@runsec/mcp 1.0.35 → 1.0.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83) hide show
  1. package/dist/data/.rag-cache.json +1 -0
  2. package/dist/data/skills/_exploit_overrides.json +16 -0
  3. package/dist/data/skills/advanced-agent-cloud/index.md +94 -0
  4. package/dist/data/skills/advanced-agent-cloud/patterns.md +46 -0
  5. package/dist/data/skills/advanced-agent-cloud/skill.json +38 -0
  6. package/dist/data/skills/app-logic/index.md +69 -0
  7. package/dist/data/skills/app-logic/patterns.md +23 -0
  8. package/dist/data/skills/app-logic/skill.json +24 -0
  9. package/dist/data/skills/auth-keycloak/index.md +69 -0
  10. package/dist/data/skills/auth-keycloak/patterns.md +46 -0
  11. package/dist/data/skills/auth-keycloak/skill.json +51 -0
  12. package/dist/data/skills/browser-agent/index.md +58 -0
  13. package/dist/data/skills/browser-agent/patterns.md +15 -0
  14. package/dist/data/skills/browser-agent/skill.json +24 -0
  15. package/dist/data/skills/cloud-secrets/index.md +66 -0
  16. package/dist/data/skills/cloud-secrets/patterns.md +19 -0
  17. package/dist/data/skills/cloud-secrets/skill.json +28 -0
  18. package/dist/data/skills/csharp-dotnet/index.md +103 -0
  19. package/dist/data/skills/csharp-dotnet/patterns.md +270 -0
  20. package/dist/data/skills/csharp-dotnet/skill.json +27 -0
  21. package/dist/data/skills/desktop-vsto-suite/index.md +202 -0
  22. package/dist/data/skills/desktop-vsto-suite/patterns.md +154 -0
  23. package/dist/data/skills/desktop-vsto-suite/skill.json +26 -0
  24. package/dist/data/skills/devops-security/index.md +64 -0
  25. package/dist/data/skills/devops-security/patterns.md +23 -0
  26. package/dist/data/skills/devops-security/skill.json +42 -0
  27. package/dist/data/skills/domain-access-management/index.md +123 -0
  28. package/dist/data/skills/domain-access-management/patterns.md +58 -0
  29. package/dist/data/skills/domain-access-management/skill.json +36 -0
  30. package/dist/data/skills/domain-data-privacy/index.md +98 -0
  31. package/dist/data/skills/domain-data-privacy/patterns.md +48 -0
  32. package/dist/data/skills/domain-data-privacy/skill.json +36 -0
  33. package/dist/data/skills/domain-input-validation/index.md +210 -0
  34. package/dist/data/skills/domain-input-validation/patterns.md +158 -0
  35. package/dist/data/skills/domain-input-validation/skill.json +24 -0
  36. package/dist/data/skills/domain-platform-hardening/index.md +169 -0
  37. package/dist/data/skills/domain-platform-hardening/patterns.md +96 -0
  38. package/dist/data/skills/domain-platform-hardening/skill.json +27 -0
  39. package/dist/data/skills/ds-ml-security/patterns.md +137 -0
  40. package/dist/data/skills/fastapi-async/index.md +83 -0
  41. package/dist/data/skills/fastapi-async/patterns.md +329 -0
  42. package/dist/data/skills/fastapi-async/skill.json +32 -0
  43. package/dist/data/skills/frontend-react/index.md +26 -0
  44. package/dist/data/skills/frontend-react/patterns.md +226 -0
  45. package/dist/data/skills/frontend-react/skill.json +24 -0
  46. package/dist/data/skills/go-core/index.md +86 -0
  47. package/dist/data/skills/go-core/patterns.md +272 -0
  48. package/dist/data/skills/go-core/skill.json +22 -0
  49. package/dist/data/skills/hft-cpp-security/patterns.md +37 -0
  50. package/dist/data/skills/index.md +73 -0
  51. package/dist/data/skills/infra-k8s-helm/index.md +138 -0
  52. package/dist/data/skills/infra-k8s-helm/patterns.md +279 -0
  53. package/dist/data/skills/infra-k8s-helm/skill.json +41 -0
  54. package/dist/data/skills/integration-security/index.md +73 -0
  55. package/dist/data/skills/integration-security/patterns.md +132 -0
  56. package/dist/data/skills/integration-security/skill.json +30 -0
  57. package/dist/data/skills/java-enterprise/index.md +31 -0
  58. package/dist/data/skills/java-enterprise/patterns.md +816 -0
  59. package/dist/data/skills/java-enterprise/skill.json +26 -0
  60. package/dist/data/skills/java-spring/index.md +65 -0
  61. package/dist/data/skills/java-spring/patterns.md +22 -0
  62. package/dist/data/skills/java-spring/skill.json +23 -0
  63. package/dist/data/skills/license-compliance/index.md +58 -0
  64. package/dist/data/skills/license-compliance/patterns.md +12 -0
  65. package/dist/data/skills/license-compliance/skill.json +28 -0
  66. package/dist/data/skills/mobile-security/patterns.md +42 -0
  67. package/dist/data/skills/nodejs-nestjs/index.md +71 -0
  68. package/dist/data/skills/nodejs-nestjs/patterns.md +288 -0
  69. package/dist/data/skills/nodejs-nestjs/skill.json +24 -0
  70. package/dist/data/skills/observability/index.md +68 -0
  71. package/dist/data/skills/observability/patterns.md +22 -0
  72. package/dist/data/skills/observability/skill.json +26 -0
  73. package/dist/data/skills/php-security/patterns.md +202 -0
  74. package/dist/data/skills/ru-regulatory/index.md +72 -0
  75. package/dist/data/skills/ru-regulatory/patterns.md +28 -0
  76. package/dist/data/skills/ru-regulatory/skill.json +53 -0
  77. package/dist/data/skills/ruby-rails/index.md +65 -0
  78. package/dist/data/skills/ruby-rails/patterns.md +172 -0
  79. package/dist/data/skills/ruby-rails/skill.json +24 -0
  80. package/dist/data/skills/rust-security/patterns.md +152 -0
  81. package/dist/data/trufflehog-config.yaml +407 -0
  82. package/dist/index.js +3766 -372
  83. package/package.json +1 -1
package/dist/data/skills/csharp-dotnet/patterns.md ADDED
@@ -0,0 +1,270 @@
1
+ | ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник fix_template | Exploit scenario |
2
+ |---|---|---|---|---|---|---|
3
+ | CSH-001 | C# Code Injection: `CSharpScript.EvaluateAsync` на пользовательском вводе | `var expr = request.Query["expr"];`<br>`...`<br>`var result = await CSharpScript.EvaluateAsync(expr);` | `var expr = request.Query["expr"];`<br>`if (!Regex.IsMatch(expr, "^[0-9+\\-*/(). ]{1,64}$")) throw new Exception("invalid");`<br>`...`<br>`var result = SafeMath.Eval(expr);` | .NET/C# | `CWE-94` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-001 c injection csharpscript evaluateasync на пользовательском вводе var expr request query result await if regex ismatch 0 9 1 64 -->
4
+ | CSH-002 | Command Injection: `Process.Start` со строкой аргументов | `var host = request.Query["host"];`<br>`...`<br>`Process.Start("cmd.exe", "/c ping " + host);` | `var host = request.Query["host"];`<br>`if (!Regex.IsMatch(host, "^[a-zA-Z0-9.-]{1,255}$")) throw new Exception("invalid");`<br>`...`<br>`Process.Start(new ProcessStartInfo { FileName = "ping", ArgumentList = { host }, UseShellExecute = false });` | .NET/C# | `CWE-78` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-002 command injection process start со строкой аргументов var host request query cmd exe c ping if regex ismatch a za -->
5
+ | CSH-003 | Shell Execute Injection: `UseShellExecute=true` с пользовательским вводом | `var cmd = request.Query["cmd"];`<br>`...`<br>`Process.Start(new ProcessStartInfo("bash", "-c " + cmd) { UseShellExecute = true });` | `var action = request.Query["action"];`<br>`var allowed = new Dictionary<string,string[]> { ["uptime"] = new[] { "uptime" } };`<br>`...`<br>`Process.Start(new ProcessStartInfo { FileName = allowed[action][0], UseShellExecute = false });` | .NET/C# | `CWE-77` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-003 shell execute injection useshellexecute true с пользовательским вводом var cmd request query process start new processstartinfo bash c action allowed -->
6
+ | CSH-004 | Unsafe Reflection: `Type.GetType` из user input | `var typeName = request.Query["type"];`<br>`...`<br>`var t = Type.GetType(typeName);` | `var key = request.Query["handler"];`<br>`var allowed = new Dictionary<string, Type> { ["health"] = typeof(HealthHandler) };`<br>`...`<br>`var t = allowed[key];` | .NET/C# | `CWE-470` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-004 unsafe reflection type gettype из user input var typename request query t key handler allowed new dictionary string health typeof -->
7
+ | CSH-005 | Dynamic Invoke Injection: `GetMethod(...).Invoke` без allowlist | `var method = request.Query["method"];`<br>`...`<br>`target.GetType().GetMethod(method).Invoke(target, null);` | `var method = request.Query["method"];`<br>`if (!new[] { "Health", "Status" }.Contains(method)) throw new Exception("blocked");`<br>`...`<br>`target.GetType().GetMethod(method).Invoke(target, null);` | .NET/C# | `CWE-74` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-005 dynamic invoke injection getmethod без allowlist var method request query target gettype null if new health status contains throw exception -->
8
+ | CSH-006 | SQL Fragment Injection в `ORDER BY` | `var order = request.Query["order"];`<br>`...`<br>`var sql = $"SELECT * FROM users ORDER BY {order}";` | `var order = request.Query["order"];`<br>`if (!new[] { "name", "created_at" }.Contains(order)) order = "name";`<br>`...`<br>`var sql = $"SELECT * FROM users ORDER BY {order}";` | .NET/C# | `CWE-74` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий контролирует ORDER BY через query string; подставляет выражение, ведущее к утечке данных или обходу логики (CWE-89). | <!-- semantic_anchor: csh-006 sql fragment injection в order by var request query select from users if new name created at contains -->
9
+ | CSH-007 | Roslyn Compilation of Untrusted Code | `var code = request.Form["code"];`<br>`...`<br>`CompileAndRun(code);` | `var code = request.Form["code"];`<br>`throw new SecurityException("runtime compilation disabled");` | .NET/C# | `CWE-94` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-007 roslyn compilation of untrusted var request form compileandrun throw new securityexception runtime disabled -->
10
+ | CSH-008 | JavaScript Engine Injection (Jint/ClearScript) | `var js = request.Form["script"];`<br>`...`<br>`engine.Execute(js);` | `var cmd = request.Form["cmd"];`<br>`if (!new[] { "normalize" }.Contains(cmd)) throw new SecurityException();`<br>`...`<br>`engine.Invoke("normalize", value);` | .NET/C# | `CWE-95` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-008 javascript engine injection jint clearscript var js request form script execute cmd if new normalize contains throw securityexception invoke value -->
11
+ | CSH-009 | Небезопасная десериализация | `...`<br>`var obj = formatter.Deserialize(stream);`<br>`...`<br>`JsonConvert.DeserializeObject(json, new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All })` | `...`<br>`JsonSerializer.Deserialize<T>(json);`<br>`...`<br>`new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None }` | .NET/C# | `CWE-502` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-009 небезопасная десериализация var obj formatter deserialize stream jsonconvert deserializeobject json new jsonserializersettings typenamehandling all jsonserializer t none -->
12
+ | CSH-010 | XXE Injection | `var doc = new XmlDocument();`<br>`...`<br>`doc.XmlResolver = new XmlUrlResolver();`<br>`doc.Load(reader);` | `var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibited };`<br>`...`<br>`var reader = XmlReader.Create(stream, settings);` | .NET/C# | `CWE-611` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий подсовывает XML с внешней сущностью/DTD; при включённом XmlResolver читает файлы или достаёт секреты (CWE-611 XXE). | <!-- semantic_anchor: csh-010 xxe injection var doc new xmldocument xmlresolver xmlurlresolver load reader settings xmlreadersettings dtdprocessing prohibited xmlreader create stream -->
13
+ | CSH-011 | Insecure Cookie Flags | `var opts = new CookieOptions { Path = "/" };`<br>`...`<br>`Response.Cookies.Append("session", token, opts);` | `var opts = new CookieOptions { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Strict };`<br>`...`<br>`Response.Cookies.Append("session", token, opts);` | .NET/C# | `CWE-614` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-011 insecure cookie flags var opts new cookieoptions path response cookies append session token httponly true secure samesite samesitemode strict -->
14
+ | CSH-012 | Hardcoded Secrets | `var defaultConnection = "Server=db;User=sa;Password=SuperSecret123";`<br>`...`<br>`var apiKey = "prod-api-key-12345";` | `var defaultConnection = builder.Configuration["ConnectionStrings:Default"] ?? throw new InvalidOperationException();`<br>`...`<br>`var apiKey = Environment.GetEnvironmentVariable("API_KEY") ?? throw new InvalidOperationException();` | .NET/C# | `CWE-798` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-012 hardcoded secrets var defaultconnection server db user sa password supersecret123 apikey prod api key 12345 builder configuration connectionstrings default throw -->
15
+ | CSH-013 | Weak Crypto | `...`<br>`using (var md5 = MD5.Create())`<br>`...`<br>`using (var sha1 = SHA1.Create())` | `...`<br>`using (var sha512 = SHA512.Create())`<br>`...`<br>`Argon2id.HashPassword(password, salt)` | .NET/C# | `CWE-327` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-013 weak crypto using var md5 create sha1 sha512 argon2id hashpassword password salt -->
16
+ | CSH-014 | Open Redirect | `var url = Request.Query["redirect"];`<br>`...`<br>`return Redirect(url);` | `var url = Request.Query["redirect"];`<br>`if (!Url.IsLocalUrl(url)) throw new Exception("blocked");`<br>`...`<br>`return LocalRedirect(url);` | .NET/C# | `CWE-601` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-014 open redirect var url request query return if islocalurl throw new exception blocked localredirect -->
17
+ | CSH-015 | Certificate Validation Bypass | `var handler = new HttpClientHandler();`<br>`...`<br>`handler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => true;` | `var handler = new HttpClientHandler();`<br>`...`<br>`handler.ServerCertificateCustomValidationCallback = ValidateServerCertificate;` | .NET/C# | `CWE-295` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-015 certificate validation bypass var handler new httpclienthandler servercertificatecustomvalidationcallback sender cert chain sslpolicyerrors true validateservercertificate -->
18
+ | CSH-016 | Weak Password Hashing | `...`<br>`var bytes = Encoding.UTF8.GetBytes(password);`<br>`...`<br>`SHA256.Create().ComputeHash(bytes)` | `...`<br>`BCrypt.Net.BCrypt.HashPassword(password)`<br>`...`<br>`Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA512, 32)` | .NET/C# | `CWE-916` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-016 weak password hashing var bytes encoding utf8 getbytes sha256 create computehash bcrypt net hashpassword rfc2898derivebytes pbkdf2 salt iterations hashalgorithmname sha512 -->
19
+ | CSH-017 | Office HTML Injection в Outlook/Excel формулы | `mailItem.HTMLBody = userHtml;`<br>`worksheet.Cells[row, col].Formula = "=" + userInput;` | Санитизировать HTML и экранировать Excel formula input (префикс `'`), применять allowlist шаблонов контента. | .NET/C# | Office Add-in Security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-017 office html injection outlook htmlbody excel formula -->
20
+ | CSH-018 | VSTO macro-equivalent command execution | `Globals.ThisAddIn.Application.Run(userMacro)` | Запретить запуск макросов/команд из пользовательского ввода, использовать allowlist команд и подписи. | .NET/C# | VSTO hardening | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-018 vsto application run user macro command -->
21
+ | CSH-019 | Banned BinaryFormatter Deserialize | `new BinaryFormatter().Deserialize(stream)` | Полностью исключить `BinaryFormatter`, использовать безопасные сериализаторы и типизированные DTO. | .NET/C# | .NET BinaryFormatter ban | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-019 binaryformatter deserialize banned rce -->
22
+ | CSH-020 | Insecure DataSet.ReadXml from untrusted input | `dataSet.ReadXml(userStream)` | Валидировать XML schema, отключить DTD/XXE и использовать безопасный parser pipeline. | .NET/C# | CWE-611 / XML hardening | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-020 dataset readxml untrusted xml -->
23
+ | CSH-021 | Unsafe P/Invoke marshaling | `[DllImport("user32.dll")] static extern int MessageBox(string text);` | Указывать `BestFitMapping=false`, `CharSet.Unicode`, проверять границы строковых параметров и pinvoke allowlist. | .NET/C# | Interop security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-021 dllimport bestfitmapping false marshaling string -->
24
+ | CSH-022 | Insecure Assembly.Load from path/user input | `Assembly.LoadFrom(pathFromRequest)` | Загружать только подписанные/доверенные assembly из allowlist директорий с проверкой strong name. | .NET/C# | CWE-114 | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-022 assembly loadfrom user path signed assembly -->
25
+ | CSH-023 | ASP.NET Mass Assignment (Entity binding) | `public IActionResult Update(UserEntity entity)` | Принимать DTO/ViewModel, whitelist полей и map вручную в entity. | .NET/C# | OWASP Mass Assignment | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-023 aspnet mass assignment entity model binding -->
26
+ | CSH-024 | Unsafe AutoMapper profile exposing privileged fields | `CreateMap<UserDto, UserEntity>();` | Явно ignore privileged fields (`IsAdmin`, `Role`, `Balance`) и использовать explicit mapping policy. | .NET/C# | Object mapping security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-024 automapper privileged fields ignore -->
27
+ | CSH-025 | JWT validation gaps in .NET auth | `ValidateIssuer = false; ValidateAudience = false;` | Включить `ValidateIssuer=true`, `ValidateAudience=true`, настроить valid issuers/audiences и lifetime checks. | .NET/C# | JWT BCP / ASP.NET Auth | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-025 jwt validateissuer validateaudience false dotnet -->
28
+ | CSH-026 | OAuth redirect URI not validated | `context.Response.Redirect(returnUrl)` | Использовать strict allowlist redirect URI и local-url checks. | .NET/C# | OAuth redirect security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-026 oauth redirect uri validation dotnet -->
29
+ | CSH-027 | Insecure file upload without extension/content checks | `var path = Path.Combine(uploadDir, file.FileName);` | Проверять extension + MIME + magic bytes, сохранять вне webroot и randomize file name. | .NET/C# | OWASP File Upload | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-027 aspnet file upload extension mime magic bytes -->
30
+ | CSH-028 | Path traversal in static file/document download | `return PhysicalFile(basePath + name, ...)` | Нормализовать путь, проверять boundary и deny traversal sequences. | .NET/C# | CWE-22 | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-028 physicalfile path traversal -->
31
+ | CSH-029 | Missing anti-forgery on state-changing MVC actions | `[HttpPost]` | Включить `ValidateAntiForgeryToken` и CSRF middleware для cookie-auth flows. | .NET/C# | OWASP CSRF | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-029 antiforgery token missing mvc -->
32
+ | CSH-030 | Insecure session config in .NET 4.8 | `var opts = new CookieOptions { Secure = false, HttpOnly = false };`<br>`...`<br>`Response.Cookies.Append("session", token, opts);` | Включить secure/httpOnly/sameSite и idle timeout policy. | .NET/C# | Session management | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-030 dotnet48 session cookie secure httponly -->
33
+ | CSH-031 | Json.NET TypeNameHandling unsafe mode | `TypeNameHandling.Auto/All` | Использовать `TypeNameHandling.None`, custom binder allowlist и DTO-only deserialization. | .NET/C# | Json.NET hardening | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-031 json net typenamehandling all auto -->
34
+ | CSH-032 | ASP.NET request validation disabled | `validateRequest="false"` | Не отключать request validation; использовать safe HTML sanitizer pipeline. | .NET/C# | ASP.NET config security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-032 validateRequest false web config -->
35
+ | CSH-033 | Weak TLS protocol negotiation | `SecurityProtocol = SecurityProtocolType.Ssl3 | Tls` | .NET/C# | TLS hardening | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-033 securityprotocol ssl3 tls weak -->
36
+ | CSH-034 | Insecure random via System.Random for secrets | `var token = new Random().Next();` | Использовать `RandomNumberGenerator.GetBytes` для security values. | .NET/C# | CWE-338 | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-034 system random token insecure -->
37
+ | CSH-035 | Sensitive data in logs/debug output | `logger.LogInformation("pwd={pwd}", pwd)` | Маскировать/редактировать чувствительные поля и запретить plaintext credentials в логах. | .NET/C# | OWASP Logging | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-035 sensitive log password token csharp -->
38
+ | CSH-036 | LDAP injection via unescaped filter | `"(uid=" + user + ")"` | Экранировать LDAP filter chars и использовать parameterized/escaped filter builders. | .NET/C# | CWE-90 | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-036 ldap injection filter escape -->
39
+ | CSH-037 | Regex DoS in server validation | `new Regex("(a+)+$")` | Ограничивать input length, timeout regex engine и избегать catastrophic patterns. | .NET/C# | ReDoS defense | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий подаёт вход, провоцирующий катастрофический backtracking regex; возможен ReDoS (обычно не прямой RCE). | <!-- semantic_anchor: csh-037 regex dos catastrophic timeout csharp -->
40
+ | CSH-038 | XML signature validation bypass | `signedXml.CheckSignature()` | Проверять подпись, certificate chain, reference URI и canonicalization constraints. | .NET/C# | XMLDSIG security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-038 xml signature validation bypass -->
41
+ | CSH-039 | gRPC auth metadata not validated | `var role = context.RequestHeaders.GetValue("role");` | Проверять JWT/claims server-side и не доверять client-provided role headers. | .NET/C# | gRPC security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-039 grpc metadata role trust -->
42
+ | CSH-040 | GraphQL over-posting of sensitive fields | `Field("ssn").Resolve(ctx => ctx.Source.InternalSsn)` | Ограничивать schema, field-level authz и query depth/complexity limits. | .NET/C# | GraphQL security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-040 graphql field authz depth complexity -->
43
+ | CSH-041 | Entity Framework FromSqlRaw injection | `FromSqlRaw($"...{id}...")` | Использовать `FromSqlInterpolated`/parameters и запрет raw concat. | .NET/C# | EF Core SQLi | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-041 fromsqlraw interpolation injection -->
44
+ | CSH-042 | Open telemetry export without data scrubbing | `activity.SetTag("user.password", password);` | Включать scrubbing policy и denylist sensitive attributes before export. | .NET/C# | Observability security | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-042 telemetry pii secret scrubbing -->
45
+ | CSH-043 | WebClient legacy insecure usage | `new WebClient().DownloadString(url)` | Переходить на `HttpClient` с timeout/TLS validation/policies. | .NET/C# | .NET networking hardening | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-043 webclient insecure legacy -->
46
+ | CSH-044 | Hardcoded service account credentials | `var svcPass = "hardcoded-service-secret";` | Использовать managed identity/secret manager и ротацию учетных данных. | .NET/C# | CWE-798 | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-044 hardcoded service account credentials -->
47
+ | CSH-045 | Missing object-level authorization in API | `return await _repo.GetByIdAsync(id);` | Проверять владение/доступ per object before returning/modifying entity. | .NET/C# | OWASP API1 BOLA | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-045 object level authorization idor csharp -->
48
+ | CSH-046 | Unsafe cleanup deletion with user-supplied path | `File.Delete(userPath)` | Нормализовать path, проверять allowed directory и deny traversal before deletion. | .NET/C# | CWE-73 | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-046 file delete user path unsafe cleanup -->
49
+ | CSH-047 | VSTO/.NET 4.8 unsafe `BinaryFormatter.Deserialize` usage | `new BinaryFormatter().Deserialize(stream)` | Полностью исключить `BinaryFormatter`, заменить на безопасные сериализаторы (System.Text.Json/DataContract) и strict type allowlist. | .NET/C# VSTO | CWE Final Certification | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-047 vsto dotnet 4.8 binaryformatter deserialize unsafe -->
50
+ | CSH-048 | Dynamic assembly loading from network paths (UNC/URL) | `Assembly.LoadFrom(userPath)` | Запретить загрузку сборок из сетевых/пользовательских путей, использовать подписанные локальные сборки и verification policy перед загрузкой. | .NET/C# VSTO | CWE Final Certification | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-048 dynamic assembly load from network paths unc url -->
51
+ | CSH-049 | SSRF C#: `HttpClient` к AWS metadata IP (CWE-918) | `await _http.GetStringAsync("http://169.254.169.254/latest/meta-data/")` | Egress `DelegatingHandler` с denylist metadata CIDR до отправки. | .NET/C# | `CWE-918` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-049 httpclient getstringasync 169 254 latest meta data guardian -->
52
+ | CSH-050 | SSRF C#: `WebRequest` к GCP metadata host (CWE-918) | `WebRequest.CreateHttp("http://metadata.google.internal/computeMetadata/v1/")` | Блокировать metadata hostnames; только allowlist URI. | .NET/C# | `CWE-918` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-050 webrequest createhttp metadata google internal guardian -->
53
+ | CSH-051 | SSRF C#: `RestSharp` к link-local metadata (CWE-918) | `new RestClient("http://169.254.169.254").Execute(new RestRequest("/latest/meta-data/"))` | Pre-request guard на `BaseUrl` и resolved IP. | .NET/C# | `CWE-918` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-051 restsharp restclient 169 254 latest meta data guardian -->
54
+ | CSH-052 | SSRF C#: `SocketsHttpHandler` без фильтра IMDS (CWE-918) | `await client.GetStringAsync("http://169.254.169.254/metadata/instance")` | Запретить IMDS из приложения; использовать Azure SDK с MSI. | .NET/C# | `CWE-918` | Use using/try-finally and safe .NET APIs; enforce strict allowlists for untrusted input. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-052 socketshttphandler getstringasync 169 254 metadata instance guardian -->
55
+ | CSH-053 | Paladin: non-constant-time compare for password/token hash (CWE-613) | `return storedHash == computedHash;` | `CryptographicOperations.FixedTimeEquals(storedHash, computedHash)` (или `Rfc2898DeriveBytes` verify с fixed-time сравнением байт). | .NET/C# | `CWE-613` | Replace `==` on secrets with `CryptographicOperations.FixedTimeEquals` or verified KDF APIs only. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-053 paladin constant time hash compare authrepository -->
56
+ | CSH-054 | Paladin: JWT `ValidateLifetime` disabled | `ValidateLifetime = false` | `ValidateLifetime = true` + `ClockSkew` policy согласована с IdP. | .NET/C# | `CWE-924` | Enable lifetime validation and align clock skew with token issuer SLA. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-054 paladin jwt validatelifetime false -->
57
+ | CSH-055 | Paladin: JWT `ClockSkew` zeroed (clock tolerance removed) | `ClockSkew = TimeSpan.Zero` | Задать ненулевой `ClockSkew` (например 1–5 мин) для устойчивости к дрейфу часов. | .NET/C# | `CWE-613` | Avoid `TimeSpan.Zero` unless IdP mandates; document skew rationale. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-055 paladin jwt clockskew zero -->
58
+ | CSH-056 | Paladin: `Path.GetTempFileName()` без явных ACL (CWE-377) | `var tmp = Path.GetTempFileName();` | `FileStream` с `FileSystemRights`/`FileSecurity` или temp под контролируемым каталогом приложения. | .NET/C# | `CWE-377` | Create temp files under app-controlled dir with explicit ACL, not default shared temp. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-056 paladin gettempfilename acl -->
59
+ | CSH-057 | Paladin: `Process.Start` путь с пробелами без кавычек (CWE-428) | `Process.Start("C:\\Program Files\\Vendor\\tool.exe");` | `ProcessStartInfo` с `FileName`/`WorkingDirectory`, `UseShellExecute=false`, аргументы через `ArgumentList`. | .NET/C# | `CWE-428` | Always quote/structure paths with spaces; avoid single-string overloads for untrusted paths. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-057 paladin process start spaces path -->
60
+ | CSH-058 | Paladin: `Registry` ImagePath без кавычек при пробелах (CWE-428) | `Registry.SetValue(key, "ImagePath", "C:\\Program Files\\App\\svc.exe");` | Заключать путь в кавычки при пробелах; валидировать путь до записи. | .NET/C# | `CWE-428` | Quote service binary paths in registry; validate against allowlist. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: csh-058 paladin registry imagepath unquoted -->
61
+ | DNX-101 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
62
+ | DNX-102 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
63
+ | DNX-103 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
64
+ | DNX-104 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
65
+ | DNX-105 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
66
+ | DNX-106 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
67
+ | DNX-107 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
68
+ | DNX-108 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
69
+ | DNX-109 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
70
+ | DNX-110 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
71
+ | DNX-111 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
72
+ | DNX-112 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
73
+ | DNX-113 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
74
+ | DNX-114 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
75
+ | DNX-115 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
76
+ | DNX-116 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
77
+ | DNX-117 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
78
+ | DNX-118 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
79
+ | DNX-119 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
80
+ | DNX-120 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
81
+ | DNX-121 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
82
+ | DNX-122 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
83
+ | DNX-123 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
84
+ | DNX-124 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
85
+ | DNX-125 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
86
+ | DNX-126 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
87
+ | DNX-127 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
88
+ | DNX-128 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
89
+ | DNX-129 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
90
+ | DNX-130 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
91
+ | DNX-131 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
92
+ | DNX-132 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
93
+ | DNX-133 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
94
+ | DNX-134 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
95
+ | DNX-135 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
96
+ | DNX-136 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
97
+ | DNX-137 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
98
+ | DNX-138 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
99
+ | DNX-139 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
100
+ | DNX-140 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
101
+ | DNX-141 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
102
+ | DNX-142 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
103
+ | DNX-143 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
104
+ | DNX-144 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
105
+ | DNX-145 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
106
+ | DNX-146 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
107
+ | DNX-147 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
108
+ | DNX-148 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
109
+ | DNX-149 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
110
+ | DNX-150 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
111
+ | DNX-151 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
112
+ | DNX-152 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
113
+ | DNX-153 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
114
+ | DNX-154 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
115
+ | DNX-155 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
116
+ | DNX-156 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
117
+ | DNX-157 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
118
+ | DNX-158 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
119
+ | DNX-159 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
120
+ | DNX-160 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
121
+ | DNX-161 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
122
+ | DNX-162 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
123
+ | DNX-163 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
124
+ | DNX-164 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
125
+ | DNX-165 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
126
+ | DNX-166 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
127
+ | DNX-167 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
128
+ | DNX-168 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
129
+ | DNX-169 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
130
+ | DNX-170 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
131
+ | DNX-171 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
132
+ | DNX-172 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
133
+ | DNX-173 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
134
+ | DNX-174 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
135
+ | DNX-175 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
136
+ | DNX-176 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
137
+ | DNX-177 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
138
+ | DNX-178 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
139
+ | DNX-179 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
140
+ | DNX-180 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
141
+ | DNX-181 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
142
+ | DNX-182 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
143
+ | DNX-183 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
144
+ | DNX-184 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
145
+ | DNX-185 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
146
+ | DNX-186 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
147
+ | DNX-187 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
148
+ | DNX-188 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
149
+ | DNX-189 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
150
+ | DNX-190 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
151
+ | DNX-191 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
152
+ | DNX-192 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
153
+ | DNX-193 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
154
+ | DNX-194 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
155
+ | DNX-195 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
156
+ | DNX-196 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
157
+ | DNX-197 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
158
+ | DNX-198 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
159
+ | DNX-199 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
160
+ | DNX-200 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
161
+ | DNX-201 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
162
+ | DNX-202 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
163
+ | DNX-203 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
164
+ | DNX-204 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
165
+ | DNX-205 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
166
+ | DNX-206 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
167
+ | DNX-207 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
168
+ | DNX-208 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
169
+ | DNX-209 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
170
+ | DNX-210 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
171
+ | DNX-211 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
172
+ | DNX-212 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
173
+ | DNX-213 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
174
+ | DNX-214 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
175
+ | DNX-215 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
176
+ | DNX-216 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
177
+ | DNX-217 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
178
+ | DNX-218 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
179
+ | DNX-219 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
180
+ | DNX-220 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
181
+ | DNX-221 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
182
+ | DNX-222 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
183
+ | DNX-223 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
184
+ | DNX-224 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
185
+ | DNX-225 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
186
+ | DNX-226 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
187
+ | DNX-227 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
188
+ | DNX-228 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
189
+ | DNX-229 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
190
+ | DNX-230 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
191
+ | DNX-231 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
192
+ | DNX-232 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
193
+ | DNX-233 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
194
+ | DNX-234 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
195
+ | DNX-235 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
196
+ | DNX-236 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
197
+ | DNX-237 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
198
+ | DNX-238 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
199
+ | DNX-239 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
200
+ | DNX-240 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
201
+ | DNX-241 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
202
+ | DNX-242 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
203
+ | DNX-243 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
204
+ | DNX-244 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
205
+ | DNX-245 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
206
+ | DNX-246 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
207
+ | DNX-247 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
208
+ | DNX-248 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
209
+ | DNX-249 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
210
+ | DNX-250 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
211
+ | DNX-251 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
212
+ | DNX-252 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
213
+ | DNX-253 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
214
+ | DNX-254 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
215
+ | DNX-255 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
216
+ | DNX-256 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
217
+ | DNX-257 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
218
+ | DNX-258 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
219
+ | DNX-259 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
220
+ | DNX-260 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
221
+ | DNX-261 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
222
+ | DNX-262 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
223
+ | DNX-263 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
224
+ | DNX-264 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
225
+ | DNX-265 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
226
+ | DNX-266 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
227
+ | DNX-267 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
228
+ | DNX-268 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
229
+ | DNX-269 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
230
+ | DNX-270 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
231
+ | DNX-271 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
232
+ | DNX-272 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
233
+ | DNX-273 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
234
+ | DNX-274 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
235
+ | DNX-275 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
236
+ | DNX-276 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
237
+ | DNX-277 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
238
+ | DNX-278 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
239
+ | DNX-279 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
240
+ | DNX-280 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
241
+ | DNX-281 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
242
+ | DNX-282 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
243
+ | DNX-283 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
244
+ | DNX-284 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
245
+ | DNX-285 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
246
+ | DNX-286 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
247
+ | DNX-287 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
248
+ | DNX-288 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
249
+ | DNX-289 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
250
+ | DNX-290 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
251
+ | DNX-291 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
252
+ | DNX-292 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
253
+ | DNX-293 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
254
+ | DNX-294 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
255
+ | DNX-295 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
256
+ | DNX-296 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
257
+ | DNX-297 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
258
+ | DNX-298 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
259
+ | DNX-299 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
260
+ | DNX-300 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
261
+ | DNX-301 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
262
+ | DNX-302 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
263
+ | DNX-303 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
264
+ | DNX-304 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
265
+ | DNX-305 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
266
+ | DNX-306 | ASP.NET Core BOLA on resource id route (Logic: strong) | `return _db.Orders.First(o => o.Id == id);` | `return _db.Orders.First(o => o.Id == id && o.OwnerId == userId);` | .NET/C# | CWE-639 | Autofix: enforce owner-scoped query predicates for object retrieval. | Object IDs are enumerable and expose cross-tenant records. |
267
+ | DNX-307 | Entity Framework SQL injection in raw query | `_db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Name = {name}")` | `_db.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Name = {name}")` | .NET/C# | CWE-89 | Autofix: replace raw concatenation with interpolated parameterized APIs. | Raw SQL construction enables arbitrary SQL fragments. |
268
+ | DNX-308 | BinaryFormatter deserialization of untrusted stream | `var obj = new BinaryFormatter().Deserialize(stream);` | `var dto = JsonSerializer.Deserialize<SafeDto>(json);` | .NET/C# | CWE-502 | Autofix: remove BinaryFormatter and migrate to typed safe serializer. | Deserialization gadgets can trigger remote code execution. |
269
+ | DNX-309 | ASP.NET Core mass assignment with broad model binding | `public IActionResult Patch(UserEntity entity) => Ok(_svc.Save(entity));` | `public IActionResult Patch(UserPatchDto dto) => Ok(_svc.Save(MapAllowed(dto)));` | .NET/C# | CWE-915 | Autofix: replace entity binding with DTO allowlist mapping. | Model binder can set protected privilege and billing fields. |
270
+ | DNX-310 | Missing lock around shared cache mutation (CWE-662) | `_cache[key] = value;` | `lock(_cacheLock){ _cache[key] = value; }` | .NET/C# | CWE-662 | Autofix: guard shared mutable cache writes with synchronization lock. | Concurrent mutation causes state races and authorization bypass windows. |
package/dist/data/skills/csharp-dotnet/skill.json ADDED
@@ -0,0 +1,27 @@
1
+ {
2
+ "skill_id": "csharp-dotnet",
3
+ "name": "C# / .NET Security",
4
+ "activation_triggers": [
5
+ "csh-aspnet-cookie",
6
+ "csh-dotnet-config",
7
+ "csh-binaryformatter",
8
+ "csh-xxe-xmldocument",
9
+ "csh-process-start",
10
+ "csh-vsto-security",
11
+ "csh-binaryformatter-rce",
12
+ "csh-mass-assignment"
13
+ ],
14
+ "relevant_extensions": [
15
+ ".cs",
16
+ ".csproj",
17
+ ".config"
18
+ ],
19
+ "tools": [
20
+ "semgrep",
21
+ "syft",
22
+ "trufflehog"
23
+ ],
24
+ "rules_path": "core/skills/csharp-dotnet/patterns.md",
25
+ "few_shot_examples": "core/gold-standard-testbed/multi_lang_vulnerable/csharp_vulnerable.cs",
26
+ "security_priority": 5
27
+ }