Draft: Enhance C# semgrep rules
Problem
While updating the descriptions for semgrep's C# rules, a number of rules were identified for removal or enhancement.
Enhancement
- csharp/csrf/rule-Csrf.yml - Does not take into account that the application may rely on https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.autovalidateantiforgerytokenattribute?view=aspnetcore-7.0 (applied to a controller, or globally as an MVC filter) instead of annotating each action with `[ValidateAntiForgeryToken]`
- csharp/deserialization/rule-InsecureDeserialization.yml - no way to fix?
- csharp/endpoint/rule-UnvalidatedRedirect.yml - should exclude hardcoded string literals with a `pattern-not` on `"..."`, since a redirect to a constant target is not attacker-controlled
- csharp/injection/rule-CommandInjection.yml - could be enhanced to check that `$PSINFO = new ProcessStartInfo(...)` is not `$PSINFO = new ProcessStartInfo("...")`, i.e. exclude the case where the argument is a hardcoded string literal
- csharp/injection/rule-LdapInjection.yml - could be enhanced to check for assignment when using `UserPrincipal u = new UserPrincipal(AD);` and the AccountManagement assembly
- csharp/injection/rule-XXEInjection.yml - there are a lot more sinks than just these, I believe
- csharp/other/rule-UnsafeXSLTSettingUsed.yml - should be CWE-91 XML injection
- csharp/password/rule-PasswordComplexity.yml - check that it actually matches the options documented at https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-7.0#password
- csharp/xss/rule-Xss.yml - Not sure about all these sinks (AddHeader??). Also it is hard to give recommendations on how to fix the code when there are so many patterns being matched in a rule.
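As an illustration of the two enhancements above (the `AutoValidateAntiforgeryToken` exemption for rule-Csrf.yml and the hardcoded-literal exclusion for rule-CommandInjection.yml), here is an added example rule file. It is not the content of the GitLab rule files and is not their proposed patch; the rule ids, messages and metadata are placeholders, and the attribute/statement-sequence patterns assume the matching behaviour of semgrep's C# support, so validate the file and run it against a test target before adopting anything from it.

```yaml
rules:
  # Example 1: CSRF. Flag an [HttpPost] action that has no
  # [ValidateAntiForgeryToken], unless the enclosing controller class opts
  # into [AutoValidateAntiforgeryToken], which validates the token for every
  # unsafe-method request to that controller. Rule id and message are
  # placeholders (assumed, not GitLab's).
  - id: example-csharp-csrf-missing-antiforgery
    languages: [csharp]
    severity: WARNING
    message: >-
      POST action without anti-forgery validation. Add [ValidateAntiForgeryToken]
      to the action, or apply [AutoValidateAntiforgeryToken] to the controller.
    metadata:
      cwe: "CWE-352: Cross-Site Request Forgery (CSRF)"
    patterns:
      - pattern: |
          [HttpPost]
          public $RET $ACTION(...) { ... }
      - pattern-not: |
          [ValidateAntiForgeryToken]
          public $RET $ACTION(...) { ... }
      # Enhancement: no finding when the controller itself carries the
      # auto-validation attribute.
      - pattern-not-inside: |
          [AutoValidateAntiforgeryToken]
          class $CONTROLLER { ... }

  # Example 2: command injection. Report a ProcessStartInfo that reaches
  # Process.Start, but not when its constructor arguments are all string
  # literals ("..." in a semgrep pattern matches any string literal), since a
  # constant command line cannot be injected into. Id/message are placeholders.
  - id: example-csharp-command-injection-non-literal
    languages: [csharp]
    severity: ERROR
    message: >-
      ProcessStartInfo built from a non-literal value reaches Process.Start.
      Verify the file name and arguments cannot be attacker-controlled.
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    patterns:
      - pattern-either:
          - pattern: |
              $PSINFO = new ProcessStartInfo(...);
              ...
              Process.Start($PSINFO);
          - pattern: Process.Start(new ProcessStartInfo(...))
      # Enhancement: exclude the hardcoded-literal forms for both the
      # single-argument (file name) and two-argument (file name, arguments)
      # constructors. ProcessStartInfo("cmd.exe", userInput) is still reported
      # because its second argument is not a literal.
      - pattern-not: |
          $PSINFO = new ProcessStartInfo("...");
          ...
          Process.Start($PSINFO);
      - pattern-not: |
          $PSINFO = new ProcessStartInfo("...", "...");
          ...
          Process.Start($PSINFO);
      - pattern-not: Process.Start(new ProcessStartInfo("..."))
      - pattern-not: Process.Start(new ProcessStartInfo("...", "..."))
```

Check the file with `semgrep --validate --config <file>` and exercise it with `semgrep --test` against a C# test target annotated with `// ruleid:` / `// ok:` comments. Two caveats a reviewer would want noted: the CSRF exemption only sees the controller's own file, so an application that registers `AutoValidateAntiforgeryTokenAttribute` as a global MVC filter in its startup code will still produce findings (the rule cannot see across files); and the literal exclusion in the command-injection rule does not account for `FileName` or `Arguments` being assigned from a non-literal after a literal constructor call, which would need its own pattern.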
//cc @DavidNelsonGL @gitlab-org/secure/vulnerability-research @connorgilbert @theoretick
Edited by Isaac Dawson