Diff: tools/VisualCodeGrepper-2.1.0/csfunctions.conf

Revision:

7:2c9c8b6a28a7

Parent:

6:aeb5a4c194c3

Child:

8:2b6bfa8d9e36

--- a/tools/VisualCodeGrepper-2.1.0/csfunctions.conf	Tue Mar 20 16:28:33 2018 +0300
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,39 +0,0 @@
-// Functions known to cause issues in C#/ASP code.
-// To add new issues use the format: function name[=>][[N]][description]
-//	(where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal'))
-//
-// NB - function names are case-sensitive for this file
-//
-// MS banned functions
-CopyMemory=>This is a Microsoft Security Development Lifecycle (SDL) banned function and its use should be avoided if possible. Use memcpy_s in place of CopyMemory. Ensure source buffer is at least as big as the amount of data to be copied.
-RtlCopyMemory=>This is a Microsoft Security Development Lifecycle (SDL) banned function and its use should be avoided if possible. Use memcpy_s in place of RtlCopyMemory. Ensure source buffer is at least as big as the amount of data to be copied.
-
-// User environment
-GetTempPath=>This function obtains a path from user environment variables and may provide a different path from the expected path. As the path returned can also be written to and read from by other applications, any DLLs or input files obtained from this location could potentially be compromised.
-
-// Warning suppression
-#pragma warning disable=>The compiler is being instructed to disable certain warnings during the build. This can result in an unstable application build. Manually inspect the code to determine the risk.
-
-// Input validation
-<%@ Page validateRequest="false" %>=>[2]The application appears to deliberately de-activate the default .NET input validation functionality.
-LoadXml=>Potentially vulnerable to XXE DoS - MS suggests a workaround here: http://blogs.msdn.com/b/tomholl/archive/2009/05/21/protecting-against-xml-entity-expansion-attacks.aspx
-
-// Unsafe Randomisation
-Rnd=>[2]The application uses pseudo-random number generation that is not cryptographically secure. Carry out a manual check to ensure this is not being used in a process that requires cryptographically secure random numbers.
-
-// Insecure Cryptography
-X509CertificateValidationMode.None=>[3]The code uses an insecure certificate validation mode.
-xor=>The application makes use of 'xor'. Check that it is not being used for obfuscation purposes as this can be trivially reversed.
-"SHA1"=>[3]The code appears to use the SHA-1 algorithm. This is no longer considered secure and a safe alternative should be used instead.
-CipherMode.ECB=>[3]The code appears to use the Electronic Code Book cipher mode. This does not obscure patterns in the input data and should not be used for encrypting patterned data such as English text, or most data files.
-"MD5"=>[3]The code appears to use the MD5 algorithm. This is no longer considered secure and a safe alternative should be used instead.
-
-// Test functionality
-helloworld=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
-HelloWorld=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable.
-
-//WSDL file dDisclosure
-<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />=>A number of WCF web services used by the application had metadata publishing enabled, allowing WSDL, DISCO and MEX metadata to be retrieved by unauthenticated clients. Whilst this information is not strictly a secret, it is intended only to be used for development and integration purposes, and ideally should not be exposed in a production environment. WSDL data is potentially useful to an attacker in determining the methods exposed by a service and constructing well-formed requests.
-<serviceDebug includeExceptionDetailInFaults="true" />=>A number of WCF web services used by the application had metadata publishing enabled, allowing WSDL, DISCO and MEX metadata to be retrieved by unauthenticated clients. Whilst this information is not strictly a secret, it is intended only to be used for development and integration purposes, and ideally should not be exposed in a production environment. WSDL data is potentially useful to an attacker in determining the methods exposed by a service and constructing well-formed requests.
-<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>=>A number of WCF web services used by the application had metadata publishing enabled, allowing WSDL, DISCO and MEX metadata to be retrieved by unauthenticated clients. Whilst this information is not strictly a secret, it is intended only to be used for development and integration purposes, and ideally should not be exposed in a production environment. WSDL data is potentially useful to an attacker in determining the methods exposed by a service and constructing well-formed requests.
-<serviceDebug includeExceptionDetailInFaults="true"/>=>A number of WCF web services used by the application had metadata publishing enabled, allowing WSDL, DISCO and MEX metadata to be retrieved by unauthenticated clients. Whilst this information is not strictly a secret, it is intended only to be used for development and integration purposes, and ideally should not be exposed in a production environment. WSDL data is potentially useful to an attacker in determining the methods exposed by a service and constructing well-formed requests.