diff --git a/tracer/src/Datadog.Trace/.editorconfig b/tracer/src/Datadog.Trace/.editorconfig
index f3ccd5441bab..5c2b5563f94b 100644
--- a/tracer/src/Datadog.Trace/.editorconfig
+++ b/tracer/src/Datadog.Trace/.editorconfig
@@ -66,3 +66,110 @@
 dotnet_diagnostic.CA1870.severity = error # Use a cached SearchValues instance
 dotnet_diagnostic.CA1871.severity = error # Do not pass a nullable struct to ArgumentNullException.ThrowIfNull.
 dotnet_diagnostic.CA1872.severity = error # Prefer Convert.ToHexString over BitConverter.ToString
+# Microsoft security analyzers
+dotnet_diagnostic.CA2100.severity = error # Review SQL queries for security vulnerabilities
+dotnet_diagnostic.CA2109.severity = error # Review visible event handlers
+dotnet_diagnostic.CA2119.severity = error # Seal methods that satisfy private interfaces
+dotnet_diagnostic.CA2153.severity = error # Avoid handling corrupted state exceptions
+dotnet_diagnostic.CA2300.severity = error # Do not use insecure deserializer BinaryFormatter
+dotnet_diagnostic.CA2301.severity = error # Do not call BinaryFormatter.Deserialize without first setting Binder
+dotnet_diagnostic.CA2302.severity = error # Ensure BinaryFormatter.Binder is set before calling Deserialize
+dotnet_diagnostic.CA2305.severity = error # Do not use insecure deserializer LosFormatter
+dotnet_diagnostic.CA2310.severity = error # Do not use insecure deserializer NetDataContractSerializer
+dotnet_diagnostic.CA2311.severity = error # Do not deserialize without first setting NetDataContractSerializer.Binder
+dotnet_diagnostic.CA2312.severity = error # Ensure NetDataContractSerializer.Binder is set before deserializing
+dotnet_diagnostic.CA2315.severity = error # Do not use insecure deserializer ObjectStateFormatter
+dotnet_diagnostic.CA2321.severity = error # Do not deserialize with JavaScriptSerializer using SimpleTypeResolver
+dotnet_diagnostic.CA2322.severity = error # Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver
+dotnet_diagnostic.CA2326.severity = error # Do not use TypeNameHandling values other than None
+dotnet_diagnostic.CA2327.severity = error # Do not use insecure JsonSerializerSettings
+dotnet_diagnostic.CA2328.severity = error # Ensure that JsonSerializerSettings are secure
+dotnet_diagnostic.CA2329.severity = error # Do not deserialize with JsonSerializer using insecure configuration
+dotnet_diagnostic.CA2330.severity = error # Ensure JsonSerializer has secure configuration when deserializing
+dotnet_diagnostic.CA2350.severity = error # Ensure DataTable.ReadXml() input is trusted
+dotnet_diagnostic.CA2351.severity = error # Ensure DataSet.ReadXml() input is trusted
+dotnet_diagnostic.CA2352.severity = error # Unsafe DataSet or DataTable in serializable type
+dotnet_diagnostic.CA2353.severity = error # Unsafe DataSet or DataTable in serializable type
+dotnet_diagnostic.CA2354.severity = error # Unsafe DataSet or DataTable in deserialized object graph
+dotnet_diagnostic.CA2355.severity = error # Unsafe DataSet or DataTable in deserialized object graph
+dotnet_diagnostic.CA2356.severity = error # Unsafe DataSet or DataTable in web deserialized object graph
+dotnet_diagnostic.CA2361.severity = error # Ensure autogenerated class with DataSet.ReadXml() not used with untrusted data
+dotnet_diagnostic.CA2362.severity = error # Unsafe DataSet or DataTable in autogenerated serializable type
+dotnet_diagnostic.CA3001.severity = error # Review code for SQL injection vulnerabilities
+dotnet_diagnostic.CA3002.severity = error # Review code for XSS vulnerabilities
+dotnet_diagnostic.CA3003.severity = error # Review code for file path injection vulnerabilities
+dotnet_diagnostic.CA3004.severity = error # Review code for information disclosure vulnerabilities
+dotnet_diagnostic.CA3006.severity = error # Review code for process command injection vulnerabilities
+dotnet_diagnostic.CA3007.severity = error # Review code for open redirect vulnerabilities
+dotnet_diagnostic.CA3008.severity = error # Review code for XPath injection vulnerabilities
+dotnet_diagnostic.CA3009.severity = error # Review code for XML injection vulnerabilities
+dotnet_diagnostic.CA3010.severity = error # Review code for XAML injection vulnerabilities
+dotnet_diagnostic.CA3011.severity = error # Review code for DLL injection vulnerabilities
+dotnet_diagnostic.CA3012.severity = error # Review code for regex injection vulnerabilities
+dotnet_diagnostic.CA3061.severity = error # Do not add schema by URL
+dotnet_diagnostic.CA3075.severity = error # Insecure DTD Processing
+dotnet_diagnostic.CA3076.severity = error # Insecure XSLT Script Execution
+dotnet_diagnostic.CA3077.severity = error # Insecure Processing in API Design, XML Document and XML Text Reader
+dotnet_diagnostic.CA3147.severity = error # Mark verb handlers with ValidateAntiForgeryToken
+dotnet_diagnostic.CA5350.severity = error # Do Not Use Weak Cryptographic Algorithms
+dotnet_diagnostic.CA5351.severity = error # Do Not Use Broken Cryptographic Algorithms
+dotnet_diagnostic.CA5358.severity = error # Do Not Use Unsafe Cipher Modes
+dotnet_diagnostic.CA5359.severity = error # Do not disable certificate validation
+dotnet_diagnostic.CA5360.severity = error # Do not call dangerous methods in deserialization
+dotnet_diagnostic.CA5361.severity = error # Do not disable SChannel use of strong crypto
+dotnet_diagnostic.CA5362.severity = error # Potential reference cycle in deserialized object graph
+dotnet_diagnostic.CA5363.severity = error # Do not disable request validation
+dotnet_diagnostic.CA5364.severity = error # Do not use deprecated security protocols
+dotnet_diagnostic.CA5365.severity = error # Do Not Disable HTTP Header Checking
+dotnet_diagnostic.CA5366.severity = error # Use XmlReader For DataSet Read XML
+dotnet_diagnostic.CA5367.severity = error # Do Not Serialize Types With Pointer Fields
+dotnet_diagnostic.CA5368.severity = error # Set ViewStateUserKey For Classes Derived From Page
+dotnet_diagnostic.CA5369.severity = error # Use XmlReader for Deserialize
+dotnet_diagnostic.CA5370.severity = error # Use XmlReader for validating reader
+dotnet_diagnostic.CA5371.severity = error # Use XmlReader for schema read
+dotnet_diagnostic.CA5372.severity = error # Use XmlReader for XPathDocument
+dotnet_diagnostic.CA5373.severity = error # Do not use obsolete key derivation function
+dotnet_diagnostic.CA5374.severity = error # Do Not Use XslTransform
+dotnet_diagnostic.CA5375.severity = error # Do not use account shared access signature
+dotnet_diagnostic.CA5376.severity = error # Use SharedAccessProtocol HttpsOnly
+dotnet_diagnostic.CA5377.severity = error # Use container level access policy
+dotnet_diagnostic.CA5378.severity = error # Do not disable ServicePointManagerSecurityProtocols
+dotnet_diagnostic.CA5379.severity = error # Ensure key derivation function algorithm is sufficiently strong
+dotnet_diagnostic.CA5380.severity = error # Do not add certificates to root store
+dotnet_diagnostic.CA5381.severity = error # Ensure certificates are not added to root store
+dotnet_diagnostic.CA5382.severity = error # Use secure cookies in ASP.NET Core
+dotnet_diagnostic.CA5383.severity = error # Ensure use secure cookies in ASP.NET Core
+dotnet_diagnostic.CA5384.severity = error # Do not use digital signature algorithm (DSA)
+dotnet_diagnostic.CA5385.severity = error # Use RSA algorithm with sufficient key size
+dotnet_diagnostic.CA5386.severity = error # Avoid hardcoding SecurityProtocolType value
+dotnet_diagnostic.CA5387.severity = error # Do not use weak key derivation function with insufficient iteration count
+dotnet_diagnostic.CA5388.severity = error # Ensure sufficient iteration count when using weak key derivation function
+dotnet_diagnostic.CA5389.severity = error # Do not add archive item's path to the target file system path
+dotnet_diagnostic.CA5390.severity = error # Do not hard-code encryption key
+dotnet_diagnostic.CA5391.severity = error # Use antiforgery tokens in ASP.NET Core MVC controllers
+# dotnet_diagnostic.CA5392.severity = error # Use DefaultDllImportSearchPaths attribute for P/Invokes - too many P/Invoke methods to fix
+dotnet_diagnostic.CA5393.severity = error # Do not use unsafe DllImportSearchPath value
+dotnet_diagnostic.CA5394.severity = error # Do not use insecure randomness
+dotnet_diagnostic.CA5395.severity = error # Miss HttpVerb attribute for action methods
+dotnet_diagnostic.CA5396.severity = error # Set HttpOnly to true for HttpCookie
+dotnet_diagnostic.CA5397.severity = error # Do not use deprecated SslProtocols values
+dotnet_diagnostic.CA5398.severity = error # Avoid hardcoded SslProtocols values
+dotnet_diagnostic.CA5399.severity = error # Definitely disable HttpClient certificate revocation list check
+dotnet_diagnostic.CA5400.severity = error # Ensure HttpClient certificate revocation list check is not disabled
+dotnet_diagnostic.CA5401.severity = error # Do not use CreateEncryptor with non-default IV
+dotnet_diagnostic.CA5402.severity = error # Use CreateEncryptor with the default IV
+dotnet_diagnostic.CA5403.severity = error # Do not hard-code certificate
+dotnet_diagnostic.CA5404.severity = error # Do not disable token validation checks
+dotnet_diagnostic.CA5405.severity = error # Do not always skip token validation in delegates
+
+# Disable security analyzers for vendored third-party code
+[Vendors/**/*.{cs,vb}]
+dotnet_diagnostic.CA2300.severity = none
+dotnet_diagnostic.CA2301.severity = none
+dotnet_diagnostic.CA2302.severity = none
+dotnet_diagnostic.CA5350.severity = none
+dotnet_diagnostic.CA5351.severity = none
+dotnet_diagnostic.CA5393.severity = none
+dotnet_diagnostic.CA5394.severity = none
+dotnet_diagnostic.CA5401.severity = none
+
diff --git a/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/Testing/DotnetTest/DotnetCommon.cs b/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/Testing/DotnetTest/DotnetCommon.cs
index 0ba5292ed2dd..a6b63bb984a7 100644
--- a/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/Testing/DotnetTest/DotnetCommon.cs
+++ b/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/Testing/DotnetTest/DotnetCommon.cs
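Review bot: The `[Vendors/**/*.{cs,vb}]` override at the end of the hunk silences eight rules (CA2300–CA2302, CA5350, CA5351, CA5393, CA5394, CA5401) without recording the criterion, so the next engineer vendoring code cannot tell whether to extend this list or to patch the findings in the vendored sources. If these are simply the rules that currently fire under Vendors/, a comment under the section header such as `# Only the security rules known to fire in vendored code are silenced here; extend this list rather than patching vendored sources` would keep the exception auditable. The header comment `# Disable security analyzers for vendored third-party code` also reads wider than what follows, since every other security rule enabled above still applies to Vendors/, which is presumably intended and worth stating in that same comment. The commented-out CA5392 line is the one entry in the block that already records its reason inline, and the override section would benefit from the same habit.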
@@ -228,8 +228,11 @@ internal static bool TryGetCoveragePercentageFromXml(string filePath, out double
 }
 
 // Load Code Coverage from the file.
- var xmlDoc = new XmlDocument();
- xmlDoc.Load(filePath);
+ var xmlDoc = new XmlDocument() { XmlResolver = null };
+ using (var reader = XmlReader.Create(filePath, new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null }))
+ {
+ xmlDoc.Load(reader);
+ }
 
 if (xmlDoc.SelectSingleNode("/CoverageSession/Summary/@sequenceCoverage") is { } seqCovAttribute
 && double.TryParse(seqCovAttribute.Value, NumberStyles.AllowDecimalPoint, CultureInfo.InvariantCulture, out var seqCovValue))
diff --git a/tracer/src/Datadog.Trace/Debugger/RateLimiting/AdaptiveSampler.cs b/tracer/src/Datadog.Trace/Debugger/RateLimiting/AdaptiveSampler.cs
index 8a2f6849d50b..bd58f2ac8299 100644
--- a/tracer/src/Datadog.Trace/Debugger/RateLimiting/AdaptiveSampler.cs
+++ b/tracer/src/Datadog.Trace/Debugger/RateLimiting/AdaptiveSampler.cs
@@ -131,7 +131,9 @@ public bool Drop()
 
 public double NextDouble()
 {
+#pragma warning disable CA5394 // Intentional: non-security randomness for rate limiting
 return ThreadSafeRandom.Shared.NextDouble();
+#pragma warning restore CA5394
 }
 
 private double ComputeIntervalAlpha(int lookback)
diff --git a/tracer/src/Datadog.Trace/Iast/Aspects/System.Security.Cryptography/SymmetricAlgorithmAspect.cs b/tracer/src/Datadog.Trace/Iast/Aspects/System.Security.Cryptography/SymmetricAlgorithmAspect.cs
index 030e907a0eb6..b6a0dad962e9 100644
--- a/tracer/src/Datadog.Trace/Iast/Aspects/System.Security.Cryptography/SymmetricAlgorithmAspect.cs
+++ b/tracer/src/Datadog.Trace/Iast/Aspects/System.Security.Cryptography/SymmetricAlgorithmAspect.cs
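Review bot: `DtdProcessing.Prohibit` on the new `XmlReaderSettings` changes the failure mode of the load, not only its safety: a coverage file that carries a DOCTYPE declaration now throws `XmlException` out of `XmlReader.Create` / `xmlDoc.Load(reader)` where the old `xmlDoc.Load(filePath)` would have parsed it, so the exception handling of `TryGetCoveragePercentageFromXml`, which begins and ends outside the hunk, should be confirmed to turn that into a `false` return rather than propagating to the caller. A one-line comment on the `using` line would record the intent for the next reader, e.g. `// Coverage reports never need a DTD: prohibit it and drop the resolver so no external entities are fetched`. As a style point, `new XmlDocument() { XmlResolver = null }` can be written `new XmlDocument { XmlResolver = null }`, and if the file already compiles as C# 8 or later the `using` block around the single `Load` call can become a using declaration.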
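Review bot: The `#pragma warning disable CA5394` / `restore` pair wrapped around the single `return ThreadSafeRandom.Shared.NextDouble();` line in `NextDouble()` keeps the justification in a free-text comment that no tooling reads; a `[SuppressMessage("Security", "CA5394", Justification = "Non-security randomness for rate limiting")]` attribute on the method scopes the suppression to the same member, makes the reason queryable, and needs only `System.Diagnostics.CodeAnalysis` in scope. The same applies to the three identical disable/restore pairs added to `InitDES`, `InitRC2` and `InitTripleDES` in `SymmetricAlgorithmAspect.cs`, where one attribute per method would carry the shared IAST justification once instead of three times. Whether CA5394 fires on this call at all depends on the static type of `ThreadSafeRandom.Shared`, which is not visible here; if it is not `System.Random`, the pragma is dead and can be dropped.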
@@ -40,7 +40,9 @@ private static void ProcessCipherClassCreation(SymmetricAlgorithm target)
 [AspectCtorReplace("System.Security.Cryptography.DESCryptoServiceProvider::.ctor()")]
 public static DESCryptoServiceProvider InitDES()
 {
+#pragma warning disable CA5351 // Intentional: IAST aspect replaces weak crypto constructor to detect its usage
 var target = new DESCryptoServiceProvider();
+#pragma warning restore CA5351
 try
 {
 ProcessCipherClassCreation(target);
@@ -60,7 +62,9 @@ public static DESCryptoServiceProvider InitDES()
 [AspectCtorReplace("System.Security.Cryptography.RC2CryptoServiceProvider::.ctor()")]
 public static RC2CryptoServiceProvider InitRC2()
 {
+#pragma warning disable CA5351 // Intentional: IAST aspect replaces weak crypto constructor to detect its usage
 var target = new RC2CryptoServiceProvider();
+#pragma warning restore CA5351
 try
 {
 ProcessCipherClassCreation(target);
@@ -80,7 +84,9 @@ public static RC2CryptoServiceProvider InitRC2()
 [AspectCtorReplace("System.Security.Cryptography.TripleDESCryptoServiceProvider::.ctor()")]
 public static TripleDESCryptoServiceProvider InitTripleDES()
 {
+#pragma warning disable CA5350 // Intentional: IAST aspect replaces weak crypto constructor to detect its usage
 var target = new TripleDESCryptoServiceProvider();
+#pragma warning restore CA5350
 try
 {
 ProcessCipherClassCreation(target);
diff --git a/tracer/src/Datadog.Trace/Util/Md5Helper.cs b/tracer/src/Datadog.Trace/Util/Md5Helper.cs
index efb698e5d5a5..51e703d76853 100644
--- a/tracer/src/Datadog.Trace/Util/Md5Helper.cs
+++ b/tracer/src/Datadog.Trace/Util/Md5Helper.cs
@@ -9,6 +9,8 @@
 using System.Security.Cryptography;
 using System.Text;
 
+#pragma warning disable CA5351 // Intentional: this helper exists specifically to compute MD5 hashes
+
 namespace Datadog.Trace.Util;
 
 internal static class Md5Helper
diff --git a/tracer/src/Datadog.Trace/Util/RandomIdGenerator.Net6.cs b/tracer/src/Datadog.Trace/Util/RandomIdGenerator.Net6.cs
index ff663a90c4d3..ca6cb45f7c0d 100644
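Review bot: The justification on the new file-level `#pragma warning disable CA5351` in `Md5Helper.cs` restates what the file does ("exists specifically to compute MD5 hashes") rather than why a broken hash is acceptable, which is the question CA5351 asks, so an auditor of the suppression still has to go and read every caller. If the digests are only used as non-security identifiers or fingerprints, say so on the pragma, e.g. `#pragma warning disable CA5351 // Intentional: MD5 is used only as a non-cryptographic fingerprint (<name the consumers>), never for integrity or authentication`, so that a future caller wanting MD5 for a security purpose sees the constraint where the warning would otherwise have stopped them. Because the disable sits before the namespace with no matching restore, it also covers anything later added to this file, which is acceptable for a single-purpose helper but worth a word in the same comment. The pragmas added to `ThreadSafeRandom.cs` and `RandomIdGenerator.Net6.cs` at the end of this diff already name the use ("sampling and ID generation"), so matching that wording would keep the three suppressions consistent.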
--- a/tracer/src/Datadog.Trace/Util/RandomIdGenerator.Net6.cs
+++ b/tracer/src/Datadog.Trace/Util/RandomIdGenerator.Net6.cs
@@ -8,6 +8,8 @@
 using System;
 using System.Runtime.InteropServices;
 
+#pragma warning disable CA5394 // Intentional: non-security randomness for trace/span ID generation
+
 namespace Datadog.Trace.Util;
 
 ///
diff --git a/tracer/src/Datadog.Trace/Util/ThreadSafeRandom.cs b/tracer/src/Datadog.Trace/Util/ThreadSafeRandom.cs
index dd495caff3c2..9948a77a2ad8 100644
--- a/tracer/src/Datadog.Trace/Util/ThreadSafeRandom.cs
+++ b/tracer/src/Datadog.Trace/Util/ThreadSafeRandom.cs
@@ -7,6 +7,8 @@
 using System;
 
+#pragma warning disable CA5394 // Intentional: non-security randomness for sampling and ID generation
+
 namespace Datadog.Trace.Util;
 
 internal static class ThreadSafeRandom