CS.INFORMATION_EXPOSURE.ATTR

Potential security information exposure

This checker flags potentially unintended logging, or printing to the console, of data fields marked with the [SecurityCritical] or [SecuritySafeCritical] attribute. It reports every call to the most widely used logging methods that emit messages at the error or critical-error level when such a field is passed to them.

The checker is configurable: you can change the list of logging methods it recognizes by editing the XML file that contains the checker description, located in the <install>\plugin\csharp directory.

Vulnerable code example 1

1   using System;
2   using System.Security;
3   namespace Program
4   {
5       class Program
6       {
7           [SecurityCritical]
8           static int x = 10;
9           static void Main(string[] args)
10          {
11              Console.WriteLine(" Critical X " + x);
12          }
13      }
14  }

Klocwork reports a CS.INFORMATION_EXPOSURE.ATTR defect at line 11, indicating that data ‘x’, marked with the [SecurityCritical] attribute, is printed to the console, which can potentially result in the unintended exposure of sensitive data.

Vulnerable code example 2

1   using System.Security;
2   
3   namespace Program
4   {
5       class Program
6       {
7           [SecuritySafeCritical]
8           static int y = 10;
9           static void Main(string[] args)
10          {
11              logger.Error($"y = {y}");
12          }
13  
14          public static log4net.ILog logger; // initialized elsewhere
15      }
16  }

Klocwork reports a CS.INFORMATION_EXPOSURE.ATTR defect at line 11, indicating that data ‘y’, marked with the [SecuritySafeCritical] attribute, is passed to a logging function, which can potentially result in the unintended exposure of critical data.
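The following is an added example, not part of the Klocwork documentation, showing vulnerable example 2 in a remediated form. The primary fix is that the attributed field is no longer passed to a logging method at all; as defence in depth, the value is also held in a hypothetical Secret<T> wrapper (defined here, not a library type) whose ToString() is redacted, so that an accidental string interpolation still prints nothing useful. As in the original example, logger is assumed to be a log4net.ILog initialized elsewhere.

```csharp
// Added example (not from the Klocwork documentation): hardened form of
// vulnerable example 2. "logger" is assumed to be a log4net.ILog initialized
// elsewhere; Secret<T> is a hypothetical helper defined in this file.
using System;
using System.Security;

namespace Program
{
    // Holds a sensitive value and refuses to render it as text.
    sealed class Secret<T>
    {
        private readonly T _value;

        public Secret(T value)
        {
            _value = value;
        }

        // Only code that explicitly asks receives the raw value.
        public T Expose() => _value;

        // Any implicit string conversion (string interpolation, string
        // concatenation, a logger's message formatting) yields a placeholder
        // instead of the protected value.
        public override string ToString() => "[REDACTED]";
    }

    class Program
    {
        [SecuritySafeCritical]
        static Secret<int> y = new Secret<int>(10);

        public static log4net.ILog logger; // initialized elsewhere, as in example 2

        static void Main(string[] args)
        {
            // The raw value is used for computation only; it never reaches a
            // logging or console sink.
            int limit = y.Expose();

            // Fix: the log message describes the event and contains nothing
            // derived from 'y', so there is no flow from the attributed field
            // into the logging method.
            logger.Error("Failed to apply the configured limit; see the audit record for details.");

            if (limit > 0)
            {
                Console.WriteLine("A limit is configured.");
            }
        }
    }
}
```

The wrapper only limits the damage if a future change reintroduces the field into a log call; the checker will still report any direct pass of a [SecurityCritical] or [SecuritySafeCritical] field to a recognized logging method or to the console, so keeping the field out of the call is the change that clears the defect.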

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.