#csharp
Rulesets (3)
Rules (80)
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepThis code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepDetected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
semgrepSSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
semgrepSSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
semgrepSSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
semgrepThe web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepXPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepThe software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
semgrepLDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.
semgrepMass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.
semgrepA misconfigured lockout mechanism allows an attacker to execute brute-force attacks. Account lockout must be correctly configured and enabled to prevent these attacks.
semgrepAn open directory listing is potentially exposed, potentially revealing sensitive information to attackers.
semgrep$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.
semgrepUser-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.
semgrepUsage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.
semgrepUsage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.
semgrepYou are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.
semgrepYou are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.
semgrepString interpolation in log message obscures the distinction between variables and the log message. Use structured logging instead, where the variables are passed as additional arguments and the interpolation is performed by the logging library. This reduces the possibility of log injection and makes it easier to search through logs.
semgrepDouble.Epsilon is defined by .NET as the smallest value that can be added to or subtracted from a zero-value Double. It is unsuitable for equality comparisons of non-zero Double values. Furthermore, the value of Double.Epsilon is framework and processor architecture dependent. Wherever possible, developers should prefer the framework Equals() method over custom equality implementations.
semgrepPotential inter-process write of RegionInfo $RI via $PIPESTREAM $P that was instantiated with a two-character culture code $REGION. Per .NET documentation, if you want to persist a RegionInfo object or communicate it between processes, you should instantiate it by using a full culture name rather than a two-letter ISO region code.
semgrepSending the trusted CA list increases the size of the handshake request and can leak system configuration information.
semgrepThe TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.
semgrepValidating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.
semgrepAccepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.
semgrepString argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.
semgrepTypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.
semgrepA query string parameter may contain a URL value that could cause the web application to redirect the request to a malicious website controlled by an attacker. Make sure to sanitize this parameter sufficiently.
semgrepStacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.
semgrepXmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.
semgrepXmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.
semgrepXmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
semgrepAnonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.
semgrepThe HSTS HTTP response security header is missing, allowing interaction and communication to be sent over the insecure HTTP protocol.