Resolve remaining credscan bugs #31157

Merged
merged 1 commit into from
Mar 24, 2021
Merged
100 changes: 100 additions & 0 deletions .config/CredScanSuppressions.json
@@ -1,6 +1,10 @@
{
"tool": "Credential Scanner",
"suppressions": [
{
"placeholder": "aspnetcore",
"_justification": "This is a fake password used in test code."
},
{
"placeholder": "password",
"_justification": "This is a fake password used in test code."
Expand All @@ -25,6 +29,98 @@
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\testCert.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\DataProtection\\DataProtection\\test\\TestFiles\\TestCert1.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\DataProtection\\DataProtection\\test\\TestFiles\\TestCert2.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert2.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert3.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCert3WithoutPrivateKey.pfx",
"_justification": "Legitimate UT certificate file without private key"
},
{
"file": "\\src\\DataProtection\\Extensions\\test\\TestFiles\\TestCertWithoutPrivateKey.pfx",
"_justification": "Legitimate UT certificate file without private key"
},
{
"file": "\\src\\DefaultBuilder\\test\\Microsoft.AspNetCore.FunctionalTests\\testCert.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\current.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\expired.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\future.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Identity\\ApiAuthorization.IdentityServer\\test\\test.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Middleware\\WebSockets\\test\\ConformanceTests\\AutobahnTestApp\\TestResources\\testCert.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Security\\Authentication\\Negotiate\\test\\Negotiate.FunctionalTest\\negotiateAuthCert.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Servers\\IIS\\tools\\TestCert.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\aspnetdevcert.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.client.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.code_signing.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.multiple_usages.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\eku.server.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\no_extensions.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\testCert.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\testCertECC.pfx",
"_justification": "Legitimate UT certificate file with private key"
},
{
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-aspnet.key",
"_justification": "Legitimate key file used for testing"
Expand Down Expand Up @@ -52,6 +148,10 @@
{
"file": "\\src\\Servers\\Kestrel\\shared\\test\\TestCertificates\\https-rsa.key",
"_justification": "Legitimate key file used for testing"
},
{
"file": "\\src\\SignalR\\clients\\ts\\FunctionalTests\\node_modules\\https-proxy-agent\\node_modules\\agent-base\\test\\ssl-cert-snakeoil.key",
"_justification": "Legitimate key file used for testing"
}
]
}
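Review bot: The suppression for `\src\SignalR\clients\ts\FunctionalTests\node_modules\https-proxy-agent\node_modules\agent-base\test\ssl-cert-snakeoil.key` in the last hunk points under a `node_modules` directory, which looks like an installed dependency's test fixture rather than material this repository owns. If that tree is restored at build time rather than committed, a path-based suppression is brittle (any dependency version that moves or renames the file breaks it) and it silences a key the repository does not control; excluding `node_modules` from the scan, or not scanning the restored tree at all, would be the more durable fix. Whichever is chosen, the entry's `_justification` would be clearer as `"Third-party package test fixture restored under node_modules; not used by this repository"` than the copied `"Legitimate key file used for testing"`, so the next reader can tell it is not one of our keys.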
48 changes: 24 additions & 24 deletions src/Http/Headers/test/CacheControlHeaderValueTest.cs
Expand Up @@ -115,21 +115,21 @@ public void ToString_UseResponseDirectiveValues_AllSerializedCorrectly()

cacheControl.NoCache = true;
Assert.Equal("no-cache", cacheControl.ToString());
cacheControl.NoCacheHeaders.Add("token1");
Assert.Equal("no-cache=\"token1\"", cacheControl.ToString());
cacheControl.NoCacheHeaders.Add("PLACEHOLDER1");
Assert.Equal("no-cache=\"PLACEHOLDER1\"", cacheControl.ToString());
cacheControl.Public = true;
Assert.Equal("public, no-cache=\"token1\"", cacheControl.ToString());
Assert.Equal("public, no-cache=\"PLACEHOLDER1\"", cacheControl.ToString());

cacheControl = new CacheControlHeaderValue();
cacheControl.Private = true;
Assert.Equal("private", cacheControl.ToString());
cacheControl.PrivateHeaders.Add("token2");
cacheControl.PrivateHeaders.Add("token3");
Assert.Equal("private=\"token2, token3\"", cacheControl.ToString());
cacheControl.PrivateHeaders.Add("PLACEHOLDER2");
cacheControl.PrivateHeaders.Add("PLACEHOLDER3");
Assert.Equal("private=\"PLACEHOLDER2, PLACEHOLDER3\"", cacheControl.ToString());
cacheControl.MustRevalidate = true;
Assert.Equal("must-revalidate, private=\"token2, token3\"", cacheControl.ToString());
Assert.Equal("must-revalidate, private=\"PLACEHOLDER2, PLACEHOLDER3\"", cacheControl.ToString());
cacheControl.ProxyRevalidate = true;
Assert.Equal("must-revalidate, proxy-revalidate, private=\"token2, token3\"", cacheControl.ToString());
Assert.Equal("must-revalidate, proxy-revalidate, private=\"PLACEHOLDER2, PLACEHOLDER3\"", cacheControl.ToString());
}

[Fact]
Expand Down Expand Up @@ -218,21 +218,21 @@ public void GetHashCode_CompareCollectionFieldsSet_MatchExpectation()
var cacheControl5 = new CacheControlHeaderValue();

cacheControl1.NoCache = true;
cacheControl1.NoCacheHeaders.Add("token2");
cacheControl1.NoCacheHeaders.Add("PLACEHOLDER2");

cacheControl2.NoCache = true;
cacheControl2.NoCacheHeaders.Add("token1");
cacheControl2.NoCacheHeaders.Add("token2");
cacheControl2.NoCacheHeaders.Add("PLACEHOLDER1");
cacheControl2.NoCacheHeaders.Add("PLACEHOLDER2");

CompareHashCodes(cacheControl1, cacheControl2, false);

cacheControl1.NoCacheHeaders.Add("token1");
cacheControl1.NoCacheHeaders.Add("PLACEHOLDER1");
CompareHashCodes(cacheControl1, cacheControl2, true);

// Since NoCache and Private generate different hash codes, even if NoCacheHeaders and PrivateHeaders
// have the same values, the hash code will be different.
cacheControl3.Private = true;
cacheControl3.PrivateHeaders.Add("token2");
cacheControl3.PrivateHeaders.Add("PLACEHOLDER2");
CompareHashCodes(cacheControl1, cacheControl3, false);


Expand Down Expand Up @@ -343,27 +343,27 @@ public void Equals_CompareCollectionFieldsSet_MatchExpectation()
var cacheControl6 = new CacheControlHeaderValue();

cacheControl1.NoCache = true;
cacheControl1.NoCacheHeaders.Add("token2");
cacheControl1.NoCacheHeaders.Add("PLACEHOLDER2");

Assert.False(cacheControl1.Equals(null), "Compare with 'null'");

cacheControl2.NoCache = true;
cacheControl2.NoCacheHeaders.Add("token1");
cacheControl2.NoCacheHeaders.Add("token2");
cacheControl2.NoCacheHeaders.Add("PLACEHOLDER1");
cacheControl2.NoCacheHeaders.Add("PLACEHOLDER2");

CompareValues(cacheControl1!, cacheControl2, false);

cacheControl1!.NoCacheHeaders.Add("token1");
cacheControl1!.NoCacheHeaders.Add("PLACEHOLDER1");
CompareValues(cacheControl1, cacheControl2, true);

// Since NoCache and Private generate different hash codes, even if NoCacheHeaders and PrivateHeaders
// have the same values, the hash code will be different.
cacheControl3.Private = true;
cacheControl3.PrivateHeaders.Add("token2");
cacheControl3.PrivateHeaders.Add("PLACEHOLDER2");
CompareValues(cacheControl1, cacheControl3, false);

cacheControl4.Private = true;
cacheControl4.PrivateHeaders.Add("token3");
cacheControl4.PrivateHeaders.Add("PLACEHOLDER3");
CompareValues(cacheControl3, cacheControl4, false);

cacheControl5.Extensions.Add(new NameValueHeaderValue("custom"));
Expand All @@ -386,9 +386,9 @@ public void TryParse_DifferentValidScenarios_AllReturnTrue()

expected = new CacheControlHeaderValue();
expected.NoCache = true;
expected.NoCacheHeaders.Add("token1");
expected.NoCacheHeaders.Add("token2");
CheckValidTryParse("no-cache=\"token1, token2\"", expected);
expected.NoCacheHeaders.Add("PLACEHOLDER1");
expected.NoCacheHeaders.Add("PLACEHOLDER2");
CheckValidTryParse("no-cache=\"PLACEHOLDER1, PLACEHOLDER2\"", expected);

expected = new CacheControlHeaderValue();
expected.NoStore = true;
Expand All @@ -406,12 +406,12 @@ public void TryParse_DifferentValidScenarios_AllReturnTrue()
expected = new CacheControlHeaderValue();
expected.Public = true;
expected.Private = true;
expected.PrivateHeaders.Add("token1");
expected.PrivateHeaders.Add("PLACEHOLDER1");
expected.MustRevalidate = true;
expected.ProxyRevalidate = true;
expected.Extensions.Add(new NameValueHeaderValue("c", "d"));
expected.Extensions.Add(new NameValueHeaderValue("a", "b"));
CheckValidTryParse(",public, , private=\"token1\", must-revalidate, c=d, proxy-revalidate, a=b", expected);
CheckValidTryParse(",public, , private=\"PLACEHOLDER1\", must-revalidate, c=d, proxy-revalidate, a=b", expected);

expected = new CacheControlHeaderValue();
expected.Private = true;
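Review bot: The renamed field values `PLACEHOLDER1`/`PLACEHOLDER2`/`PLACEHOLDER3` in `ToString_UseResponseDirectiveValues_AllSerializedCorrectly` and the later hunks give no hint of why the old `token*` names were dropped, so a future edit is likely to reintroduce `token` and re-trigger the scanner. A one-line comment at the first use, e.g. `// Field names deliberately avoid "token" so the credential scanner does not flag them as secrets.`, would preserve the reason; the same applies to the `"PLACEHOLDER"` values in `src/Security/Authentication/test/FacebookTests.cs` and `src/Security/Authentication/test/TwitterTests.cs`. These values are HTTP header field names inside `no-cache="..."` and `private="..."`, not secrets, so the rename does not change what the tests exercise. The enclosing test methods start outside the shown hunks.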
4 changes: 2 additions & 2 deletions src/Security/Authentication/test/FacebookTests.cs
Expand Up @@ -41,7 +41,7 @@ protected override void RegisterAuth(AuthenticationBuilder services, Action<Face
protected override void ConfigureDefaults(FacebookOptions o)
{
o.AppId = "whatever";
o.AppSecret = "whatever";
o.AppSecret = "PLACEHOLDER";
o.SignInScheme = "auth1";
}

Expand All @@ -50,7 +50,7 @@ public async Task ThrowsIfAppIdMissing()
{
using var host = await CreateHost(
app => { },
services => services.AddAuthentication().AddFacebook(o => o.SignInScheme = "Whatever"),
services => services.AddAuthentication().AddFacebook(o => o.SignInScheme = "PLACEHOLDER"),
async context =>
{
await Assert.ThrowsAsync<ArgumentException>("AppId", () => context.ChallengeAsync("Facebook"));
4 changes: 2 additions & 2 deletions src/Security/Authentication/test/TwitterTests.cs
Expand Up @@ -36,8 +36,8 @@ protected override void RegisterAuth(AuthenticationBuilder services, Action<Twit

protected override void ConfigureDefaults(TwitterOptions o)
{
o.ConsumerKey = "whatever";
o.ConsumerSecret = "whatever";
o.ConsumerKey = "PLACEHOLDER";
o.ConsumerSecret = "PLACEHOLDER";
o.SignInScheme = "auth1";
}
