csharp.dotnet.security.audit.open-directory-listing.open-directory-listing


Directory browsing is enabled (AddDirectoryBrowser / UseDirectoryBrowser), which can expose a listing of the files under the mapped path and reveal sensitive information to attackers.


Definition

# Flags ASP.NET Core directory browsing being switched on, either by
# registering the service (AddDirectoryBrowser) or by adding the middleware
# (UseDirectoryBrowser). The examples below are the fixture this rule is
# tested against.
rules:
  - id: open-directory-listing
    message: An open directory listing is potentially exposed, potentially revealing
      sensitive information to attackers.
    # Severity INFO / likelihood LOW, presumably because enabling the feature
    # is a configuration choice rather than a bug in itself; what gets listed
    # depends on the FileProvider/RequestPath that is mapped (see the
    # positive example).
    severity: INFO
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe:
        - "CWE-548: Exposure of Information Through Directory Listing"
      # NOTE(review): the 2021 entry says A01 (Broken Access Control) while
      # the reference link below points at A05 (Security Misconfiguration).
      # OWASP's published CWE mapping places CWE-548 under A01:2021 —
      # reconcile the two.
      owasp:
        - A06:2017 - Security Misconfiguration
        - A01:2021 - Broken Access Control
      references:
        - https://cwe.mitre.org/data/definitions/548.html
        - https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
        - https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing
      subcategory:
        - vuln
      technology:
        - .net
        - mvc
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - csharp
    patterns:
      - pattern-either:
          # The middleware that serves listings; the typed metavariable only
          # matches when the receiver resolves to IApplicationBuilder.
          - pattern: (IApplicationBuilder $APP).UseDirectoryBrowser(...);
          # The service-registration counterpart, matched on any `.Services`.
          - pattern: $BUILDER.Services.AddDirectoryBrowser(...);
      # NOTE(review): matches are confined to a `public void Configure(...)`
      # body, i.e. the Startup-class hosting model. Minimal-hosting apps
      # (.NET 6+ Program.cs top-level statements) and Startup apps that call
      # AddDirectoryBrowser from ConfigureServices fall outside this
      # constraint and will not be reported — confirm that is intended, or
      # drop/widen it.
      - pattern-inside: |
          public void Configure(...) {
            ...
          }

Examples

open-directory-listing.cs


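// Positive fixture for open-directory-listing: both the service registration
// and the middleware sit inside a Configure(...) method, which is what the
// rule's pattern-inside requires. Each `// ruleid:` line must stay directly
// above the statement it annotates.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // Parameterless overload: Configure has no `args` parameter, so the
    // original CreateBuilder(args) call did not compile. Building a
    // WebApplicationBuilder inside Startup.Configure is not a real hosting
    // setup either; it is kept only so AddDirectoryBrowser is matched under
    // the rule's Configure-scoped constraint.
    var builder = WebApplication.CreateBuilder();
    // ruleid: open-directory-listing
    builder.Services.AddDirectoryBrowser();

    // The listing is scoped to the "data" folder under the web root and
    // mounted at /data. NOTE(review): nothing here restricts who may request
    // the listing — if that folder holds anything non-public, confirm the
    // pipeline puts authentication/authorization in front of it, or do not
    // enable browsing at all outside development.
    var fileProvider = new PhysicalFileProvider(Path.Combine(builder.Environment.WebRootPath, "data"));
    var requestPath = "/data";

    // ruleid: open-directory-listing
    app.UseDirectoryBrowser(new DirectoryBrowserOptions
    {
        FileProvider = fileProvider,
        RequestPath = requestPath
    });
}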


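// Negative fixture: ordinary service registration and middleware that have
// nothing to do with directory browsing must not be reported.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // Parameterless overload: Configure has no `args` parameter, so the
    // original CreateBuilder(args) call did not compile.
    var builder = WebApplication.CreateBuilder();
    // ok : open-directory-listing
    builder.Services.AddRazorPages();

    // ok : open-directory-listing
    app.UseHttpsRedirection();
}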