dotnet-security-guard / roslyn-security-guard

Roslyn analyzers that aim to help security audit on .NET applications.
https://dotnet-security-guard.github.io
GNU Lesser General Public License v3.0

HttpCookie incorrectly reports SG008/SG009 when the properties are defined in-line. #76

Closed SJMakin closed 7 years ago

SJMakin commented 7 years ago

Cause: Looks like VisitAssignment in InsecureCookieAnalyzer is back to front.

Reproduction test case:

var cSharpTest = @"
using System.Web;

namespace VulnerableApp
{
    class CookieCreation
    {
        static void TestCookie()
        {
            var a = new HttpCookie(""test"")
            {
                Secure = true,
                HttpOnly = true
            };
        }
    }
}
";
await VerifyCSharpDiagnostic(cSharpTest);
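
For readers writing or reviewing a similar check, the following added example (not roslyn-security-guard code, and not a statement of the actual defect) shows how the in-line form in the test case above differs in the Roslyn syntax tree from statement-style assignment. The class name, the `PropertyName` helper and the sample source are constructed for illustration; it assumes the Microsoft.CodeAnalysis.CSharp package is referenced.

```csharp
// Added example: both ways of setting HttpCookie flags produce AssignmentExpressionSyntax
// nodes, but with a different left-hand side and a different parent node.
using System;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

static class CookieAssignmentShapes
{
    // Constructed sample: the same flags set in-line and by separate statements.
    const string Source = @"
using System.Web;
class C
{
    void M()
    {
        var a = new HttpCookie(""a"") { Secure = true, HttpOnly = true };
        var b = new HttpCookie(""b"");
        b.Secure = true;
        b.HttpOnly = true;
    }
}";

    // Returns the assigned property name for either form, or null for anything else.
    static string PropertyName(AssignmentExpressionSyntax assignment)
    {
        switch (assignment.Left)
        {
            case IdentifierNameSyntax id:          // Secure = true   (object initializer)
                return id.Identifier.ValueText;
            case MemberAccessExpressionSyntax ma:  // b.Secure = true (statement)
                return ma.Name.Identifier.ValueText;
            default:
                return null;
        }
    }

    static void Main()
    {
        var root = CSharpSyntaxTree.ParseText(Source).GetRoot();
        foreach (var assignment in root.DescendantNodes().OfType<AssignmentExpressionSyntax>())
        {
            // In-line assignments sit directly under an ObjectInitializerExpression node.
            bool inline = assignment.Parent.IsKind(SyntaxKind.ObjectInitializerExpression);
            Console.WriteLine($"{PropertyName(assignment),-8} = {assignment.Right,-5} " +
                              $"left={assignment.Left.Kind(),-28} inline={inline}");
        }
    }
}
```

A check that reads the flag value from `Right` and the property name from `Left` has to accept both shapes, and regression tests should cover the secure and insecure variants of each.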