public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); if (element == null) { continue; } var attribute = element.Attribute("validationKey"); var flag = attribute != null && !attribute.Value.Contains("AutoGenerate"); //Check the decryptionKey element for "AutoGenerate" if (!flag) { attribute = element.Attribute("decryptionKey"); flag = attribute != null && !attribute.Value.Contains("AutoGenerate"); } //Send the diagnostic warning if identified cleartext key if (flag) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { var context = pumaContext.RosylnContext; if (!context.Options.AdditionalFiles.Any()) { return; } var srcFiles = _mvcMarkupFileFilter.GetFiles(context.Options.AdditionalFiles).ToList(); if (!srcFiles.Any()) { return; } foreach (var file in srcFiles) { var document = file.GetText(); var source = document.ToString(); if (!_htmlRawRegexHelper.HasMatch(source)) { continue; } foreach (Match match in _htmlRawRegexHelper.GetMatches(source)) { VulnerableAdditionalText.Push(new DiagnosticInfo(file.Path, document.Lines.GetLinePosition(match.Index).Line, source.Substring(match.Index, match.Length))); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { var customErrors = config.ProductionConfigurationDocument.XPathSelectElement(CUSTOMERRORS_SEARCH_EXPRESSION); //Default (<customErrors mode="RemoteOnly" />) is not an issue //Look for the mode attribute, again default val is not an issue var mode = customErrors?.Attribute("mode"); if (mode == null) { continue; } //Any value that is not "Off" is ok if (string.Compare(mode.Value, "Off", StringComparison.OrdinalIgnoreCase) != 0) { continue; } var lineInfo = config.GetProductionLineInfo(customErrors, CUSTOMERRORS_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, customErrors.ToString())); } }
public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); if (element == null) { continue; } //Get the timeout attribute value var attribute = element.Attribute("mode"); var mode = attribute?.Value; if (string.Compare(mode, "StateServer", StringComparison.Ordinal) == 0) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION); var crossAppRedirects = element?.Attribute("enableCrossAppRedirects"); //Default is false, so we can bail if not defined if (crossAppRedirects == null) { continue; } //If the value is true, we have an issue if (string.Compare(crossAppRedirects.Value, "True", StringComparison.OrdinalIgnoreCase) == 0) { var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); if (element == null) { continue; } //Get the timeout attribute value var attribute = element.Attribute("timeout"); var timeout = Convert.ToInt32(attribute?.Value ?? "20"); if (timeout > RuleOptions.SessionExpirationMax) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString(), RuleOptions.SessionExpirationMax.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(HTTPRUNTIME_SEARCH_EXPRESSION); if (element == null) { continue; } //Get the enableVersionHeader attribute var attribute = element.Attribute("enableVersionHeader"); //Default value is true, so it must be set to false if (attribute == null || string.Compare(attribute.Value, "false", StringComparison.OrdinalIgnoreCase) != 0) { var lineInfo = config.GetProductionLineInfo(element, HTTPRUNTIME_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); if (element == null) { continue; } //Get the requireSSL attribute var attribute = element.Attribute("requireSSL"); //Default value is false, so it's an issue if it does not exist //Or, look for a non-true value and flag it if (attribute == null || string.Compare(attribute.Value, "true", StringComparison.OrdinalIgnoreCase) != 0) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION); if (element == null) { continue; } //Get the cookieless attribute var cookieless = element.Attribute("cookieless"); //Default value is UseDeviceProfile, which can allow URL based tracking //Add waring in all cases except value of UseCookies if (cookieless == null || string.Compare(cookieless.Value, "UseCookies", StringComparison.OrdinalIgnoreCase) != 0) { var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); //Get the cookieless attribute var attribute = element?.Attribute("enableEventValidation"); //Default value is true, so it's a non issue if (attribute == null) { continue; } //Add waring if present and set to false if (string.Compare(attribute.Value, "false", StringComparison.OrdinalIgnoreCase) == 0) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION); if (element == null) { continue; } //Get the requireSSL attribute //Default value is false, which is vulnerable //Add warning if missing or not set to true var requireSSL = element.Attribute("requireSSL"); if (requireSSL == null || string.Compare(requireSSL.Value, "True", StringComparison.OrdinalIgnoreCase) != 0) { var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { var compilation = config.ProductionConfigurationDocument.XPathSelectElement(COMPILATION_SEARCH_EXPRESSION); //Looking for debug set to true //Default is false, so it's OK if the element is missing var mode = compilation?.Attribute("debug"); if (mode == null) { continue; } if (string.Compare(mode.Value, "true", StringComparison.OrdinalIgnoreCase) != 0) { continue; } var lineInfo = config.GetProductionLineInfo(compilation, COMPILATION_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, compilation.ToString())); } }
public virtual void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { var context = pumaContext.RosylnContext; if (VulnerableSyntaxNodes.IsEmpty) { return; } foreach (var vulnerableSyntaxNode in VulnerableSyntaxNodes) { var canSuppress = false; var sources = vulnerableSyntaxNode.Source; foreach (var syntaxNode in sources) { var idsToMatchOn = syntaxNode.DescendantNodesAndSelf().OfType <IdentifierNameSyntax>(); foreach (var identifierNameSyntax in idsToMatchOn) { var containingBlock = syntaxNode.FirstAncestorOrSelf <MethodDeclarationSyntax>(); var idMatches = containingBlock .DescendantNodes() .OfType <IdentifierNameSyntax>() .Where(p => p.Identifier.ValueText == syntaxNode.ToString()) .ToList <SyntaxNode>(); var declarationMatches = containingBlock .DescendantNodes() .OfType <VariableDeclaratorSyntax>() .Where(p => p.Identifier.ValueText == identifierNameSyntax.ToString()) .Select(p => p.Initializer.Value) .ToList <SyntaxNode>(); var matches = idMatches.Union(declarationMatches); var idModel = context.Compilation.GetSemanticModel(syntaxNode.SyntaxTree); foreach (var match in matches) { var indexNode = match.AncestorsAndSelf().FirstOrDefault(); while (!canSuppress && indexNode != containingBlock) { var nodeAnalyzer = SyntaxNodeAnalyzerFactory.Create(indexNode); canSuppress = nodeAnalyzer.CanSuppress(idModel, indexNode, pumaContext.DiagnosticId); indexNode = indexNode.Ancestors().FirstOrDefault(); } if (canSuppress) { break; } } if (canSuppress) { break; } } if (canSuppress) { break; } } vulnerableSyntaxNode.Suppressed = canSuppress; } }
public virtual void OnCompilationEnd(PumaCompilationAnalysisContext context) { }