using System.Web;
using System.Security.Cryptography;
using System.IO;
/// <summary>
/// Sample domain object for the CodeQL example; its telephone number is the
/// piece of private data the handler below mishandles.
/// </summary>
public class Person
{
    /// <summary>
    /// Returns the person's telephone number. The sample stub always yields an
    /// empty string; it exists only so the data flow has a source.
    /// </summary>
    public string getTelephone() => "";
}
/// <summary>
/// CodeQL documentation sample: an <see cref="IHttpHandler"/> that shows several
/// places private data (a postcode, a telephone number) should not be written —
/// a response cookie, a log, a plaintext file — contrasted with a write that
/// encrypts the data first. The lines marked BAD are the patterns the query
/// flags and are kept on purpose; do not copy them into real code.
/// </summary>
public class ExposureOfPrivateInformationHandler : IHttpHandler
{
    private const string CookieName = "MyCookie";
    private const string TelephoneFilePath = "telephones.txt";

    /// <summary>
    /// Handles one request. Each step is annotated BAD or GOOD for the query's benefit.
    /// </summary>
    /// <param name="ctx">The current request/response context.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        var cookies = ctx.Response.Cookies;
        var person = new Person();

        // BAD: request-supplied private data copied into a response cookie. The cookie
        // is returned to the client and persisted there, outside the server's control.
        cookies[CookieName].Value = ctx.Request.QueryString["postcode"];
        // BAD: same sink, this time fed with a telephone number from the domain object.
        cookies[CookieName].Value = person.getTelephone();

        // BAD: private data written to a log. Logs are usually readable by many
        // operators and retained far longer than the request that produced them.
        var log = new ILogger();
        log.Warn(person.getTelephone());

        // BAD: a plaintext copy of the telephone number on local disk.
        using (var plainFile = File.Open(TelephoneFilePath, FileMode.Create))
        using (var plainWriter = new StreamWriter(plainFile))
        {
            plainWriter.Write(person.getTelephone());
        }

        // GOOD: the same data, but passed through an encrypting CryptoStream before it
        // reaches disk, so the file alone does not reveal the value.
        using (var cipherFile = File.Open(TelephoneFilePath, FileMode.Create))
        using (var cipherWriter = new StreamWriter(new CryptoStream(cipherFile, GetEncryptor(), CryptoStreamMode.Write)))
        {
            cipherWriter.Write(person.getTelephone());
        }

        // GOOD: better still, do not write private values to cookies, logs or files at all.
    }

    /// <summary>
    /// Placeholder for the sample: returns <c>null</c>, so the GOOD branch above is
    /// illustrative only (CryptoStream rejects a null transform). A real handler would
    /// return a transform bound to a key held outside the source code.
    /// </summary>
    public ICryptoTransform GetEncryptor() => null;

    /// <summary>The handler keeps no per-request state, so one instance can serve many requests.</summary>
    public bool IsReusable => true;

    // UI control whose text is private data (a postcode).
    System.Windows.Forms.TextBox postcode;

    // BAD: a postcode typed into the UI is written straight to a log.
    void OnButtonClicked()
    {
        new ILogger().Warn(postcode.Text);
    }
}
/// <summary>
/// Minimal logger stand-in for the sample (a class, despite the interface-style name).
/// It models the log sink that the query treats as a leak for private data.
/// </summary>
class ILogger
{
    /// <summary>Records a warning. The stub discards <paramref name="message"/>.</summary>
    public void Warn(string message)
    {
        // Intentionally a no-op: a real logger would persist the message, which is
        // exactly why private data must never be passed here.
    }
}