Skip to content

Fix credscan issues in aspnetcore #30337

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Mar 18, 2021
Merged

Fix credscan issues in aspnetcore #30337

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a8e91db
Fix credscan issues in DataProtection
Pilchie Feb 21, 2021
1476398
Fix credscan issues in Identity, except where they affect checked in …
Pilchie Feb 21, 2021
876440b
Updated scan
Pilchie Feb 25, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 9 additions & 9 deletions src/Components/test/E2ETest/Tests/WebAssemblyAuthenticationTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ public void AnonymousUser_GetsRedirectedToLogin_AndBackToOriginalProtectedResour
ClickAndNavigate(link, page);

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";

FirstTimeRegister(userName, password);

Expand All @@ -98,7 +98,7 @@ public void CanPreserveApplicationState_DuringLogIn()
ClickAndNavigate(link, page);

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";

FirstTimeRegister(userName, password);

Expand All @@ -118,7 +118,7 @@ public void CanShareUserRolesBetweenClientAndServer()
ClickAndNavigate(By.PartialLinkText("Log in"), "/Identity/Account/Login");

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";
FirstTimeRegister(userName, password);

ClickAndNavigate(By.PartialLinkText("Make admin"), "/new-admin");
Expand All @@ -143,7 +143,7 @@ public void AnonymousUser_CanRegister_AndGetLoggedIn()
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";
RegisterCore(userName, password);
CompleteProfileDetails();

Expand All @@ -160,7 +160,7 @@ public void AuthenticatedUser_ProfileIncludesDetails_And_AccessToken()
ClickAndNavigate(By.PartialLinkText("User"), "/Identity/Account/Login");

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";
FirstTimeRegister(userName, password);

Browser.Contains("user", () => Browser.Url);
Expand Down Expand Up @@ -215,7 +215,7 @@ public void AuthenticatedUser_CanGoToProfile()
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";
RegisterCore(userName, password);
CompleteProfileDetails();

Expand Down Expand Up @@ -257,7 +257,7 @@ public void NewlyRegisteredUser_CanLogOut()
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";
RegisterCore(userName, password);
CompleteProfileDetails();

Expand All @@ -270,7 +270,7 @@ public void AlreadyRegisteredUser_CanLogOut()
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";
RegisterCore(userName, password);
CompleteProfileDetails();

Expand All @@ -296,7 +296,7 @@ public void LoggedInUser_OnTheIdP_CanLogInSilently()
ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register");

var userName = $"{Guid.NewGuid()}@example.com";
var password = $"!Test.Password1$";
var password = $"[PLACEHOLDER]-1a";
RegisterCore(userName, password);
CompleteProfileDetails();
ValidateLoggedIn(userName);
Expand Down
8 changes: 5 additions & 3 deletions ...ticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.Text;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.Logging.Abstractions;
Expand All @@ -15,20 +16,21 @@ public class AuthenticatedEncryptorDescriptorDeserializerTests
public void ImportFromXml_Cbc_CreatesAppropriateDescriptor()
{
// Arrange
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
var descriptor = new AuthenticatedEncryptorDescriptor(
new AuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = EncryptionAlgorithm.AES_192_CBC,
ValidationAlgorithm = ValidationAlgorithm.HMACSHA512
},
"k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret());
masterKey.ToSecret());
var control = CreateEncryptorInstanceFromDescriptor(descriptor);

const string xml = @"
var xml = $@"
<encryptor version='1' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<encryption algorithm='AES_192_CBC' />
<validation algorithm='HMACSHA512' />
<masterKey enc:requiresEncryption='true'>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</masterKey>
<masterKey enc:requiresEncryption='true'>{masterKey}</masterKey>
</encryptor>";
var deserializedDescriptor = new AuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml));
var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as AuthenticatedEncryptorDescriptor);
Expand Down
17 changes: 9 additions & 8 deletions .../test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Cryptography.Cng;
using Microsoft.AspNetCore.Cryptography.SafeHandles;
Expand Down Expand Up @@ -118,20 +119,20 @@ public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation(
public void ExportToXml_ProducesCorrectPayload_Cbc()
{
// Arrange
var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, masterKey);
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, masterKey.ToSecret());

// Act
var retVal = descriptor.ExportToXml();

// Assert
Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
const string expectedXml = @"
var expectedXml = $@"
<descriptor>
<encryption algorithm='AES_192_CBC' />
<validation algorithm='HMACSHA512' />
<masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
<value>{masterKey}</value>
</masterKey>
</descriptor>";
XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);
Expand All @@ -141,20 +142,20 @@ public void ExportToXml_ProducesCorrectPayload_Cbc()
public void ExportToXml_ProducesCorrectPayload_Gcm()
{
// Arrange
var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey);
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey.ToSecret());

// Act
var retVal = descriptor.ExportToXml();

// Assert
Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
const string expectedXml = @"
var expectedXml = $@"
<descriptor>
<encryption algorithm='AES_192_GCM' />
<!-- some comment here -->
<masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
<value>{masterKey}</value>
</masterKey>
</descriptor>";
XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);
Expand Down
8 changes: 5 additions & 3 deletions ...dEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.Text;
using System.Xml.Linq;
using Microsoft.AspNetCore.Cryptography;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
Expand All @@ -18,6 +19,7 @@ public class CngCbcAuthenticatedEncryptorDescriptorDeserializerTests
[ConditionalRunTestOnlyOnWindows]
public void ImportFromXml_CreatesAppropriateDescriptor()
{
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
// Arrange
var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(
new CngCbcAuthenticatedEncryptorConfiguration()
Expand All @@ -28,14 +30,14 @@ public void ImportFromXml_CreatesAppropriateDescriptor()
HashAlgorithm = Constants.BCRYPT_SHA512_ALGORITHM,
HashAlgorithmProvider = null
},
"k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret());
masterKey.ToSecret());
var control = CreateEncryptorInstanceFromDescriptor(descriptor);

const string xml = @"
var xml = $@"
<descriptor version='1' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<encryption algorithm='AES' keyLength='192' />
<hash algorithm='SHA512' />
<masterKey enc:requiresEncryption='true'>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</masterKey>
<masterKey enc:requiresEncryption='true'>{masterKey}</masterKey>
</descriptor>";
var deserializedDescriptor = new CngCbcAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml));
var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as CngCbcAuthenticatedEncryptorDescriptor);
Expand Down
17 changes: 9 additions & 8 deletions ...AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.Text;
using Xunit;

namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
Expand All @@ -12,27 +13,27 @@ public class CngCbcAuthenticatedEncryptorDescriptorTests
public void ExportToXml_WithProviders_ProducesCorrectPayload()
{
// Arrange
var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = "enc-alg",
EncryptionAlgorithmKeySize = 2048,
EncryptionAlgorithmProvider = "enc-alg-prov",
HashAlgorithm = "hash-alg",
HashAlgorithmProvider = "hash-alg-prov"
}, masterKey);
}, masterKey.ToSecret());

// Act
var retVal = descriptor.ExportToXml();

// Assert
Assert.Equal(typeof(CngCbcAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
const string expectedXml = @"
var expectedXml = $@"
<descriptor>
<encryption algorithm='enc-alg' keyLength='2048' provider='enc-alg-prov' />
<hash algorithm='hash-alg' provider='hash-alg-prov' />
<masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
<value>{masterKey}</value>
</masterKey>
</descriptor>";
XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);
Expand All @@ -42,25 +43,25 @@ public void ExportToXml_WithProviders_ProducesCorrectPayload()
public void ExportToXml_WithoutProviders_ProducesCorrectPayload()
{
// Arrange
var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = "enc-alg",
EncryptionAlgorithmKeySize = 2048,
HashAlgorithm = "hash-alg"
}, masterKey);
}, masterKey.ToSecret());

// Act
var retVal = descriptor.ExportToXml();

// Assert
Assert.Equal(typeof(CngCbcAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
const string expectedXml = @"
var expectedXml = $@"
<descriptor>
<encryption algorithm='enc-alg' keyLength='2048' />
<hash algorithm='hash-alg' />
<masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
<value>{masterKey}</value>
</masterKey>
</descriptor>";
XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);
Expand Down
8 changes: 5 additions & 3 deletions ...dEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.Text;
using System.Xml.Linq;
using Microsoft.AspNetCore.Cryptography;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
Expand All @@ -19,20 +20,21 @@ public class CngGcmAuthenticatedEncryptorDescriptorDeserializerTests
public void ImportFromXml_CreatesAppropriateDescriptor()
{
// Arrange
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(
new CngGcmAuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = Constants.BCRYPT_AES_ALGORITHM,
EncryptionAlgorithmKeySize = 192,
EncryptionAlgorithmProvider = null
},
"k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret());
masterKey.ToSecret());
var control = CreateEncryptorInstanceFromDescriptor(descriptor);

const string xml = @"
var xml = $@"
<descriptor version='1' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<encryption algorithm='AES' keyLength='192' />
<masterKey enc:requiresEncryption='true'>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</masterKey>
<masterKey enc:requiresEncryption='true'>{masterKey}</masterKey>
</descriptor>";
var deserializedDescriptor = new CngGcmAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml));
var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as CngGcmAuthenticatedEncryptorDescriptor);
Expand Down
17 changes: 9 additions & 8 deletions ...AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.Text;
using Xunit;

namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel
Expand All @@ -12,24 +13,24 @@ public class CngGcmAuthenticatedEncryptorDescriptorTests
public void ExportToXml_WithProviders_ProducesCorrectPayload()
{
// Arrange
var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = "enc-alg",
EncryptionAlgorithmKeySize = 2048,
EncryptionAlgorithmProvider = "enc-alg-prov"
}, masterKey);
}, masterKey.ToSecret());

// Act
var retVal = descriptor.ExportToXml();

// Assert
Assert.Equal(typeof(CngGcmAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
const string expectedXml = @"
var expectedXml = $@"
<descriptor>
<encryption algorithm='enc-alg' keyLength='2048' provider='enc-alg-prov' />
<masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
<value>{masterKey}</value>
</masterKey>
</descriptor>";
XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);
Expand All @@ -39,23 +40,23 @@ public void ExportToXml_WithProviders_ProducesCorrectPayload()
public void ExportToXml_WithoutProviders_ProducesCorrectPayload()
{
// Arrange
var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret();
var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]"));
var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptorConfiguration()
{
EncryptionAlgorithm = "enc-alg",
EncryptionAlgorithmKeySize = 2048
}, masterKey);
}, masterKey.ToSecret());

// Act
var retVal = descriptor.ExportToXml();

// Assert
Assert.Equal(typeof(CngGcmAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType);
const string expectedXml = @"
var expectedXml = $@"
<descriptor>
<encryption algorithm='enc-alg' keyLength='2048' />
<masterKey enc:requiresEncryption='true' xmlns:enc='http://schemas.asp.net/2015/03/dataProtection'>
<value>k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==</value>
<value>{masterKey}</value>
</masterKey>
</descriptor>";
XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement);
Expand Down
Loading