How to resolve the SonarQube Security Hotspot warning "Make sure that permissions are controlled safely here" on this line:
ClaimsPrincipal principal = new ClaimsPrincipal(identity);
Controlling permissions is security-sensitive. It has led in the past to the following vulnerabilities:
CVE-2018-12999
CVE-2018-10285
CVE-2017-7455
The rule's recommended example looks like this (comments translated; the "..." placeholders are the rule's own and are left as-is):

    using System;
    using System.Collections.ObjectModel;
    using System.IdentityModel.Tokens;
    using System.Security.Claims;
    using System.Security.Permissions;
    using System.Security.Principal;
    using System.Threading;
    using System.Web;

    class SecurityPrincipalDemo
    {
        class MyIdentity : IIdentity // Sensitive, custom IIdentity implementations should be reviewed
        {
            // ...
        }

        class MyPrincipal : IPrincipal // Sensitive, custom IPrincipal implementations should be reviewed
        {
            // ...
        }

        [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] // Sensitive. The access restrictions enforced by this attribute should be reviewed.
        static void CheckAdministrator()
        {
            WindowsIdentity MyIdentity = WindowsIdentity.GetCurrent(); // Sensitive
            HttpContext.User = ...; // Sensitive: review all references (set and get) to System.Web HttpContext.User
            AppDomain domain = AppDomain.CurrentDomain;
            domain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal); // Sensitive
            MyIdentity identity = new MyIdentity(); // Sensitive
            MyPrincipal MyPrincipal = new MyPrincipal(identity); // Sensitive
            Thread.CurrentPrincipal = MyPrincipal; // Sensitive
            domain.SetThreadPrincipal(MyPrincipal); // Sensitive
            // All instantiations of PrincipalPermission should be reviewed.
            PrincipalPermission principalPerm = new PrincipalPermission(null, "Administrators"); // Sensitive
            principalPerm.Demand();
            SecurityTokenHandler handler = ...;
            // Sensitive: this creates an identity.
            ReadOnlyCollection<ClaimsIdentity> identities = handler.ValidateToken(…);
        }

        // Sensitive: review how this function uses the identity and principal.
        void modifyPrincipal(MyIdentity identity, MyPrincipal principal)
        {
            // ...
        }
    }
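A hotspot is a review item rather than a defect, so the practical question is what the reviewer checks at the flagged `new ClaimsPrincipal(identity)` line. The following is an added example, not code from the question or from SonarSource; the class, method and scheme names (PrincipalReview, Build, RequireRole, "AppAuthentication") are illustrative. It shows the two things worth verifying: that the identity carries an authentication type (otherwise it is anonymous) and that role checks deny anonymous principals even when a role claim is present.

```csharp
using System;
using System.Security.Claims;

public static class PrincipalReview
{
    // Hypothetical scheme name; any non-empty authentication type marks the identity as authenticated.
    private const string AuthType = "AppAuthentication";

    // Build the principal only from claims the caller has already validated.
    // The authenticationType argument is what makes Identity.IsAuthenticated true;
    // a ClaimsIdentity constructed without one is treated as anonymous.
    public static ClaimsPrincipal Build(string userName, params string[] roles)
    {
        var identity = new ClaimsIdentity(AuthType, ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity); // the line SonarQube flags for review
    }

    // Deny by default: an unauthenticated principal never passes, and role
    // membership is read from the role claim type fixed in Build above.
    public static bool RequireRole(ClaimsPrincipal principal, string role)
    {
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        return principal.IsInRole(role);
    }

    public static void Main()
    {
        var admin = Build("alice", "Administrators"); // constructed sample user

        // Constructed edge case: a role claim on an identity with no authentication type.
        // ClaimsPrincipal.IsInRole alone would answer true here, because it only looks
        // for a matching role claim; RequireRole still denies it.
        var forged = new ClaimsIdentity();
        forged.AddClaim(new Claim(ClaimTypes.Role, "Administrators"));
        var anonymous = new ClaimsPrincipal(forged);

        Console.WriteLine(RequireRole(admin, "Administrators"));
        Console.WriteLine(RequireRole(admin, "Auditors"));
        Console.WriteLine(anonymous.IsInRole("Administrators"));
        Console.WriteLine(RequireRole(anonymous, "Administrators"));
    }
}
```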
Solution
Never mind. I resolved it by declaring it private readonly.