コード例 #1
        /// <summary>
        /// Registers the trackers for code that builds or sends an outbound HTTP request:
        /// creation of RestSharp <c>IRestRequest</c> implementations, and calls to the listed
        /// <c>HttpClient</c>, <c>WebClient</c> and <c>WebRequest</c> members.
        /// </summary>
        /// <param name="context">Analysis context the trackers are registered on.</param>
        protected override void Initialize(SonarAnalysisContext context)
        {
            // RestSharp: any object creation whose type derives from or implements IRestRequest.
            ObjectCreationTracker.Track(
                context,
                ObjectCreationTracker.WhenDerivesOrImplements(KnownType.RestSharp_IRestRequest));

            // Each entry pairs a containing type with a member name. No argument condition is
            // attached, so the destination URL plays no part in whether a call is tracked.
            // NOTE(review): the list is closed. HttpClient members that are not named here
            // (for example PatchAsync, or the synchronous Send on newer frameworks) would
            // presumably go untracked - confirm against the frameworks this rule targets.
            MemberDescriptor[] requestMembers =
            {
                // System.Net.Http.HttpClient
                new MemberDescriptor(KnownType.System_Net_Http_HttpClient, "GetAsync"),
                new MemberDescriptor(KnownType.System_Net_Http_HttpClient, "GetByteArrayAsync"),
                new MemberDescriptor(KnownType.System_Net_Http_HttpClient, "GetStreamAsync"),
                new MemberDescriptor(KnownType.System_Net_Http_HttpClient, "GetStringAsync"),
                new MemberDescriptor(KnownType.System_Net_Http_HttpClient, "SendAsync"),
                new MemberDescriptor(KnownType.System_Net_Http_HttpClient, "PostAsync"),
                new MemberDescriptor(KnownType.System_Net_Http_HttpClient, "PutAsync"),
                new MemberDescriptor(KnownType.System_Net_Http_HttpClient, "DeleteAsync"),

                // System.Net.WebClient: download, open and upload families.
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadData"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadDataAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadDataTaskAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadFile"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadFileAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadFileTaskAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadString"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadStringAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "DownloadStringTaskAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "OpenRead"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "OpenReadAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "OpenReadTaskAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "OpenWrite"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "OpenWriteAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "OpenWriteTaskAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadData"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadDataAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadDataTaskAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadFile"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadFileAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadFileTaskAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadString"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadStringAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadStringTaskAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadValues"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadValuesAsync"),
                new MemberDescriptor(KnownType.System_Net_WebClient, "UploadValuesTaskAsync"),

                // System.Net.WebRequest factory methods.
                new MemberDescriptor(KnownType.System_Net_WebRequest, "Create"),
                new MemberDescriptor(KnownType.System_Net_WebRequest, "CreateDefault"),
                new MemberDescriptor(KnownType.System_Net_WebRequest, "CreateHttp"),
            };

            InvocationTracker.Track(context, InvocationTracker.MatchMethod(requestMembers));
        }
コード例 #2
        /// <summary>
        /// Registers the trackers for the places where a cookie value is written: the classic
        /// <c>System.Web.HttpCookie</c> API, the ASP.NET Core cookie collections, and raw
        /// <c>Set-Cookie</c> headers.
        /// </summary>
        /// <param name="context">Analysis context the trackers are registered on.</param>
        protected override void Initialize(SonarAnalysisContext context)
        {
            // NOTE(review): HTTP header names are case-insensitive, but whether
            // ArgumentAtIndexEquals compares case-insensitively is not visible here. Confirm
            // that a header written as "set-cookie" is tracked as well.
            const string setCookieHeader = "Set-Cookie";

            KnownType httpCookie = KnownType.System_Web_HttpCookie;
            MemberDescriptor cookieValues = new MemberDescriptor(httpCookie, "Values");

            // cookie.Value = ...
            PropertyAccessTracker.Track(
                context,
                PropertyAccessTracker.MatchProperty(new MemberDescriptor(httpCookie, "Value")),
                PropertyAccessTracker.MatchSetter());

            // new HttpCookie(..., <string>): only constructions whose argument at index 1 is a string.
            ObjectCreationTracker.Track(
                context,
                ObjectCreationTracker.MatchConstructor(httpCookie),
                ObjectCreationTracker.ArgumentAtIndexIs(1, KnownType.System_String));

            // cookie["key"] = ...
            ElementAccessTracker.Track(
                context,
                ElementAccessTracker.MatchIndexerIn(httpCookie),
                ElementAccessTracker.ArgumentAtIndexIs(0, KnownType.System_String),
                ElementAccessTracker.MatchSetter());

            // headers["Set-Cookie"] = ... on an ASP.NET Core IHeaderDictionary.
            ElementAccessTracker.Track(
                context,
                ElementAccessTracker.MatchIndexerIn(KnownType.Microsoft_AspNetCore_Http_IHeaderDictionary),
                ElementAccessTracker.ArgumentAtIndexEquals(0, setCookieHeader),
                ElementAccessTracker.MatchSetter());

            // Indexer writes on the ASP.NET Core request and response cookie collections.
            ElementAccessTracker.Track(
                context,
                ElementAccessTracker.MatchIndexerIn(
                    KnownType.Microsoft_AspNetCore_Http_IRequestCookieCollection,
                    KnownType.Microsoft_AspNetCore_Http_IResponseCookies),
                ElementAccessTracker.MatchSetter());

            // cookie.Values["key"] = ...
            ElementAccessTracker.Track(
                context,
                ElementAccessTracker.MatchIndexerIn(KnownType.System_Collections_Specialized_NameValueCollection),
                ElementAccessTracker.MatchSetter(),
                ElementAccessTracker.MatchProperty(cookieValues));

            // response.Cookies.Append(...)
            InvocationTracker.Track(
                context,
                InvocationTracker.MatchMethod(
                    new MemberDescriptor(KnownType.Microsoft_AspNetCore_Http_IResponseCookies, "Append")));

            // headers.Add("Set-Cookie", ...): a two-parameter dictionary Add that also satisfies
            // IsIHeadersDictionary(), a condition defined outside this method.
            InvocationTracker.Track(
                context,
                InvocationTracker.MatchMethod(
                    new MemberDescriptor(KnownType.System_Collections_Generic_IDictionary_TKey_TValue, "Add"),
                    new MemberDescriptor(KnownType.System_Collections_Generic_IDictionary_TKey_TValue_VB, "Add")),
                InvocationTracker.ArgumentAtIndexEquals(0, setCookieHeader),
                InvocationTracker.MethodHasParameters(2),
                IsIHeadersDictionary());

            // cookie.Values.Add(...)
            InvocationTracker.Track(
                context,
                InvocationTracker.MatchMethod(
                    new MemberDescriptor(KnownType.System_Collections_Specialized_NameObjectCollectionBase, "Add")),
                InvocationTracker.MatchProperty(cookieValues));
        }
コード例 #3
        /// <summary>
        /// Registers the trackers for code that creates, reads, replaces or receives identity
        /// and principal objects, or that declares principal-based permission demands.
        /// </summary>
        /// <param name="context">Analysis context the trackers are registered on.</param>
        protected override void Initialize(SonarAnalysisContext context)
        {
            KnownType identity = KnownType.System_Security_Principal_IIdentity;
            KnownType principal = KnownType.System_Security_Principal_IPrincipal;

            // new PrincipalPermission(...)
            ObjectCreationTracker.Track(
                context,
                ObjectCreationTracker.MatchConstructor(KnownType.System_Security_Permissions_PrincipalPermission));

            // Construction of any type that derives from or implements IIdentity / IPrincipal.
            ObjectCreationTracker.Track(
                context,
                ObjectCreationTracker.WhenDerivesOrImplementsAny(identity, principal));

            // Calls that obtain the current identity, validate a token, or change the principal
            // policy or thread principal of an AppDomain.
            MemberDescriptor[] identityCalls =
            {
                new MemberDescriptor(KnownType.System_Security_Principal_WindowsIdentity, "GetCurrent"),
                new MemberDescriptor(KnownType.System_IdentityModel_Tokens_SecurityTokenHandler, "ValidateToken"),
                new MemberDescriptor(KnownType.System_AppDomain, "SetPrincipalPolicy"),
                new MemberDescriptor(KnownType.System_AppDomain, "SetThreadPrincipal"),
            };
            InvocationTracker.Track(context, InvocationTracker.MatchMethod(identityCalls));

            // HttpContext.User and Thread.CurrentPrincipal. No setter condition is attached
            // here, unlike the property trackers that add MatchSetter().
            MemberDescriptor[] principalProperties =
            {
                new MemberDescriptor(KnownType.System_Web_HttpContext, "User"),
                new MemberDescriptor(KnownType.System_Threading_Thread, "CurrentPrincipal"),
            };
            PropertyAccessTracker.Track(context, PropertyAccessTracker.MatchProperty(principalProperties));

            // Ordinary methods that take an IIdentity or IPrincipal parameter.
            MethodDeclarationTracker.Track(
                context,
                MethodDeclarationTracker.AnyParameterIsOfType(identity, principal),
                MethodDeclarationTracker.IsOrdinaryMethod());

            // Methods decorated with [PrincipalPermission].
            MethodDeclarationTracker.Track(
                context,
                MethodDeclarationTracker.DecoratedWithAnyAttribute(
                    KnownType.System_Security_Permissions_PrincipalPermissionAttribute));

            // Type declarations with IIdentity or IPrincipal in their base list.
            BaseTypeTracker.Track(context, BaseTypeTracker.MatchSubclassesOf(identity, principal));
        }
コード例 #4
        /// <summary>
        /// Registers the trackers for logger configuration entry points in ASP.NET Core /
        /// Microsoft.Extensions.Logging, log4net, NLog and Serilog.
        /// </summary>
        /// <param name="context">Analysis context the trackers are registered on.</param>
        protected override void Initialize(SonarAnalysisContext context)
        {
            // ASP.NET Core: logging set-up extension methods.
            // NOTE(review): "AddEventSourceLogger" is paired with both EventLoggerFactoryExtensions
            // and EventSourceLoggerFactoryExtensions. The first pairing may never match - confirm
            // which class declares that method.
            MemberDescriptor[] aspNetCoreLogging =
            {
                new MemberDescriptor(KnownType.Microsoft_AspNetCore_Hosting_WebHostBuilderExtensions, "ConfigureLogging"),
                new MemberDescriptor(KnownType.Microsoft_Extensions_DependencyInjection_LoggingServiceCollectionExtensions, "AddLogging"),
                new MemberDescriptor(KnownType.Microsoft_Extensions_Logging_ConsoleLoggerExtensions, "AddConsole"),
                new MemberDescriptor(KnownType.Microsoft_Extensions_Logging_DebugLoggerFactoryExtensions, "AddDebug"),
                new MemberDescriptor(KnownType.Microsoft_Extensions_Logging_EventLoggerFactoryExtensions, "AddEventLog"),
                new MemberDescriptor(KnownType.Microsoft_Extensions_Logging_EventLoggerFactoryExtensions, "AddEventSourceLogger"),
                new MemberDescriptor(KnownType.Microsoft_Extensions_Logging_EventSourceLoggerFactoryExtensions, "AddEventSourceLogger"),
                new MemberDescriptor(KnownType.Microsoft_Extensions_Logging_AzureAppServicesLoggerFactoryExtensions, "AddAzureWebAppDiagnostics"),
            };
            InvocationTracker.Track(
                context,
                InvocationTracker.MatchMethod(aspNetCoreLogging),
                InvocationTracker.MethodIsExtension());

            // ASP.NET Core: construction of any ILoggerFactory implementation.
            ObjectCreationTracker.Track(
                context,
                ObjectCreationTracker.WhenImplements(KnownType.Microsoft_Extensions_Logging_ILoggerFactory));

            // log4net: the configurator entry points.
            MemberDescriptor[] log4netConfigurators =
            {
                new MemberDescriptor(KnownType.log4net_Config_XmlConfigurator, "Configure"),
                new MemberDescriptor(KnownType.log4net_Config_XmlConfigurator, "ConfigureAndWatch"),
                new MemberDescriptor(KnownType.log4net_Config_DOMConfigurator, "Configure"),
                new MemberDescriptor(KnownType.log4net_Config_DOMConfigurator, "ConfigureAndWatch"),
                new MemberDescriptor(KnownType.log4net_Config_BasicConfigurator, "Configure"),
            };
            InvocationTracker.Track(context, InvocationTracker.MatchMethod(log4netConfigurators));

            // NLog: assignments to LogManager.Configuration. The setter condition comes first,
            // so reads of the property are not tracked.
            PropertyAccessTracker.Track(
                context,
                PropertyAccessTracker.MatchSetter(),
                PropertyAccessTracker.MatchProperty(new MemberDescriptor(KnownType.NLog_LogManager, "Configuration")));

            // Serilog: construction of LoggerConfiguration or a type derived from it.
            ObjectCreationTracker.Track(
                context,
                ObjectCreationTracker.WhenDerivesFrom(KnownType.Serilog_LoggerConfiguration));
        }
コード例 #5
        /// <summary>
        /// Registers the trackers for creation of the cryptographic algorithms this rule covers:
        /// direct construction of the types in <c>algorithmTypes</c>, parameterless factory calls,
        /// and factory calls whose first argument is one of <c>unsafeAlgorithms</c>.
        /// </summary>
        /// <param name="context">Analysis context the trackers are registered on.</param>
        protected override void Initialize(SonarAnalysisContext context)
        {
            // Direct construction; algorithmTypes is declared outside this method.
            ObjectCreationTracker.Track(context, ObjectCreationTracker.WhenDerivesOrImplementsAny(algorithmTypes));

            // Factory calls that take no arguments, on the five listed types.
            MemberDescriptor[] parameterlessFactories =
            {
                new MemberDescriptor(KnownType.System_Security_Cryptography_DSA, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_HMAC, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_MD5, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_RIPEMD160, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1, CreateMethodName),
            };
            InvocationTracker.Track(
                context,
                InvocationTracker.MatchMethod(parameterlessFactories),
                InvocationTracker.MethodHasParameters(0));

            // Factory calls that select the algorithm through their first argument. They are
            // tracked only when that argument is one of unsafeAlgorithms (declared elsewhere).
            // NOTE(review): an algorithm name that arrives at run time (configuration, a variable)
            // is presumably not matched by this comparison - confirm how ArgumentAtIndexIsAny
            // treats non-constant arguments.
            MemberDescriptor[] namedFactories =
            {
                new MemberDescriptor(KnownType.System_Security_Cryptography_AsymmetricAlgorithm, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_CryptoConfig, "CreateFromName"),
                new MemberDescriptor(KnownType.System_Security_Cryptography_DSA, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_HashAlgorithm, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_HMAC, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_KeyedHashAlgorithm, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_MD5, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_RIPEMD160, CreateMethodName),
                new MemberDescriptor(KnownType.System_Security_Cryptography_SHA1, CreateMethodName),
            };
            InvocationTracker.Track(
                context,
                InvocationTracker.MatchMethod(namedFactories),
                InvocationTracker.ArgumentAtIndexIsAny(0, unsafeAlgorithms));
        }
コード例 #6
 /// <summary>
 /// Registers an object-creation tracker for the given constructor types. It is limited to
 /// creations whose argument at <paramref name="argumentIndex"/> is a non-constant string
 /// that <c>IsTracked</c> accepts.
 /// </summary>
 /// <param name="context">Analysis context the tracker is registered on.</param>
 /// <param name="objectCreationTypes">Types whose constructors are matched.</param>
 /// <param name="argumentIndex">Zero-based position of the constructor argument to inspect.</param>
 private void TrackObjectCreation(SonarAnalysisContext context, KnownType[] objectCreationTypes, int argumentIndex)
 {
     // Conditions are passed in this order: constructor type, argument is a string, IsTracked
     // (defined outside this method), and finally the exclusion of compile-time constants.
     // Literal arguments are therefore never reported by this tracker.
     ObjectCreationTracker.Track(
         context,
         ObjectCreationTracker.MatchConstructor(objectCreationTypes),
         ObjectCreationTracker.ArgumentAtIndexIs(argumentIndex, KnownType.System_String),
         c => IsTracked(GetArgumentAtIndex(c, argumentIndex), c),
         Conditions.ExceptWhen(ObjectCreationTracker.ArgumentAtIndexIsConst(argumentIndex)));
 }
コード例 #7
 /// <summary>
 /// Creates the analyzer with an explicit configuration and wires up the C# object-creation
 /// tracker for this rule.
 /// </summary>
 /// <param name="analyzerConfiguration">Configuration forwarded to the base analyzer and to the tracker.</param>
 internal CookieShouldBeSecure(IAnalyzerConfiguration analyzerConfiguration) : base(analyzerConfiguration)
 {
     // The tracker is built from the same configuration object that was handed to the base class.
     var creationTracker = new CSharpObjectCreationTracker(analyzerConfiguration, rule);
     ObjectCreationTracker = creationTracker;
 }
コード例 #8
 /// <summary>
 /// Registers a tracker for <c>CorsPolicyBuilder</c> constructions that <c>ContainsStar</c> accepts.
 /// </summary>
 /// <param name="tracker">Object-creation tracker to configure.</param>
 /// <param name="input">Tracker input forwarded to <c>Track</c>.</param>
 private static void SetupObjectCreationTracker(ObjectCreationTracker<SyntaxKind> tracker, TrackerInput input)
 {
     // ContainsStar is defined outside this method; presumably it looks for a "*" origin among
     // the constructor arguments, a wildcard that lets any site make cross-origin requests.
     // NOTE(review): only construction is covered here. Origins set later through builder
     // methods such as WithOrigins or AllowAnyOrigin need their own tracking - confirm it exists.
     tracker.Track(
         input,
         tracker.MatchConstructor(KnownType.Microsoft_AspNetCore_Cors_Infrastructure_CorsPolicyBuilder),
         c =>
         {
             var creation = (ObjectCreationExpressionSyntax)c.Node;
             return ContainsStar(creation, c.SemanticModel);
         });
 }