Exposure of private information
ID: cs/exposure-of-sensitive-information
Kind: path-problem
Security severity: 6.5
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-359
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Private information that is written to an external location may be more exposed than it is elsewhere in the application, because that location may not be protected by the same access controls as the rest of the system.
Examples include log files, cookies, and plain-text storage on disk, all of which are often readable by operators, other processes, or other users who have no business seeing the data.
Recommendation
Ensure that private information is stored only in locations that enforce the same access controls as the rest of the system. In particular, do not write it to log files, cookies, or unencrypted files on disk. Where a log entry needs to refer to a private value, record a redacted form or a non-reversible reference rather than the value itself.
Example
The following example shows some private data, an address, being passed to an HTTP handler. The handler then writes this private information to a log file via a logging call; the query reports the flow from the request parameter to that call. The log file on disk may be readable by users who do not normally have access to this private data.
using System.Web;
using log4net;

public class PrivateInformationHandler : IHttpHandler
{
    // The original snippet left `logger` undeclared; a log4net ILog is assumed here,
    // since it matches the `logger.Info(...)` call below.
    private static readonly ILog logger =
        LogManager.GetLogger(typeof(PrivateInformationHandler));

    // Required by IHttpHandler.
    public bool IsReusable => true;

    public void ProcessRequest(HttpContext ctx)
    {
        // Private information supplied by the user.
        string address = ctx.Request.QueryString["Address1"];

        // BAD: the address is written to the log file, which may be readable
        // by people who are not allowed to see it.
        logger.Info("User has address: " + address);
    }
}
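The following is an added example, not code from the CodeQL query help, showing the same handler with the private value kept out of the log. It assumes the log4net logger used above; `IAddressStore` is a hypothetical stand-in for whatever access-controlled storage the application uses, and the `LogRefKey` application setting is a hypothetical server-side secret used to derive a log reference. Rather than writing the address, the handler logs a keyed, non-reversible reference that an operator can use to correlate the log line with the stored record.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using log4net;

// Hypothetical access-controlled store; its implementation is out of scope here.
public interface IAddressStore
{
    void Save(string user, string address);
}

public class PrivateInformationHandlerFixed : IHttpHandler
{
    private static readonly ILog logger =
        LogManager.GetLogger(typeof(PrivateInformationHandlerFixed));

    // Set at application start-up to the real store (hypothetical wiring).
    public static IAddressStore Store { get; set; }

    public bool IsReusable => true;

    public void ProcessRequest(HttpContext ctx)
    {
        string address = ctx.Request.QueryString["Address1"];

        // GOOD: the log records that an address arrived, plus a keyed,
        // non-reversible reference for correlation, but never the address itself.
        logger.Info("User supplied an address, ref=" + LogReference(address));

        // The private value goes only to storage that enforces access control.
        Store.Save(ctx.User?.Identity?.Name, address);
    }

    // HMAC-SHA256 over the value, keyed with a server-side secret read from
    // configuration (assumed to be a base64-encoded random key). A plain,
    // unkeyed hash would not do: addresses have little entropy, so anyone
    // holding the log could recover them by hashing candidate addresses.
    private static string LogReference(string value)
    {
        if (string.IsNullOrEmpty(value))
            return "none";

        byte[] key = Convert.FromBase64String(
            ConfigurationManager.AppSettings["LogRefKey"]);

        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(value));
            // The first 8 bytes are enough to correlate log lines with a
            // record; the reference is an identifier, not a secret.
            return BitConverter.ToString(mac, 0, 8)
                .Replace("-", string.Empty)
                .ToLowerInvariant();
        }
    }
}
```

The same pattern applies to the other sinks the query help lists: a cookie or an unencrypted file should carry an opaque reference or an encrypted value, never the private data itself, with the data held in a store that applies the application's normal access checks.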
References
Common Weakness Enumeration: CWE-359.