From 05edb578941225021c354fe3646bd9992ae9a3e1 Mon Sep 17 00:00:00 2001
From: Manish Vasani
Date: Fri, 6 Sep 2019 16:30:12 -0700
Subject: [PATCH] Disable couple of DFA security analyzers by default

---
 .../Microsoft.CodeAnalysis.FxCopAnalyzers.md | 4 ++--
 .../Microsoft.CodeAnalysis.FxCopAnalyzers.sarif | 4 ++--
 .../DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs | 3 +--
 .../Core/Security/DoNotHardCodeEncryptionKey.cs | 3 +--
 .../Microsoft.NetCore.Analyzers.md | 4 ++--
 .../Microsoft.NetCore.Analyzers.sarif | 4 ++--
 6 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md
index 49b9a67cc4..61c6e2af0d 100644
--- a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md
+++ b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md
@@ -188,8 +188,8 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 185 | [CA5386](https://docs.microsoft.com/visualstudio/code-quality/ca5386) | Avoid hardcoding SecurityProtocolType value | Security | False | False | Avoid hardcoding SecurityProtocolType {0}, and instead use SecurityProtocolType.SystemDefault to allow the operating system to choose the best Transport Layer Security protocol to use. |
 186 | CA5387 | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
 187 | CA5388 | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
-188 | CA5389 | Do Not Add Archive Item's Path To The Target File System Path | Security | True | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. |
-189 | CA5390 | Do Not Hard Code Encryption Key | Security | True | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value. |
+188 | CA5389 | Do Not Add Archive Item's Path To The Target File System Path | Security | False | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. |
+189 | CA5390 | Do Not Hard Code Encryption Key | Security | False | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value. |
 190 | CA5391 | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | True | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. |
 191 | CA5392 | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | True | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. |
 192 | CA5393 | Do not use unsafe DllImportSearchPath value | Security | True | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. |
diff --git a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif
index c59072e479..700a32c82f 100644
--- a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif
+++ b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif
@@ -3565,7 +3565,7 @@
 "defaultLevel": "warning",
 "properties": {
 "category": "Security",
- "isEnabledByDefault": true,
+ "isEnabledByDefault": false,
 "typeName": "DoNotAddArchiveItemPathToTheTargetFileSystemPath",
 "languages": [
 "C#",
@@ -3584,7 +3584,7 @@
 "defaultLevel": "warning",
 "properties": {
 "category": "Security",
- "isEnabledByDefault": true,
+ "isEnabledByDefault": false,
 "typeName": "DoNotHardCodeEncryptionKey",
 "languages": [
 "C#",
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs
index 46602432e4..a013875d02 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs
@@ -1,6 +1,5 @@
 // Copyright (c) Microsoft. All Rights Reserved. Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using Analyzer.Utilities;
 using Analyzer.Utilities.FlowAnalysis.Analysis.TaintedDataAnalysis;
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.Diagnostics;
@@ -18,7 +17,7 @@ public class DoNotAddArchiveItemPathToTheTargetFileSystemPath : SourceTriggeredT
 typeof(MicrosoftNetCoreAnalyzersResources),
 nameof(MicrosoftNetCoreAnalyzersResources.DoNotAddArchiveItemPathToTheTargetFileSystemPath),
 nameof(MicrosoftNetCoreAnalyzersResources.DoNotAddArchiveItemPathToTheTargetFileSystemPathMessage),
- DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX,
+ isEnabledByDefault: false,
 helpLinkUri: null,
 descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotAddArchiveItemPathToTheTargetFileSystemPathDescription),
 customTags: WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry);
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotHardCodeEncryptionKey.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotHardCodeEncryptionKey.cs
index 2e7eb717bf..51be695470 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotHardCodeEncryptionKey.cs
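Review bot: The new `isEnabledByDefault: false` argument carries no comment explaining why CA5389, whose own description in this patch says it catches archive paths that escape the extraction target (the zip-slip pattern), is now off everywhere rather than only where `EnabledByDefaultIfNotBuildingVSIX` previously turned it off; the subject line only names the DFA category, so the motive is presumably dataflow-analysis cost or noise, but that is inferred. I would put a why-comment directly above the argument, e.g. `// Off by default: tainted-data (DFA) analysis is costly; opt in with dotnet_diagnostic.CA5389.severity = warning in .editorconfig`, so that a consumer who never sees the warning still learns the check exists and how to enable it. With `helpLinkUri` left as `null` in the same call, that comment and the .md row are the only places the opt-in is discoverable. The descriptor-creating call this hunk sits inside begins before the hunk.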
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotHardCodeEncryptionKey.cs
@@ -1,6 +1,5 @@
 // Copyright (c) Microsoft. All Rights Reserved. Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using Analyzer.Utilities;
 using Analyzer.Utilities.FlowAnalysis.Analysis.TaintedDataAnalysis;
 using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.Diagnostics;
@@ -16,7 +15,7 @@ public class DoNotHardCodeEncryptionKey : SourceTriggeredTaintedDataAnalyzerBase
 typeof(MicrosoftNetCoreAnalyzersResources),
 nameof(MicrosoftNetCoreAnalyzersResources.DoNotHardCodeEncryptionKey),
 nameof(MicrosoftNetCoreAnalyzersResources.DoNotHardCodeEncryptionKeyMessage),
- DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX,
+ isEnabledByDefault: false,
 helpLinkUri: null,
 descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotHardCodeEncryptionKeyDescription),
 customTags: WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry);
diff --git a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md
index 2feba3268c..d3c987f01c 100644
--- a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md
+++ b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md
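Review bot: Switching CA5390 to a hard `isEnabledByDefault: false` silently drops a secrets-in-source check (a hard-coded `SymmetricAlgorithm.Key` or `rgbKey`, per the rule's description in this patch) from every consumer, and nothing in the hunk records the trade-off or the re-enable path. Since the rule is a `SourceTriggeredTaintedDataAnalyzerBase` subclass, the reason is presumably the cost or false-positive rate of the taint dataflow pass, but the code should say so rather than leave the next reader to guess; a one-line comment above the argument such as `// Disabled by default (DFA cost); enable via dotnet_diagnostic.CA5390.severity = warning` would do. If the intent is to keep the rule reachable for hardened builds, consider also noting that in the rule's description resource, because `helpLinkUri: null` in the same call means there is no documentation link to fall back on. The argument list this hunk modifies starts before the hunk.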
@@ -96,8 +96,8 @@ Sr. No. | Rule ID | Title | Category | Enabled | CodeFix | Description |
 93 | [CA5386](https://docs.microsoft.com/visualstudio/code-quality/ca5386) | Avoid hardcoding SecurityProtocolType value | Security | False | False | Avoid hardcoding SecurityProtocolType {0}, and instead use SecurityProtocolType.SystemDefault to allow the operating system to choose the best Transport Layer Security protocol to use. |
 94 | CA5387 | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
 95 | CA5388 | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). |
-96 | CA5389 | Do Not Add Archive Item's Path To The Target File System Path | Security | True | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. |
-97 | CA5390 | Do Not Hard Code Encryption Key | Security | True | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value. |
+96 | CA5389 | Do Not Add Archive Item's Path To The Target File System Path | Security | False | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. |
+97 | CA5390 | Do Not Hard Code Encryption Key | Security | False | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hardcoded value. |
 98 | CA5391 | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | True | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. |
 99 | CA5392 | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | True | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. |
 100 | CA5393 | Do not use unsafe DllImportSearchPath value | Security | True | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. |
diff --git a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif
index c4c4bc1f9d..c02e5d2c87 100644
--- a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif
+++ b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif
@@ -1645,7 +1645,7 @@
 "defaultLevel": "warning",
 "properties": {
 "category": "Security",
- "isEnabledByDefault": true,
+ "isEnabledByDefault": false,
 "typeName": "DoNotAddArchiveItemPathToTheTargetFileSystemPath",
 "languages": [
 "C#",
@@ -1664,7 +1664,7 @@
 "defaultLevel": "warning",
 "properties": {
 "category": "Security",
- "isEnabledByDefault": true,
+ "isEnabledByDefault": false,
 "typeName": "DoNotHardCodeEncryptionKey",
 "languages": [
 "C#",