Rules Repository / RSPEC-5691

Statically serving hidden files is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure serving hidden files is safe here.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Linear
    • Linear Argument Description:
      5min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources, Test Sources
    • CWE:
      CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory)
    • OWASP:
      A6 (Security Misconfiguration, OWASP Top 10 2017)

      Description

      Hidden files are created automatically by many tools to store user preferences and state; well-known examples are .profile, .bashrc, .bash_history and .git. To keep listings readable, operating system commands such as ls do not display these files by default.

      Outside of the user's own environment, hidden files are sensitive because they frequently hold privacy-related information or even hard-coded secrets (a .git directory, for example, lets an attacker retrieve the application's source and history). A static file server that answers requests for such paths exposes that content to anyone who guesses the name.

      Ask Yourself Whether

      • Hidden files may have been inadvertently uploaded to the static server's public directory, and the server accepts requests for hidden files.
      • There is no business use case for serving files whose name starts with a dot (the .name format), but the server is not configured to reject requests for this type of file.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Disable the serving of hidden files (for example, configure the static file middleware to deny or ignore dotfiles), and check every path segment, not only the file name, so that files inside hidden directories such as .git/ are covered too.

      See

        Language specifications

        1. JavaScript: RSPEC-5692 (Active, Unassigned)

          People

          • Assignee:
            Unassigned
          • Reporter:
            Eric Therond (eric.therond)