CS.INFORMATION_EXPOSURE.ALL

Potential security information exposure

This checker flags potentially unintended logging or printing to the console of any program data. This checker will flag all instances of calls to the most widely used logging methods that report messages at error or critical error levels. This is an information level checker that is designed for those applications that require no internal data logging.

The checker is parametrizable. You can change the list of logging methods recognized by the checker by modifying the XML file that contains the checker description, located in the <install>\plugin\csharp directory.

Vulnerable code example 1

Copy 
   namespace Program
   {
       class Program
       {
           static int x = 10;
           static void Main(string[] args)
           {
               Console.WriteLine("internal data X: " + x);
           }
      }
  }

Klocwork reports a CS.INFORMATION_EXPOSURE.ALL defect at line 8, indicating that internal data is passed to a console printing method that can potentially result in the unintended exposure of sensitive data.

Vulnerable code example 2

Copy 
   namespace Program
   {
       class Program
       {
           static int x = 10;
           static void Main(string[] args)
           {
               int address = 20;
               log4net.ILog log = log4net.LogManager.GetLogger("application.log");
              log.Error("Application not started :" + address);
          }
      }
  }

Klocwork reports a CS.INFORMATION_EXPOSURE.ALL defect at line 10, indicating that internal data is passed to an error-level logging method that can potentially result in the unintended exposure of sensitive data.

Related checkers

External guidance

Security training

Application security training materials provided by Secure Code Warrior.