ASPNetDebug.ql
/**
 * @name Creating an ASP.NET debug binary may reveal sensitive information
 * @description ASP.NET projects should not produce debug binaries when deploying to production as
 *              debug builds provide additional information useful to a malicious attacker.
 * @kind problem
 * @problem.severity warning
 * @security-severity 5.9
 * @precision very-high
 * @id cs/web/debug-binary
 * @tags security
 *       maintainability
 *       frameworks/asp.net
 *       external/cwe/cwe-11
 *       external/cwe/cwe-532
 */

import csharp
import semmle.code.asp.WebConfig

from SystemWebXMLElement web, XMLAttribute debugAttribute
where
  debugAttribute = web.getAChild("compilation").getAttribute("debug") and
  not debugAttribute.getValue().toLowerCase() = "false"
select debugAttribute, "The 'debug' flag is set for an ASP.NET configuration file."
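
The `where` clause above, mirrored in Python over constructed `Web.config` snippets to show which `debug` values are reported and which are not. This is an added example, not part of the CodeQL repository: `flagged_debug_values`, `wrap` and `SAMPLES` are hypothetical names, and it assumes `SystemWebXMLElement` corresponds to a `<system.web>` element directly under the configuration root.

```python
import xml.etree.ElementTree as ET


def flagged_debug_values(web_config_xml: str) -> list:
    """Return the debug attribute values the query's where-clause would select."""
    root = ET.fromstring(web_config_xml)
    hits = []
    # Assumption: SystemWebXMLElement maps to <system.web> under the root element.
    for system_web in root.findall("system.web"):
        # web.getAChild("compilation") only looks at direct children.
        for compilation in system_web.findall("compilation"):
            value = compilation.get("debug")
            # No attribute: getAttribute("debug") has no result, so nothing is reported.
            if value is None:
                continue
            # not value.toLowerCase() = "false": every value except "false" is reported.
            if value.lower() != "false":
                hits.append(value)
    return hits


def wrap(compilation: str) -> str:
    """Embed a <compilation> element in a minimal Web.config skeleton."""
    return f"<configuration><system.web>{compilation}</system.web></configuration>"


# Constructed sample configurations (not taken from any real project).
SAMPLES = {
    "debug_true": wrap('<compilation debug="true" targetFramework="4.8"/>'),
    "debug_upper_true": wrap('<compilation debug="TRUE"/>'),
    "debug_mixed_case_false": wrap('<compilation debug="False"/>'),
    "debug_absent": wrap('<compilation targetFramework="4.8"/>'),
}


def scan_samples() -> dict:
    """Run the check over every constructed sample."""
    return {name: flagged_debug_values(xml) for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {'ALERT ' + repr(hits) if hits else 'no result'}")
```

A missing `debug` attribute produces no alert because the query binds `debugAttribute` to an existing attribute, and the `toLowerCase()` call keeps `False` or `FALSE` from being reported.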