public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { var customErrors = config.ProductionConfigurationDocument.XPathSelectElement(CUSTOMERRORS_SEARCH_EXPRESSION); //Default (<customErrors mode="RemoteOnly" />) is not an issue //Look for the mode attribute, again default val is not an issue var mode = customErrors?.Attribute("mode"); if (mode == null) { continue; } //Any value that is not "Off" is ok if (string.Compare(mode.Value, "Off", StringComparison.OrdinalIgnoreCase) != 0) { continue; } var lineInfo = config.GetProductionLineInfo(customErrors, CUSTOMERRORS_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, customErrors.ToString())); } }
public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); if (element == null) { continue; } var attribute = element.Attribute("validationKey"); var flag = attribute != null && !attribute.Value.Contains("AutoGenerate"); //Check the decryptionKey element for "AutoGenerate" if (!flag) { attribute = element.Attribute("decryptionKey"); flag = attribute != null && !attribute.Value.Contains("AutoGenerate"); } //Send the diagnostic warning if identified cleartext key if (flag) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); if (element == null) { continue; } //Get the timeout attribute value var attribute = element.Attribute("mode"); var mode = attribute?.Value; if (string.Compare(mode, "StateServer", StringComparison.Ordinal) == 0) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION); var crossAppRedirects = element?.Attribute("enableCrossAppRedirects"); //Default is false, so we can bail if not defined if (crossAppRedirects == null) { continue; } //If the value is true, we have an issue if (string.Compare(crossAppRedirects.Value, "True", StringComparison.OrdinalIgnoreCase) == 0) { var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); if (element == null) { continue; } //Get the timeout attribute value var attribute = element.Attribute("timeout"); var timeout = Convert.ToInt32(attribute?.Value ?? "20"); if (timeout > RuleOptions.SessionExpirationMax) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString(), RuleOptions.SessionExpirationMax.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(HTTPRUNTIME_SEARCH_EXPRESSION); if (element == null) { continue; } //Get the enableVersionHeader attribute var attribute = element.Attribute("enableVersionHeader"); //Default value is true, so it must be set to false if (attribute == null || string.Compare(attribute.Value, "false", StringComparison.OrdinalIgnoreCase) != 0) { var lineInfo = config.GetProductionLineInfo(element, HTTPRUNTIME_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); if (element == null) { continue; } //Get the requireSSL attribute var attribute = element.Attribute("requireSSL"); //Default value is false, so it's an issue if it does not exist //Or, look for a non-true value and flag it if (attribute == null || string.Compare(attribute.Value, "true", StringComparison.OrdinalIgnoreCase) != 0) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION); if (element == null) { continue; } //Get the cookieless attribute var cookieless = element.Attribute("cookieless"); //Default value is UseDeviceProfile, which can allow URL based tracking //Add waring in all cases except value of UseCookies if (cookieless == null || string.Compare(cookieless.Value, "UseCookies", StringComparison.OrdinalIgnoreCase) != 0) { var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION); //Get the cookieless attribute var attribute = element?.Attribute("enableEventValidation"); //Default value is true, so it's a non issue if (attribute == null) { continue; } //Add waring if present and set to false if (string.Compare(attribute.Value, "false", StringComparison.OrdinalIgnoreCase) == 0) { var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { //Search for the element in question var element = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION); if (element == null) { continue; } //Get the requireSSL attribute //Default value is false, which is vulnerable //Add warning if missing or not set to true var requireSSL = element.Attribute("requireSSL"); if (requireSSL == null || string.Compare(requireSSL.Value, "True", StringComparison.OrdinalIgnoreCase) != 0) { var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString())); } } }
public void OnCompilationEnd(PumaCompilationAnalysisContext context) { foreach (var config in ConfigurationFiles) { var compilation = config.ProductionConfigurationDocument.XPathSelectElement(COMPILATION_SEARCH_EXPRESSION); //Looking for debug set to true //Default is false, so it's OK if the element is missing var mode = compilation?.Attribute("debug"); if (mode == null) { continue; } if (string.Compare(mode.Value, "true", StringComparison.OrdinalIgnoreCase) != 0) { continue; } var lineInfo = config.GetProductionLineInfo(compilation, COMPILATION_SEARCH_EXPRESSION); VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, compilation.ToString())); } }