Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
453 views
in Technique[技术] by (71.8m points)

c# - Getting warning in Security Hotspot in SonarQube make sure that controlled safely here

    ClaimsPrincipal principal = new ClaimsPrincipal(identity);
    

Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:

 CVE-2018-12999
 CVE-2018-10285
 CVE-2017-7455

and the suggestion is this. class SecurityPrincipalDemo { class MyIdentity : IIdentity // Sensitive, custom IIdentity implementations should be reviewed { // ... }

class MyPrincipal : IPrincipal // Sensitive, custom IPrincipal implementations should be reviewed
{
    // ...
}
[System.Security.Permissions.PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] // Sensitive. The access restrictions enforced by this attribute should be reviewed.
static void CheckAdministrator()
{
    WindowsIdentity MyIdentity = WindowsIdentity.GetCurrent(); // Sensitive
    HttpContext.User = ...; // Sensitive: review all reference (set and get) to System.Web HttpContext.User
    AppDomain domain = AppDomain.CurrentDomain;
    domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); // Sensitive
    MyIdentity identity = new MyIdentity(); // Sensitive
    MyPrincipal MyPrincipal = new MyPrincipal(MyIdentity); // Sensitive
    Thread.CurrentPrincipal = MyPrincipal; // Sensitive
    domain.SetThreadPrincipal(MyPrincipal); // Sensitive

    // All instantiation of PrincipalPermission should be reviewed.
    PrincipalPermission principalPerm = new PrincipalPermission(null, "Administrators"); // Sensitive
    principalPerm.Demand();

    SecurityTokenHandler handler = ...;
    // Sensitive: this creates an identity.
    ReadOnlyCollection<ClaimsIdentity> identities = handler.ValidateToken(…);
}

 // Sensitive: review how this function uses the identity and principal.
void modifyPrincipal(MyIdentity identity, MyPrincipal principal)
{
    // ...
}

}

question from:https://stackoverflow.com/questions/65895974/getting-warning-in-security-hotspot-in-sonarqube-make-sure-that-controlled-safel

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

never mind. i figure it out by delacraing private read only


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...