Comments (5)
ejohn20
commented on July 21, 2024
Confirmed bug. Add the IsLocalUrl to the acceptable cleanse methods for SEC0109.
from puma-scan.
ejohn20
commented on July 21, 2024
This will be addressed using a new code block analyzer for taint analysis within a block of code.
from puma-scan.
serbentraut
commented on July 21, 2024
Same bug appears to apply to SEC110, which is a Web Forms redirect.
from puma-scan.
ejohn20
commented on July 21, 2024
Perfect, we'll make sure both rules are fixable using the code suggestions. For now, you can suppress them by right clicking the warning and adding them to the suppression file.
from puma-scan.
ejohn20
commented on July 21, 2024
In VS2017 SEC0109 is being raised with the following example code, which pretty much mirrors what the documentation says to do to fix it.
Confirmed this is fixed in 2.0 using the new code block analyzer. The method must be invoked on the tainted variable inside the same code block. The analyzers are not smart enough to traces this through multiple method calls.
Same bug appears to apply to SEC110, which is a Web Forms redirect.
The issues was also corrected by the code block analyzer. This code does not get flagged in the 2.0+ version of the analyzers:
Uri uri;
string url = Request.QueryString["returnUrl"];
if (Uri.TryCreate(url, UriKind.Relative, out uri))
{
Response.Redirect(url);
}from puma-scan.
Related Issues (20)
- SEC0108 warning with recommended overload HOT 1
- Visual Studio 2019 support HOT 8
- integrate with sonarqube HOT 8
- How to create the nuget pacakage manually for this project HOT 1
- Taint Analysis HOT 4
- error when added as nuget package to some vulnerable application
- Flow sensitive analysis HOT 1
- Using RoslynSDKgenerator jar is not getting created HOT 6
- Package version was not found: 2.0.0 HOT 1
- XmlException when used in a project with PostSharp HOT 7
- Is it possible to update dependency on Microsoft.CodeAnalysis 2.9.0 HOT 4
- SEC0108 warning false reporting
- Invalid Certificate HOT 2
- 2.4.7 release on marketplace.visualstudio but no release nor commits here HOT 1
- jwt AuthorizeAttribute ignored HOT 1
- Only .net supported? HOT 1
- Visual Studio 2022 Support HOT 2
- SEC0120 False positivites when using policy with required authenticated user
- Supression Pragmas or way to turn off warnings ?
- I don't understand how to fix problems (SEC0112, SEC0032)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from puma-scan.