Delivering code in production with debug features activated is security-sensitive. It has led in the past to the following vulnerabilities:
An application’s debug features enable developers to find bugs more easily and thus facilitate also the work of attackers. It often gives access to detailed information on both the system running the application and users.
There is a risk if you answered yes to any of those questions.
Do not enable debug features on production servers.
The .Net Core framework offers multiple features which help during debug.
Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage and
Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage are two of them. Make sure that those features are disabled in
production.
Use if (env.IsDevelopment()) to disable debug code.
This rule raises issues when the following .Net Core methods are called:
Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage,
Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
namespace mvcApp
{
public class Startup2
{
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
// Those calls are Sensitive because it seems that they will run in production
app.UseDeveloperExceptionPage(); // Sensitive
app.UseDatabaseErrorPage(); // Sensitive
}
}
}
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
namespace mvcApp
{
public class Startup2
{
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
// The following calls are ok because they are disabled in production
app.UseDeveloperExceptionPage(); // Compliant
app.UseDatabaseErrorPage(); // Compliant
}
}
}
}
This rule does not analyze configuration files. Make sure that debug mode is not enabled by default in those files.