
Fix S4507 FP: relax env.IsDevelopment(); sanitizer #5032

Closed
andrei-epure-sonarsource opened this issue Nov 8, 2021 · 0 comments · Fixed by #5240
Labels: Area: C# (C# rules related issues), Area: Security (Related to Vulnerability and Security Hotspot rules), Type: False Positive (Rule IS triggered when it shouldn't be)
Milestone: 8.34

Comments

andrei-epure-sonarsource commented Nov 8, 2021

S4507

Currently the following code will raise an issue:

    // In ASP.NET Core this typically sits in Startup.Configure(IApplicationBuilder app, IWebHostEnvironment env)
    var isDevelopmentEnvironment = env.IsDevelopment();
    if (isDevelopmentEnvironment)
    {
        app.UseDeveloperExceptionPage(); // FP: guarded through the local that holds env.IsDevelopment()
    }

This is a minor security hotspot, so it's not worth investing in a complex dataflow capability.

We should reduce the level of FPs by checking if env.IsDevelopment() is invoked in the same method/class and not raise issues in that case.

Conversation: https://community.sonarsource.com/t/make-sure-this-debug-feature-is-deactivated-before-delivering-the-code-in-production/42336/4 (see internal as well)
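As an added illustration of the relaxed sanitizer proposed above (this is not code from the SonarSource analyzer or from this issue), a small Roslyn-based check that reports UseDeveloperExceptionPage() calls unless IsDevelopment() is invoked in the same method, with the class-wide variant behind a switch. It assumes the Microsoft.CodeAnalysis.CSharp package and C# 9 top-level statements; the sample source it scans is constructed here.

```csharp
using System;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

// Constructed sample: the issue's FP pattern in Configure, plus an unguarded call.
const string sample = @"public class Startup
{
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        var isDevelopmentEnvironment = env.IsDevelopment();
        if (isDevelopmentEnvironment) { app.UseDeveloperExceptionPage(); }
    }
    public void Unguarded(IApplicationBuilder app) { app.UseDeveloperExceptionPage(); }
}";

// Method scope: the FP on line 6 is gone, only the unguarded call on line 8 is reported.
Console.WriteLine(string.Join(",", DebugFeatureCheck.Unsanitized(sample, classScope: false)));
// Class scope: nothing is reported, since Configure's IsDevelopment() sanitizes the whole class.
Console.WriteLine(string.Join(",", DebugFeatureCheck.Unsanitized(sample, classScope: true)));

// Hypothetical stand-alone check, not the SonarAnalyzer.CSharp implementation: a
// UseDeveloperExceptionPage() call counts as sanitized when an IsDevelopment() call
// appears in the same method, or (classScope = true) anywhere in the same class.
static class DebugFeatureCheck
{
    // Returns the 1-based line numbers of unsanitized UseDeveloperExceptionPage() calls.
    public static int[] Unsanitized(string source, bool classScope)
    {
        var root = CSharpSyntaxTree.ParseText(source).GetRoot();
        return root.DescendantNodes().OfType<InvocationExpressionSyntax>()
            .Where(call => Calls(call, "UseDeveloperExceptionPage") && !IsSanitized(call, classScope))
            .Select(call => call.GetLocation().GetLineSpan().StartLinePosition.Line + 1)
            .ToArray();
    }

    static bool IsSanitized(InvocationExpressionSyntax call, bool classScope)
    {
        SyntaxNode scope = classScope
            ? (SyntaxNode)call.Ancestors().OfType<ClassDeclarationSyntax>().FirstOrDefault()
            : call.Ancestors().OfType<MethodDeclarationSyntax>().FirstOrDefault();
        return scope != null && scope.DescendantNodes().OfType<InvocationExpressionSyntax>()
            .Any(i => Calls(i, "IsDevelopment"));
    }

    static bool Calls(InvocationExpressionSyntax call, string name) =>
        call.Expression is MemberAccessExpressionSyntax m && m.Name.Identifier.Text == name;
}
```

The class-scope variant removes more false positives but also hides an unguarded call in another method of the same class, which is the trade-off the "same method/class" wording leaves open.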

@andrei-epure-sonarsource andrei-epure-sonarsource added Type: False Positive Rule IS triggered when it shouldn't be. Area: C# C# rules related issues. Area: Security Related to Vulnerability and Security Hotspot rules labels Nov 8, 2021
@csaba-sagi-sonarsource csaba-sagi-sonarsource added this to the 8.34 milestone Jan 7, 2022
@andrei-epure-sonarsource andrei-epure-sonarsource changed the title Reduce S4507 FP when env.IsDevelopment(); is used Fix S4507 FP: relax env.IsDevelopment(); sanitizer Jan 12, 2022