Jaroslav Lobačevski
Thanks for the link, I'll investigate it. I just quickly skimmed through it and found some statements confusing, like ".NET Framework applications should use the TLS version the operating system...
Also consider the example:

```cs
public T Deserialize(string xmlString)
{
    var serializer = new XmlSerializer(typeof(T));
    StringReader reader = new StringReader(xmlString);
    return (T) serializer.Deserialize(reader);
}
```

It is tricky to call...
I would rather say of #208 but there is no repro scenario provided.
Sorry it took me so long to look at the attached project. Unfortunately I cannot reproduce. Some thoughts why:
1. If this is really a dup of #208 I think the...
Yes, the tests are disabled for this case, for example: https://github.com/security-code-scan/security-code-scan/blob/5fecefe194ce3b1519d52cd4b758e40a38bf5af6/SecurityCodeScan.Test/Tests/XssPreventionAnalyzerTest.cs#L123-L125 There are two reasons for this:
1. Technical. The current taint tracking engine doesn't support sink on return. It is possible...
I'll keep the issue as a work item in addition to the `todo`. Ideally all todos in the code have to have corresponding issues. :)
Yes, web.config rules are more complex than currently supported. See for example https://weblogs.asp.net/jongalloway/10-things-asp-net-developers-should-know-about-web-config-inheritance-and-overrides Also there are XML transformations in place. The ideal solution should probably use https://github.com/nil4/dotnet-transform-xdt before analysis too.
Thanks, I can reproduce it. It happens because any input from DbContext is always marked as tainted in [config](https://github.com/security-code-scan/security-code-scan/blob/ada966b20782dacb04b7d0411d45b956439d9823/SecurityCodeScan/Config/Main.yml#L108) which leads to this weird effect. It is not something easy...
Thank you for bringing it up. Since you are installing it globally I guess you have multiple options:
1. Install .NET 5
2. If you have the full .NET Framework installed...
Hi, I can reproduce it, but it is not clear to me why exactly it doesn't find the `DisposeAsync`: | Name | Value | Type -- | -- | --...