        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            // Reports a <customErrors> element whose mode is explicitly "Off" in each
            // production configuration document. A missing element or a missing mode
            // attribute leaves the framework default (RemoteOnly) in place and is not reported.
            foreach (var config in ConfigurationFiles)
            {
                var document     = config.ProductionConfigurationDocument;
                var customErrors = document.XPathSelectElement(CUSTOMERRORS_SEARCH_EXPRESSION);
                var modeValue    = customErrors?.Attribute("mode")?.Value;

                // No element or no mode attribute: default applies, nothing to report.
                if (modeValue == null)
                {
                    continue;
                }

                // Only an explicit "Off" (case-insensitive) is a finding.
                var isOff = string.Equals(modeValue, "Off", StringComparison.OrdinalIgnoreCase);
                if (!isOff)
                {
                    continue;
                }

                var lineInfo   = config.GetProductionLineInfo(customErrors, CUSTOMERRORS_SEARCH_EXPRESSION);
                var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, customErrors.ToString());
                VulnerableAdditionalText.Push(diagnostic);
            }
        }
        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            // Reports a <machineKey> whose validationKey or decryptionKey holds a literal
            // value instead of "AutoGenerate", i.e. a key committed in cleartext to the
            // production configuration.
            foreach (var config in ConfigurationFiles)
            {
                var machineKey = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                if (machineKey == null)
                {
                    continue;
                }

                // A key attribute is considered hard-coded when it is present and its value
                // does not contain "AutoGenerate" (ordinal substring test, as before).
                var validationKey = machineKey.Attribute("validationKey");
                var decryptionKey = machineKey.Attribute("decryptionKey");

                var validationHardCoded = validationKey != null && !validationKey.Value.Contains("AutoGenerate");
                var decryptionHardCoded = decryptionKey != null && !decryptionKey.Value.Contains("AutoGenerate");

                // Either key being hard-coded is enough to raise the finding.
                if (validationHardCoded || decryptionHardCoded)
                {
                    var lineInfo   = config.GetProductionLineInfo(machineKey, SEARCH_EXPRESSION);
                    var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, machineKey.ToString());
                    VulnerableAdditionalText.Push(diagnostic);
                }
            }
        }
        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            // Reports the matched element (sessionState, going by the mode values) when its
            // mode attribute is exactly "StateServer". A missing element or a missing mode
            // attribute is not reported.
            foreach (var config in ConfigurationFiles)
            {
                var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                // Read the mode attribute; null when the attribute is absent.
                var mode = element.Attribute("mode")?.Value;

                // Ordinal (case-sensitive) comparison, as in the original rule.
                // NOTE(review): differently-cased values such as "stateserver" are not
                // reported here — confirm that is intended.
                var usesStateServer = string.Equals(mode, "StateServer", StringComparison.Ordinal);
                if (!usesStateServer)
                {
                    continue;
                }

                var lineInfo   = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString());
                VulnerableAdditionalText.Push(diagnostic);
            }
        }
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            // Reports a <forms> element with enableCrossAppRedirects set to "True"
            // (case-insensitive). The attribute defaults to false, so a missing element
            // or attribute is not reported.
            foreach (var config in ConfigurationFiles)
            {
                var forms             = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION);
                var crossAppRedirects = forms?.Attribute("enableCrossAppRedirects");

                if (crossAppRedirects != null)
                {
                    var enabled = string.Equals(crossAppRedirects.Value, "True", StringComparison.OrdinalIgnoreCase);

                    // An explicit true is the finding.
                    if (enabled)
                    {
                        var lineInfo   = config.GetProductionLineInfo(forms, FORMS_SEARCH_EXPRESSION);
                        var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, forms.ToString());
                        VulnerableAdditionalText.Push(diagnostic);
                    }
                }
            }
        }
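        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            // Reports the matched element (sessionState, going by the attribute) when its
            // timeout exceeds RuleOptions.SessionExpirationMax. A missing timeout attribute
            // is treated as "20", the value the original rule substituted.
            foreach (var config in ConfigurationFiles)
            {
                var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                var rawTimeout = element.Attribute("timeout")?.Value ?? "20";

                // Parse with the invariant culture so the result does not depend on the
                // analyzer host's locale (Convert.ToInt32(string) used the current culture).
                // A value that is not a valid integer cannot be compared against the limit
                // and would previously have thrown FormatException/OverflowException and
                // aborted the analysis; it is skipped instead (presumably the runtime rejects
                // such a configuration anyway — verify).
                int timeout;
                var parsed = int.TryParse(
                    rawTimeout,
                    System.Globalization.NumberStyles.Integer,
                    System.Globalization.CultureInfo.InvariantCulture,
                    out timeout);
                if (!parsed)
                {
                    continue;
                }

                if (timeout > RuleOptions.SessionExpirationMax)
                {
                    var lineInfo   = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                    var diagnostic = new DiagnosticInfo(
                        config.Source.Path,
                        lineInfo.LineNumber,
                        element.ToString(),
                        RuleOptions.SessionExpirationMax.ToString());
                    VulnerableAdditionalText.Push(diagnostic);
                }
            }
        }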
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            // Reports an <httpRuntime> element unless enableVersionHeader is explicitly
            // "false" (case-insensitive). The attribute defaults to true, so a present
            // element with the attribute missing is reported; a missing element is not.
            foreach (var config in ConfigurationFiles)
            {
                var httpRuntime = config.ProductionConfigurationDocument.XPathSelectElement(HTTPRUNTIME_SEARCH_EXPRESSION);
                if (httpRuntime == null)
                {
                    continue;
                }

                var versionHeader = httpRuntime.Attribute("enableVersionHeader");
                var disabled      = versionHeader != null
                                    && string.Equals(versionHeader.Value, "false", StringComparison.OrdinalIgnoreCase);

                // Anything other than an explicit false leaves the version header on.
                if (disabled)
                {
                    continue;
                }

                var lineInfo   = config.GetProductionLineInfo(httpRuntime, HTTPRUNTIME_SEARCH_EXPRESSION);
                var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, httpRuntime.ToString());
                VulnerableAdditionalText.Push(diagnostic);
            }
        }
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            // Reports the matched element unless requireSSL is explicitly "true"
            // (case-insensitive). The attribute defaults to false, so a present element
            // with the attribute missing is reported; a missing element is not.
            foreach (var config in ConfigurationFiles)
            {
                var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                var requireSsl = element.Attribute("requireSSL");
                var secured    = requireSsl != null
                                 && string.Equals(requireSsl.Value, "true", StringComparison.OrdinalIgnoreCase);

                // Missing attribute or any non-true value is the finding.
                if (secured)
                {
                    continue;
                }

                var lineInfo   = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString());
                VulnerableAdditionalText.Push(diagnostic);
            }
        }
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            // Reports a <forms> element unless cookieless is explicitly "UseCookies"
            // (case-insensitive). The default, UseDeviceProfile, can fall back to URL-based
            // session tracking, so a missing attribute is reported; a missing element is not.
            foreach (var config in ConfigurationFiles)
            {
                var forms = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION);
                if (forms == null)
                {
                    continue;
                }

                var cookieless  = forms.Attribute("cookieless");
                var cookiesOnly = cookieless != null
                                  && string.Equals(cookieless.Value, "UseCookies", StringComparison.OrdinalIgnoreCase);

                // Everything except an explicit UseCookies is a finding.
                if (!cookiesOnly)
                {
                    var lineInfo   = config.GetProductionLineInfo(forms, FORMS_SEARCH_EXPRESSION);
                    var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, forms.ToString());
                    VulnerableAdditionalText.Push(diagnostic);
                }
            }
        }
        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            // Reports the matched element (pages, going by the attribute) when
            // enableEventValidation is explicitly "false" (case-insensitive). The attribute
            // defaults to true, so a missing element or attribute is not reported.
            foreach (var config in ConfigurationFiles)
            {
                var element         = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                var eventValidation = element?.Attribute("enableEventValidation");

                if (eventValidation != null)
                {
                    var disabled = string.Equals(eventValidation.Value, "false", StringComparison.OrdinalIgnoreCase);

                    // Only an explicit false is the finding.
                    if (disabled)
                    {
                        var lineInfo   = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                        var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString());
                        VulnerableAdditionalText.Push(diagnostic);
                    }
                }
            }
        }
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            // Reports a <forms> element unless requireSSL is explicitly "True"
            // (case-insensitive). The attribute defaults to false, so a present element
            // with the attribute missing is reported; a missing element is not.
            foreach (var config in ConfigurationFiles)
            {
                var forms = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION);
                if (forms == null)
                {
                    continue;
                }

                var requireSsl = forms.Attribute("requireSSL");
                var secured    = requireSsl != null
                                 && string.Equals(requireSsl.Value, "True", StringComparison.OrdinalIgnoreCase);

                // Missing attribute or any non-true value is the finding.
                if (secured)
                {
                    continue;
                }

                var lineInfo   = config.GetProductionLineInfo(forms, FORMS_SEARCH_EXPRESSION);
                var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, forms.ToString());
                VulnerableAdditionalText.Push(diagnostic);
            }
        }
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            // Reports a <compilation> element whose debug attribute is "true"
            // (case-insensitive). The attribute defaults to false, so a missing element
            // or attribute is not reported.
            foreach (var config in ConfigurationFiles)
            {
                var document    = config.ProductionConfigurationDocument;
                var compilation = document.XPathSelectElement(COMPILATION_SEARCH_EXPRESSION);
                var debugValue  = compilation?.Attribute("debug")?.Value;

                // No element or no debug attribute: default applies, nothing to report.
                if (debugValue == null)
                {
                    continue;
                }

                // Only an explicit true is the finding.
                var debugEnabled = string.Equals(debugValue, "true", StringComparison.OrdinalIgnoreCase);
                if (!debugEnabled)
                {
                    continue;
                }

                var lineInfo   = config.GetProductionLineInfo(compilation, COMPILATION_SEARCH_EXPRESSION);
                var diagnostic = new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, compilation.ToString());
                VulnerableAdditionalText.Push(diagnostic);
            }
        }