Custom FxCop Rule - Do not store passwords in variables in code
It is not secure to store security credentials such as user IDs or passwords in code, especially in constants or literals, because their values can be obtained by looking at an assembly's intermediate language. There is no definitive way to know whether security credentials are stored in source code, but we can infer it by looking at the names of the variables and constants used.
If you create a small VB or C# program with a few local or module-level variables or literals, build the code, then look at the IL, you can plainly see the names of the variables. The following FxCop rule does just this: FxCop calls its Check method for each member, and for methods the rule walks the method's LocalList of variables. If any of them contain the word 'user' or 'password' in their name, we infer that they hold sensitive data. However, this is no guarantee, which is why this rule's certainty level is set lower.
C# code for custom FxCop rule:
//
// Description:
// Enforces the rule of not storing database credentials in module
// level or local fields. This rule looks for variables and constants
// that contain the word "user" or "password".
//
// Because the rule doesn't discern how these fields are used, the
// rule's certainty is set to a lower value.
//
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Cci;
using Microsoft.FxCop.Sdk;
using Microsoft.FxCop.Sdk.Introspection;

public class DoNotKeepDBCredentialsInVariables : BaseMigrationIntrospectionRule
{
    public DoNotKeepDBCredentialsInVariables() : base("DoNotKeepDBCredentialsInVariables")
    {
    }

    // Called by FxCop once for every member (field, property, method, ...) in the target assembly.
    public override ProblemCollection Check(Member member)
    {
        // Check member (module-level) variables: field names are always present in the metadata.
        if (ContainsUserOrPasswordInName(member.Name.Name))
        {
            // Found an offending member variable.
            base.Problems.Add(new Problem(base.GetResolution(member.Name.Name),
                member.Name.Name));
        }

        // Look at local variables, which only methods have.
        Method method = member as Method;
        if (method == null)
        {
            // Not a method: return what the member-level check found. Returning null here
            // would silently discard a problem that was just added for a field.
            return base.Problems;
        }

        // In the introspection model the first instruction of a method is the _Locals
        // pseudo-instruction, whose Value is the method's LocalList.
        LocalList list = null;
        if (method.Instructions.Length > 0)
        {
            list = method.Instructions[0].Value as LocalList;
        }

        if (list != null)
        {
            for (int i = 0; i < list.Length; i++)
            {
                Local local = list[i];
                if (ContainsUserOrPasswordInName(local.Name.Name))
                {
                    // Found an offending local variable.
                    base.Problems.Add(new Problem(base.GetResolution(local.Name.Name),
                        local.Name.Name));
                }
            }
        }

        return base.Problems;
    }

    // Case-insensitive substring test; this is the whole heuristic, so names such as
    // "userCount" match even though they hold nothing sensitive.
    private bool ContainsUserOrPasswordInName(string variableName)
    {
        variableName = variableName.ToUpper();
        return variableName.Contains("USER") || variableName.Contains("PASSWORD");
    }
}
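The following C# target is an added example, not code from the article, showing what the name heuristic above catches and misses: a field or local whose name contains 'user' or 'password' is reported whether or not it holds a secret, while a credential in a neutrally named variable is not. It assumes a .NET Framework project referencing System.Configuration (ConfigurationManager is the assumed replacement for the hard-coded values); field names are in assembly metadata, but local names are read from the PDB, so the local checks depend on debug symbols being present.

```csharp
using System;
using System.Configuration; // ConfigurationManager; reference System.Configuration.dll

// Constructed sample target (not from the article) to exercise the name heuristic.
public class CredentialSamples
{
    // Flagged: field names live in assembly metadata and both contain "USER"/"PASSWORD".
    // Hard-coding them is exactly what the rule is meant to catch.
    private const string DbUser = "<placeholder-user>";
    private const string DbPassword = "<placeholder-password>";

    // Flagged as well, although it holds no secret: the heuristic only sees the name.
    private int _activeUserCount;

    public string WeakConnectionString()
    {
        // Missed: a hard-coded secret in a neutrally named local is invisible to a
        // name-based rule, so a clean FxCop run does not prove the assembly is free of secrets.
        string s = "<placeholder-password>";
        // Flagged (local name contains "user"). Local names come from the PDB, so this
        // check only fires when the assembly was built with debug symbols.
        string userName = DbUser;
        return "Server=db;User Id=" + userName + ";Password=" + s + ";";
    }

    // Preferred shape: no credential is present in the assembly at all. The locals are still
    // flagged by name, which is why the rule ships as a certainty-75 warning for a reviewer
    // to resolve rather than as an error.
    public string ConfigConnectionString()
    {
        string user = ConfigurationManager.AppSettings["DbUser"];
        string password = ConfigurationManager.AppSettings["DbPassword"];
        return "Server=db;User Id=" + user + ";Password=" + password + ";";
    }
}
```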
Rule definition in the XML rules file:
<Rule TypeName="DoNotKeepDBCredentialsInVariables"
      Category="VBMigration" CheckId="AA1001">
  <Name>
    Do not store security credentials in variables
  </Name>
  <Description>
    Do not store security credentials in module level or local variables
  </Description>
  <Url>
    http://www.thescarms.com/
  </Url>
  <Resolution>
    Do not store security credentials in module level or local variables. Variables with the
    word 'user' or 'password' in their name have been found. It is not secure to store
    credential information in variables.
  </Resolution>
  <MessageLevel Certainty="75">
    Warning
  </MessageLevel>
  <FixCategories>
    NonBreaking
  </FixCategories>
  <Owner />
</Rule>