"))
            {
                //Vulnerability is maintained
                param = WebUtility.UrlDecode(_httpContextAccessor.HttpContext.Request.Cookies["BenchmarkTest00097"]);
            }

            string bar;

            int num = 106;

            bar = (7 * 18) + num > 200 ? "This_should_always_happen" : param;

            HttpContext.Session.SetString(bar, "10340");

            return Content("Item: '" + System.Security.SecurityElement.Escape(bar) + "' with value: 10340 saved in session.");
        }
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Integraciones sin problemas. Prueba Datadog Code Security

Datadog Code Security