Пример #1
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                var attribute = element.Attribute("validationKey");
                var flag      = attribute != null && !attribute.Value.Contains("AutoGenerate");

                //Check the decryptionKey element for "AutoGenerate"
                if (!flag)
                {
                    attribute = element.Attribute("decryptionKey");
                    flag      = attribute != null && !attribute.Value.Contains("AutoGenerate");
                }

                //Send the diagnostic warning if identified cleartext key
                if (flag)
                {
                    var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString()));
                }
            }
        }
Пример #2
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            var context = pumaContext.RosylnContext;

            if (!context.Options.AdditionalFiles.Any())
            {
                return;
            }

            var srcFiles = _mvcMarkupFileFilter.GetFiles(context.Options.AdditionalFiles).ToList();

            if (!srcFiles.Any())
            {
                return;
            }

            foreach (var file in srcFiles)
            {
                var document = file.GetText();

                var source = document.ToString();

                if (!_htmlRawRegexHelper.HasMatch(source))
                {
                    continue;
                }

                foreach (Match match in _htmlRawRegexHelper.GetMatches(source))
                {
                    VulnerableAdditionalText.Push(new DiagnosticInfo(file.Path, document.Lines.GetLinePosition(match.Index).Line,
                                                                     source.Substring(match.Index, match.Length)));
                }
            }
        }
Пример #3
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            foreach (var config in ConfigurationFiles)
            {
                var customErrors =
                    config.ProductionConfigurationDocument.XPathSelectElement(CUSTOMERRORS_SEARCH_EXPRESSION);

                //Default (<customErrors mode="RemoteOnly" />) is not an issue
                //Look for the mode attribute, again default val is not an issue
                var mode = customErrors?.Attribute("mode");
                if (mode == null)
                {
                    continue;
                }

                //Any value that is not "Off" is ok
                if (string.Compare(mode.Value, "Off", StringComparison.OrdinalIgnoreCase) != 0)
                {
                    continue;
                }

                var lineInfo = config.GetProductionLineInfo(customErrors, CUSTOMERRORS_SEARCH_EXPRESSION);
                VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, customErrors.ToString()));
            }
        }
Пример #4
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                //Get the timeout attribute value
                var attribute = element.Attribute("mode");
                var mode      = attribute?.Value;

                if (string.Compare(mode, "StateServer", StringComparison.Ordinal) == 0)
                {
                    var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString()));
                }
            }
        }
Пример #5
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element           = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION);
                var crossAppRedirects = element?.Attribute("enableCrossAppRedirects");

                //Default is false, so we can bail if not defined
                if (crossAppRedirects == null)
                {
                    continue;
                }

                //If the value is true, we have an issue
                if (string.Compare(crossAppRedirects.Value, "True", StringComparison.OrdinalIgnoreCase) == 0)
                {
                    var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString()));
                }
            }
        }
Пример #6
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                //Get the timeout attribute value
                var attribute = element.Attribute("timeout");
                var timeout   = Convert.ToInt32(attribute?.Value ?? "20");

                if (timeout > RuleOptions.SessionExpirationMax)
                {
                    var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString(), RuleOptions.SessionExpirationMax.ToString()));
                }
            }
        }
Пример #7
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element = config.ProductionConfigurationDocument.XPathSelectElement(HTTPRUNTIME_SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                //Get the enableVersionHeader attribute
                var attribute = element.Attribute("enableVersionHeader");

                //Default value is true, so it must be set to false
                if (attribute == null || string.Compare(attribute.Value, "false", StringComparison.OrdinalIgnoreCase) != 0)
                {
                    var lineInfo = config.GetProductionLineInfo(element, HTTPRUNTIME_SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString()));
                }
            }
        }
Пример #8
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                //Get the requireSSL attribute
                var attribute = element.Attribute("requireSSL");

                //Default value is false, so it's an issue if it does not exist
                //Or, look for a non-true value and flag it
                if (attribute == null || string.Compare(attribute.Value, "true", StringComparison.OrdinalIgnoreCase) != 0)
                {
                    var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString()));
                }
            }
        }
Пример #9
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                //Get the cookieless attribute
                var cookieless = element.Attribute("cookieless");

                //Default value is UseDeviceProfile, which can allow URL based tracking
                //Add waring in all cases except value of UseCookies
                if (cookieless == null || string.Compare(cookieless.Value, "UseCookies", StringComparison.OrdinalIgnoreCase) != 0)
                {
                    var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString()));
                }
            }
        }
Пример #10
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element = config.ProductionConfigurationDocument.XPathSelectElement(SEARCH_EXPRESSION);

                //Get the cookieless attribute
                var attribute = element?.Attribute("enableEventValidation");

                //Default value is true, so it's a non issue
                if (attribute == null)
                {
                    continue;
                }

                //Add waring if present and set to false
                if (string.Compare(attribute.Value, "false", StringComparison.OrdinalIgnoreCase) == 0)
                {
                    var lineInfo = config.GetProductionLineInfo(element, SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString()));
                }
            }
        }
Пример #11
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            foreach (var config in ConfigurationFiles)
            {
                //Search for the element in question
                var element = config.ProductionConfigurationDocument.XPathSelectElement(FORMS_SEARCH_EXPRESSION);
                if (element == null)
                {
                    continue;
                }

                //Get the requireSSL attribute
                //Default value is false, which is vulnerable
                //Add warning if missing or not set to true
                var requireSSL = element.Attribute("requireSSL");

                if (requireSSL == null ||
                    string.Compare(requireSSL.Value, "True", StringComparison.OrdinalIgnoreCase) != 0)
                {
                    var lineInfo = config.GetProductionLineInfo(element, FORMS_SEARCH_EXPRESSION);
                    VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, element.ToString()));
                }
            }
        }
Пример #12
0
        public void OnCompilationEnd(PumaCompilationAnalysisContext context)
        {
            foreach (var config in ConfigurationFiles)
            {
                var compilation =
                    config.ProductionConfigurationDocument.XPathSelectElement(COMPILATION_SEARCH_EXPRESSION);

                //Looking for debug set to true
                //Default is false, so it's OK if the element is missing
                var mode = compilation?.Attribute("debug");
                if (mode == null)
                {
                    continue;
                }

                if (string.Compare(mode.Value, "true", StringComparison.OrdinalIgnoreCase) != 0)
                {
                    continue;
                }

                var lineInfo = config.GetProductionLineInfo(compilation, COMPILATION_SEARCH_EXPRESSION);
                VulnerableAdditionalText.Push(new DiagnosticInfo(config.Source.Path, lineInfo.LineNumber, compilation.ToString()));
            }
        }
Пример #13
0
        public virtual void OnCompilationEnd(PumaCompilationAnalysisContext pumaContext)
        {
            var context = pumaContext.RosylnContext;

            if (VulnerableSyntaxNodes.IsEmpty)
            {
                return;
            }

            foreach (var vulnerableSyntaxNode in VulnerableSyntaxNodes)
            {
                var canSuppress = false;
                var sources     = vulnerableSyntaxNode.Source;
                foreach (var syntaxNode in sources)
                {
                    var idsToMatchOn = syntaxNode.DescendantNodesAndSelf().OfType <IdentifierNameSyntax>();
                    foreach (var identifierNameSyntax in idsToMatchOn)
                    {
                        var containingBlock = syntaxNode.FirstAncestorOrSelf <MethodDeclarationSyntax>();

                        var idMatches = containingBlock
                                        .DescendantNodes()
                                        .OfType <IdentifierNameSyntax>()
                                        .Where(p => p.Identifier.ValueText == syntaxNode.ToString())
                                        .ToList <SyntaxNode>();

                        var declarationMatches = containingBlock
                                                 .DescendantNodes()
                                                 .OfType <VariableDeclaratorSyntax>()
                                                 .Where(p => p.Identifier.ValueText == identifierNameSyntax.ToString())
                                                 .Select(p => p.Initializer.Value)
                                                 .ToList <SyntaxNode>();

                        var matches = idMatches.Union(declarationMatches);
                        var idModel = context.Compilation.GetSemanticModel(syntaxNode.SyntaxTree);

                        foreach (var match in matches)
                        {
                            var indexNode = match.AncestorsAndSelf().FirstOrDefault();

                            while (!canSuppress && indexNode != containingBlock)
                            {
                                var nodeAnalyzer = SyntaxNodeAnalyzerFactory.Create(indexNode);
                                canSuppress = nodeAnalyzer.CanSuppress(idModel, indexNode, pumaContext.DiagnosticId);

                                indexNode = indexNode.Ancestors().FirstOrDefault();
                            }

                            if (canSuppress)
                            {
                                break;
                            }
                        }

                        if (canSuppress)
                        {
                            break;
                        }
                    }

                    if (canSuppress)
                    {
                        break;
                    }
                }

                vulnerableSyntaxNode.Suppressed = canSuppress;
            }
        }
Пример #14
0
 public virtual void OnCompilationEnd(PumaCompilationAnalysisContext context)
 {
 }