Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved

      Description

      Recommended Secure Coding Practices

      Do not enable debug features on production servers.

      The .NET Core framework offers several features that help during debugging; Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage and Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage are two of them. Make sure that those features are disabled in production.
      Guard debug code with If env.IsDevelopment() Then so that it only runs in the development environment.

      Sensitive Code Example

      This rule raises issues when the following .NET Core methods are called: Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage, Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage. No issue is raised when those calls are guarded by If env.IsDevelopment() Then.

      Imports Microsoft.AspNetCore.Builder
      Imports Microsoft.AspNetCore.Hosting
      
      Namespace MyMvcApp
          Public Class Startup
              Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
                  If env.IsDevelopment() Then
                      ' The following calls are ok because they are disabled in production
                      app.UseDeveloperExceptionPage()
                      app.UseDatabaseErrorPage()
                  End If
                  ' These calls are Sensitive because they are not guarded and will also run in production
                  app.UseDeveloperExceptionPage() 'Sensitive
                  app.UseDatabaseErrorPage() 'Sensitive
              End Sub
          End Class
      End Namespace
      

      Exceptions

      This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.
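      As an added example that is not part of the rule specification, the compliant shape of Configure: the two debug pages stay inside the development branch, and every other environment gets the generic Microsoft.AspNetCore.Builder.ExceptionHandlerExtensions.UseExceptionHandler handler instead. The /Error path is an assumption; env.IsDevelopment() is true only when the hosting environment name is "Development", which is normally set through the ASPNETCORE_ENVIRONMENT variable rather than through a configuration file.

```vbnet
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting

Namespace MyMvcApp
    Public Class Startup
        Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
            If env.IsDevelopment() Then
                ' Compliant: verbose exception and database error pages run only when
                ' the environment name is "Development" (ASPNETCORE_ENVIRONMENT=Development)
                app.UseDeveloperExceptionPage()
                app.UseDatabaseErrorPage()
            Else
                ' Every other environment (Staging, Production, ...) gets a generic error
                ' page that exposes no stack traces, source lines or SQL to the client.
                ' "/Error" is an assumed endpoint served by the application itself.
                app.UseExceptionHandler("/Error")
            End If

            ' No unguarded call to the debug pages follows here, so the rule is silent.
        End Sub
    End Class
End Namespace
```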

        People

        • Assignee: Unassigned
        • Reporter: Valeri Hristov (Inactive)