C#-CWE-276
Incorrect Default Permissions (CWE-276): files or directories created with insecure default ACLs
Required inputs: CSharpAST
**Vulnerable example**

```csharp
using System.IO;

void Vulnerable(string path)
{
    using var fs = File.Create(path);
    // No File.SetAccessControl call: the file may have insecure default permissions.
}
```
**Secure example**

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

void Secure(string path)
{
    using var fs = File.Create(path);
    var fsec = new FileSecurity();
    // Make the current user the owner of the file.
    fsec.SetOwner(new NTAccount(Environment.UserDomainName + "\\" + Environment.UserName));
    fsec.SetAccessRuleProtection(true, false); // disable inheritance, drop inherited rules
    // Grant access to the current user only.
    fsec.AddAccessRule(new FileSystemAccessRule(
        Environment.UserDomainName + "\\" + Environment.UserName,
        FileSystemRights.FullControl,
        AccessControlType.Allow));
    File.SetAccessControl(path, fsec);
}
```
Possible Messages

| Key | Text | Severity | Disabled |
|---|---|---|---|
| default_permissions | File created without setting secure access control. | None | False |

Options
This rule shares the following common options: excludes, includes, justification_checker, post_processing, provider, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions
This rule has no individual options.