Keyur Hariya
Maxim Integrated's IoT development kit
Dependencies: MAX30101 MAX30003 MAX113XX_Pixi MAX30205 max32630fthr USBDevice
tools/VisualCodeGrepper-2.1.0/csfunctions.conf@1:efe9cad8942f, 2018-03-13 (annotated)
- Committer:
- Mahir Ozturk
- Date:
- Tue Mar 13 14:52:59 2018 +0300
- Revision:
- 1:efe9cad8942f
Commit project files
Change-Id: I2188228f2a27e9a13e2407846e48b38c2596caa0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| Mahir Ozturk |
1:efe9cad8942f | 1 | // Functions known to cause issues in C#/ASP code. |
| Mahir Ozturk |
1:efe9cad8942f | 2 | // To add new issues use the format: function name[=>][[N]][description] |
| Mahir Ozturk |
1:efe9cad8942f | 3 | // (where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal')) |
| Mahir Ozturk |
1:efe9cad8942f | 4 | // |
| Mahir Ozturk |
1:efe9cad8942f | 5 | // NB - function names are case-sensitive for this file |
| Mahir Ozturk |
1:efe9cad8942f | 6 | // |
| Mahir Ozturk |
1:efe9cad8942f | 7 | // MS banned functions |
| Mahir Ozturk |
1:efe9cad8942f | 8 | CopyMemory=>This is a Microsoft Security Development Lifecycle (SDL) banned function and its use should be avoided if possible. Use memcpy_s in place of CopyMemory. Ensure source buffer is at least as big as the amount of data to be copied. |
| Mahir Ozturk |
1:efe9cad8942f | 9 | RtlCopyMemory=>This is a Microsoft Security Development Lifecycle (SDL) banned function and its use should be avoided if possible. Use memcpy_s in place of RtlCopyMemory. Ensure source buffer is at least as big as the amount of data to be copied. |
| Mahir Ozturk |
1:efe9cad8942f | 10 | |
| Mahir Ozturk |
1:efe9cad8942f | 11 | // User environment |
| Mahir Ozturk |
1:efe9cad8942f | 12 | GetTempPath=>This function obtains a path from user environment variables and may provide a different path from the expected path. As the path returned can also be written to and read from by other applications, any DLLs or input files obtained from this location could potentially be compromised. |
| Mahir Ozturk |
1:efe9cad8942f | 13 | |
| Mahir Ozturk |
1:efe9cad8942f | 14 | // Warning suppression |
| Mahir Ozturk |
1:efe9cad8942f | 15 | #pragma warning disable=>The compiler is being instructed to disable certain warnings during the build. This can result in an unstable application build. Manually inspect the code to determine the risk. |
| Mahir Ozturk |
1:efe9cad8942f | 16 | |
| Mahir Ozturk |
1:efe9cad8942f | 17 | // Input validation |
| Mahir Ozturk |
1:efe9cad8942f | 18 | <%@ Page validateRequest="false" %>=>[2]The application appears to deliberately de-activate the default .NET input validation functionality. |
| Mahir Ozturk |
1:efe9cad8942f | 19 | LoadXml=>Potentially vulnerable to XXE DoS - MS suggests a workaround here: http://blogs.msdn.com/b/tomholl/archive/2009/05/21/protecting-against-xml-entity-expansion-attacks.aspx |
| Mahir Ozturk |
1:efe9cad8942f | 20 | |
| Mahir Ozturk |
1:efe9cad8942f | 21 | // Unsafe Randomisation |
| Mahir Ozturk |
1:efe9cad8942f | 22 | Rnd=>[2]The application uses pseudo-random number generation that is not cryptographically secure. Carry out a manual check to ensure this is not being used in a process that requires cryptographically secure random numbers. |
| Mahir Ozturk |
1:efe9cad8942f | 23 | |
| Mahir Ozturk |
1:efe9cad8942f | 24 | // Insecure Cryptography |
| Mahir Ozturk |
1:efe9cad8942f | 25 | X509CertificateValidationMode.None=>[3]The code uses an insecure certificate validation mode. |
| Mahir Ozturk |
1:efe9cad8942f | 26 | xor=>The application makes use of 'xor'. Check that it is not being used for obfuscation purposes as this can be trivially reversed. |
| Mahir Ozturk |
1:efe9cad8942f | 27 | "SHA1"=>[3]The code appears to use the SHA-1 algorithm. This is no longer considered secure and a safe alternative should be used instead. |
| Mahir Ozturk |
1:efe9cad8942f | 28 | CipherMode.ECB=>[3]The code appears to use the Electronic Code Book cipher mode. This does not obscure patterns in the input data and should not be used for encrypting patterned data such as English text, or most data files. |
| Mahir Ozturk |
1:efe9cad8942f | 29 | "MD5"=>[3]The code appears to use the MD5 algorithm. This is no longer considered secure and a safe alternative should be used instead. |
| Mahir Ozturk |
1:efe9cad8942f | 30 | |
| Mahir Ozturk |
1:efe9cad8942f | 31 | // Test functionality |
| Mahir Ozturk |
1:efe9cad8942f | 32 | helloworld=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable. |
| Mahir Ozturk |
1:efe9cad8942f | 33 | HelloWorld=>The codebase appears to contain test functionality which may be abused by an attacker. Carry out a manual check to determine whether the codepath is executable. |
| Mahir Ozturk |
1:efe9cad8942f | 34 | |
| Mahir Ozturk |
1:efe9cad8942f | 35 | //WSDL file dDisclosure |
| Mahir Ozturk |
1:efe9cad8942f | 36 | <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />=>A number of WCF web services used by the application had metadata publishing enabled, allowing WSDL, DISCO and MEX metadata to be retrieved by unauthenticated clients. Whilst this information is not strictly a secret, it is intended only to be used for development and integration purposes, and ideally should not be exposed in a production environment. WSDL data is potentially useful to an attacker in determining the methods exposed by a service and constructing well-formed requests. |
| Mahir Ozturk |
1:efe9cad8942f | 37 | <serviceDebug includeExceptionDetailInFaults="true" />=>A number of WCF web services used by the application had metadata publishing enabled, allowing WSDL, DISCO and MEX metadata to be retrieved by unauthenticated clients. Whilst this information is not strictly a secret, it is intended only to be used for development and integration purposes, and ideally should not be exposed in a production environment. WSDL data is potentially useful to an attacker in determining the methods exposed by a service and constructing well-formed requests. |
| Mahir Ozturk |
1:efe9cad8942f | 38 | <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>=>A number of WCF web services used by the application had metadata publishing enabled, allowing WSDL, DISCO and MEX metadata to be retrieved by unauthenticated clients. Whilst this information is not strictly a secret, it is intended only to be used for development and integration purposes, and ideally should not be exposed in a production environment. WSDL data is potentially useful to an attacker in determining the methods exposed by a service and constructing well-formed requests. |
| Mahir Ozturk |
1:efe9cad8942f | 39 | <serviceDebug includeExceptionDetailInFaults="true"/>=>A number of WCF web services used by the application had metadata publishing enabled, allowing WSDL, DISCO and MEX metadata to be retrieved by unauthenticated clients. Whilst this information is not strictly a secret, it is intended only to be used for development and integration purposes, and ideally should not be exposed in a production environment. WSDL data is potentially useful to an attacker in determining the methods exposed by a service and constructing well-formed requests. |