This page is not yet available in Spanish. We are working on its translation. If you have any questions or feedback about our current translation project, feel free to reach out to us!
Metadata
ID:csharp-security/trust-boundaries
Language: C#
Severity: Error
Category: Security
Description
No description found
Non-Compliant Code Examples
usingMicrosoft.AspNetCore.Mvc;usingMicrosoft.AspNetCore.Http;usingSystem.Collections.Generic;usingMicrosoft.AspNetCore.Mvc.Filters;usingMicrosoft.AspNetCore.Mvc.Controllers;usingSystem.Linq;usingSystem;namespaceOwaspBenchmarkTest.Controllers{publicclassBenchmarkTest00031Controller:Controller{ [HttpGet("/trustbound-00/BenchmarkTest00031")] [HttpPost("/trustbound-00/BenchmarkTest00031")]publicIActionResultIndex(){varparam=Request.Query["BenchmarkTest00031"].FirstOrDefault();HttpContext.Session.SetString("userid",param);returnContent("Item: 'userid' with value: '"+Microsoft.Security.Encoder.Encoder.HtmlEncode(param)+"' saved in session.","text/html;charset=UTF-8");}}}
Compliant Code Examples
usingMicrosoft.AspNetCore.Http;usingMicrosoft.AspNetCore.Mvc;usingMicrosoft.AspNetCore.Mvc.RazorPages;usingSystem;usingSystem.IO;usingSystem.Net;usingSystem.Threading.Tasks;usingMicrosoft.AspNetCore.Routing;usingMicrosoft.AspNetCore.Session;usingMicrosoft.AspNetCore.Builder;usingMicrosoft.Extensions.DependencyInjection;usingMicrosoft.AspNetCore.Hosting;usingMicrosoft.Extensions.Hosting;usingSystem.Text;namespaceOwaspBenchmarkTest.Controllers{publicclassBenchmarkTest00097Controller:Controller{privatereadonlyIHttpContextAccessor_httpContextAccessor;publicBenchmarkTest00097Controller(IHttpContextAccessorhttpContextAccessor){_httpContextAccessor=httpContextAccessor;} [HttpGet("/trustbound-00/BenchmarkTest00097")]publicIActionResultGet(){CookieOptionsoption=newCookieOptions();option.Expires=DateTime.Now.AddMinutes(3);option.Secure=true;stringrequestURI=_httpContextAccessor.HttpContext.Request.Path.ToString();_httpContextAccessor.HttpContext.Response.Cookies.Append("BenchmarkTest00097","color",option);returnView();} [HttpPost("/trustbound-00/BenchmarkTest00097")]publicIActionResultPost(){stringparam="noCookieValueSupplied";if(_httpContextAccessor.HttpContext.Request.Cookies.ContainsKey("BenchmarkTest00097")){//Vulnerability is maintainedparam=WebUtility.UrlDecode(_httpContextAccessor.HttpContext.Request.Cookies["BenchmarkTest00097"]);}stringbar;intnum=106;bar=(7*18)+num>200?"This_should_always_happen":param;HttpContext.Session.SetString(bar,"10340");returnContent("Item: '"+System.Security.SecurityElement.Escape(bar)+"' with value: 10340 saved in session.");}}}
Integraciones sin problemas. Prueba Datadog Code Security
Datadog Code Security
Prueba esta regla y analiza tu código con Datadog Code Security
Cómo usar esta regla
1
2
rulesets:- csharp-security # Rules to enforce C# security.
Crea un static-analysis.datadog.yml con el contenido anterior en la raíz de tu repositorio
Utiliza nuestros complementos del IDE gratuitos o añade análisis de Code Security a tus pipelines de CI.