CodeQL documentation

Exposure of private information

ID: cs/exposure-of-sensitive-information
Kind: path-problem
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-359
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls


Private information that is stored in an external location may be more vulnerable because that location may not be protected by the same access controls as other parts of the system.

Examples include log files, cookies, and plain-text storage on disk.

Recommendation

Ensure that private information is only stored in secure data locations.

Example

The following example shows some private data (an address) being passed to an HTTP handler. This private information is then written to a log file. That log file on disk may be readable by users who do not normally have access to the private data.

using System.Text;
using System.Web;
using System.Web.Security;
using log4net;   // assumed logging library; the original snippet left `logger` undeclared

public class PrivateInformationHandler : IHttpHandler
{
    private static readonly ILog logger =
        LogManager.GetLogger(typeof(PrivateInformationHandler));

    // Required by IHttpHandler; omitted from the original snippet.
    public bool IsReusable => false;

    public void ProcessRequest(HttpContext ctx)
    {
        // Private data (a postal address) arrives from the query string...
        string address = ctx.Request.QueryString["Address1"];
        // ...and is written verbatim to the log file: the flow this query reports.
        logger.Info("User has address: " + address);
    }
}
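
A hardened version of the same handler, as an added example that is not part of the CodeQL documentation: the address never reaches the logging sink, only an event record without the private value does, and the address itself goes to the store meant to hold it. log4net as the logger and the `AddressStore` class are assumptions.

```csharp
using System.Web;
using log4net;   // assumed logging library, as in the example above

public class PrivateInformationHandler : IHttpHandler
{
    private static readonly ILog logger =
        LogManager.GetLogger(typeof(PrivateInformationHandler));

    public bool IsReusable => false;

    public void ProcessRequest(HttpContext ctx)
    {
        // Private data still arrives from the same request parameter.
        string address = ctx.Request.QueryString["Address1"];

        // Log the event, not the value: an audit line only needs to show that
        // an address was supplied and whether it was well-formed, so nothing
        // private ends up in a file with weaker access controls.
        bool present = !string.IsNullOrWhiteSpace(address);
        logger.Info("Address1 parameter " + (present ? "supplied" : "missing")
                    + " for user " + (ctx.User?.Identity?.Name ?? "<anonymous>"));

        if (present)
        {
            // The address is written only to the secured store that is
            // designed to hold it. AddressStore is a hypothetical helper
            // standing in for the application's protected persistence layer.
            AddressStore.Save(ctx.User?.Identity?.Name, address);
        }
    }
}

// Hypothetical placeholder for the application's protected storage.
public static class AddressStore
{
    public static void Save(string user, string address)
    {
        // Persist to a location protected by the same access controls as the
        // rest of the user's private data (database with row-level access,
        // encrypted at rest), never to a plain-text file or a log.
    }
}
```

With the value removed from the `logger.Info` argument, the query no longer finds a path from the tainted query-string read to the logging sink; the user name that is logged instead is treated here as non-private identification for audit purposes.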

References

  • Common Weakness Enumeration: CWE-359.