mobb-dev · corradot12 · Jan 16, 2022 · mobbjon · Jan 17, 2022 · mobbjon
diff --git a/semgrep/csharp/.NET/http_only/csharp_httpOnly_true_for_httpCookie.cs b/semgrep/csharp/.NET/http_only/csharp_httpOnly_true_for_httpCookie.cs
@@ -0,0 +1,25 @@
+using System.Web;
+
+// Example of bad usage.
+using System.Web;
+
+class ExampleClass
+{
+    public void ExampleMethod()
+    {
+        HttpCookie httpCookie = new HttpCookie("cookieName");
+        httpCookie.HttpOnly = false;
+    }
+}
+
+// Solution with the fix applied.
+using System.Web;
+
+class ExampleClass
+{
+    public void ExampleMethod()
+    {
+        HttpCookie httpCookie = new HttpCookie("cookieName");
+        httpCookie.HttpOnly = true;
+    }
+}
diff --git a/semgrep/csharp/.NET/http_only/csharp_httpOnly_true_for_httpCookie.yml b/semgrep/csharp/.NET/http_only/csharp_httpOnly_true_for_httpCookie.yml
@@ -0,0 +1,19 @@
+rules:
+  - id: csharp_httpOnly_true_for_httpCookie
+    languages:
+      - csharp
+    message: |
+      Security threat detected when allowing untrusted tokens to make it through validation. 
+    patterns:
+      - pattern-inside: |
+          using System.Web;          
+          ...
+      - pattern-inside: |
+          HttpCookie $HTTPCOOKIE = new HttpCookie($X);
+          ...
+      - pattern: |
+          $HTTPCOOKIE.HttpOnly = false;
+    fix: $HTTPCOOKIE.HttpOnly = true;
+    severity: WARNING
+    metadata:
+      references: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5404
diff --git a/semgrep/csharp/.NET/token_validation/csharp_token_audience_validation_check_enabled.yaml b/semgrep/csharp/.NET/token_validation/csharp_token_audience_validation_check_enabled.yaml
@@ -0,0 +1,19 @@
+rules:
+  - id: token_audience_validation_check_enabled
+    languages:
+      - csharp
+    message: |
+      The tokens allowed do not meet the minimum security recommendations! 
+    patterns:
+      - pattern-inside:
+          using Microsoft.IdentityModel.Tokens;
+          ...
+      - pattern-inside:
+          TokenValidationParameters $PARAMETERS = new TokenValidationParameters();
+          ... 
+      - pattern:
+          $PARAMETERS.ValidateAudience = false;
+    fix: $PARAMETERS.ValidateAudience = true;
+    severity: WARNING
+    metadata:
+      references: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5404
diff --git a/semgrep/csharp/.NET/token_validation/csharp_token_issuer_validation_check_enabled.yaml b/semgrep/csharp/.NET/token_validation/csharp_token_issuer_validation_check_enabled.yaml
@@ -0,0 +1,16 @@
+rules:
+  - id: token_issuer_validation_check_enabled
+    languages:
+      - csharp
+    message: |
+      Insecure token validation. 
+    patterns:
+      - pattern-inside:
+          using Microsoft.IdentityModel.Tokens;
+          ...
+      - pattern-inside:
+          TokenValidationParameters $PARAMETERS = new TokenValidationParameters();
+          ... 
+      - pattern:
+          $PARAMETERS.ValidateIssuer = false;
+    severity: WARNING
diff --git a/semgrep/csharp/.NET/token_validation/csharp_token_lifetime_validation_check_enabled.yaml b/semgrep/csharp/.NET/token_validation/csharp_token_lifetime_validation_check_enabled.yaml
@@ -0,0 +1,19 @@
+rules:
+  - id: token_lifetime_validation_check_enabled
+    languages:
+      - csharp
+    message: |
+      Insecure token validation. 
+    patterns:
+      - pattern-inside:
+          using Microsoft.IdentityModel.Tokens;
+          ...
+      - pattern-inside:
+          TokenValidationParameters $PARAMETERS = new TokenValidationParameters();
+          ... 
+      - pattern:
+          $PARAMETERS.ValidateLifetime = false;
+    fix: $PARAMETERS.ValidateLifetime = true;
+    severity: WARNING
+    metadata:
+      references: https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5404
diff --git a/...p/.NET/token_validation/csharp_token_reqire_expiration_time_validation_check_enabled.yaml b/...p/.NET/token_validation/csharp_token_reqire_expiration_time_validation_check_enabled.yaml
@@ -0,0 +1,16 @@
+rules:
+  - id: token_audience_validation_check_enabled
+    languages:
+      - csharp
+    message: |
+      The tokens allowed do not meet the minimum security recommendations! 
+    patterns:
+      - pattern-inside:
+          using Microsoft.IdentityModel.Tokens;
+          ...
+      - pattern-inside:
+          TokenValidationParameters $PARAMETERS = new TokenValidationParameters();
+          ... 
+      - pattern:
+          $PARAMETERS.RequireExpirationTime = false;
+    severity: WARNING
diff --git a/semgrep/csharp/.NET/token_validation/csharp_token_validation_checks.cs b/semgrep/csharp/.NET/token_validation/csharp_token_validation_checks.cs
@@ -0,0 +1,28 @@
+using System;
+using Microsoft.IdentityModel.Tokens;
+
+// Example of bad usage.
+class BadUsageExample
+{
+    public void ExampleMethod()
+    {
+        TokenValidationParameters parameters = new TokenValidationParameters();
+        parameters.RequireExpirationTime = false;
+        parameters.ValidateAudience = false;
+        parameters.ValidateIssuer = false;
+        parameters.ValidateLifetime = false;
+    }
+}
+
+// Solution with the fix applied.
+class SolutionFixForExampleAbove
+{
+    public void SolutionMethod()
+    {
+        TokenValidationParameters parameters = new TokenValidationParameters();
+        parameters.RequireExpirationTime = true;
+        parameters.ValidateAudience = true;
+        parameters.ValidateIssuer = true;
+        parameters.ValidateLifetime = true;
+    }
+}