Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved

      Description

      Recommended Secure Coding Practices

      Do not enable debug features on production servers.

      The .Net Core framework offers several features that help during debugging. Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage and Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage are two of them. Make sure that those features are disabled in production.
      Wrap debug code in if (env.IsDevelopment()) so that it only runs in the development environment.

      Sensitive Code Example

      This rule raises issues when the following .Net Core methods are called: Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage, Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage. No issue is raised when those calls are guarded by if (env.IsDevelopment()).

      using Microsoft.AspNetCore.Builder;
      using Microsoft.AspNetCore.Hosting;
      
      namespace mvcApp
      {
          public class Startup2
          {
              public void Configure(IApplicationBuilder app, IHostingEnvironment env)
              {
                  if (env.IsDevelopment())
                  {
                      // The following calls are ok because they are disabled in production
                      app.UseDeveloperExceptionPage();
                      app.UseDatabaseErrorPage();
                  }
                  // Those calls are Sensitive because it seems that they will run in production
                  app.UseDeveloperExceptionPage(); // Sensitive
                  app.UseDatabaseErrorPage(); // Sensitive
              }
          }
      }
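      As an added example (not part of the rule's own implementation or of any SonarSource code), the following Python check applies the rule's logic to C# source text: it reports each UseDeveloperExceptionPage / UseDatabaseErrorPage call that is not inside an if (env.IsDevelopment()) block. The brace-depth heuristic and the two sample Startup fragments are constructed for this example.

```python
import re
from typing import List, Tuple

# Debug middleware the rule flags when it can run in production.
DEBUG_CALLS = ("UseDeveloperExceptionPage", "UseDatabaseErrorPage")
GUARD_RE = re.compile(r"\bif\s*\(\s*\w+\.IsDevelopment\(\)\s*\)")
CALL_RE = re.compile(r"\.(" + "|".join(DEBUG_CALLS) + r")\s*\(")


def find_sensitive_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, method) for each debug call that is not guarded by
    an `if (env.IsDevelopment())` block.  Braces are tracked textually; string
    literals are not parsed, which is sufficient for typical Startup files."""
    findings = []
    depth = 0
    guard_depths = []      # brace depths at which an IsDevelopment body opened
    pending_guard = False  # guard seen, its '{' not yet reached
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]          # drop line comments
        if GUARD_RE.search(code):
            pending_guard = True
        for ch in code:
            if ch == "{":
                depth += 1
                if pending_guard:
                    guard_depths.append(depth)
                    pending_guard = False
            elif ch == "}":
                if guard_depths and guard_depths[-1] == depth:
                    guard_depths.pop()
                depth -= 1
        m = CALL_RE.search(code)
        # A call on the same line as a brace-less guard is also guarded.
        if m and not guard_depths and not pending_guard:
            findings.append((lineno, m.group(1)))
        if pending_guard and code.rstrip().endswith(";"):
            pending_guard = False              # brace-less single statement ended
    return findings


# Constructed sample mirroring the rule's Sensitive Code Example above.
SAMPLE = """\
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseDatabaseErrorPage();
    }
    app.UseDeveloperExceptionPage(); // Sensitive
    app.UseDatabaseErrorPage();      // Sensitive
}
"""

# Constructed compliant sample: debug pages in development, generic handler otherwise.
HARDENED = """\
if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/Error");
}
"""

if __name__ == "__main__":
    for lineno, method in find_sensitive_calls(SAMPLE):
        print(f"line {lineno}: {method} may run in production")
```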

      Exceptions

      This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.

      Reporter: Nicolas Harraudeau