Enforce trust boundaries

Metadata

ID: csharp-security/trust-boundaries

Language: C#

Severity: Error

Category: Security

Description

No description found

Non-Compliant Code Examples

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc.Controllers;
using System.Linq;
using System;

namespace OwaspBenchmarkTest.Controllers
{
    public class BenchmarkTest00031Controller : Controller
    {
        [HttpGet("/trustbound-00/BenchmarkTest00031")]
        [HttpPost("/trustbound-00/BenchmarkTest00031")]
        public IActionResult Index()
        {
            var param = Request.Query["BenchmarkTest00031"].FirstOrDefault();

            HttpContext.Session.SetString("userid", param);

            return Content("Item: 'userid' with value: '" + Microsoft.Security.Encoder.Encoder.HtmlEncode(param) + "' saved in session.", "text/html;charset=UTF-8");
        }
    }
}

Compliant Code Examples

using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using System;
using System.IO;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Routing;
using Microsoft.AspNetCore.Session;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;
using System.Text;

namespace OwaspBenchmarkTest.Controllers
{
    public class BenchmarkTest00097Controller : Controller
    {
        private readonly IHttpContextAccessor _httpContextAccessor;

        public BenchmarkTest00097Controller(IHttpContextAccessor httpContextAccessor)
        {
            _httpContextAccessor = httpContextAccessor;
        }

        [HttpGet("/trustbound-00/BenchmarkTest00097")]
        public IActionResult Get()
        {
            CookieOptions option = new CookieOptions();
            option.Expires = DateTime.Now.AddMinutes(3);
            option.Secure = true;
            string requestURI = _httpContextAccessor.HttpContext.Request.Path.ToString();
            _httpContextAccessor.HttpContext.Response.Cookies.Append("BenchmarkTest00097", "color", option);
            return View();
        }

        [HttpPost("/trustbound-00/BenchmarkTest00097")]
        public IActionResult Post()
        {
            string param = "noCookieValueSupplied";
            if (_httpContextAccessor.HttpContext.Request.Cookies.ContainsKey("BenchmarkTest00097"))
            {
                //Vulnerability is maintained
                param = WebUtility.UrlDecode(_httpContextAccessor.HttpContext.Request.Cookies["BenchmarkTest00097"]);
            }

            string bar;

            int num = 106;

            bar = (7 * 18) + num > 200 ? "This_should_always_happen" : param;

            HttpContext.Session.SetString(bar, "10340");

            return Content("Item: '" + System.Security.SecurityElement.Escape(bar) + "' with value: 10340 saved in session.");
        }
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security
PREVIEWING: yuqing.bian/fix-sources-searchterm