Access Control: Database Fortify Scan

  • Question

  • User689330941 posted

    Hi All, 

    Did the Fortify Scan and got the Access Control: Database category for the below source. The bold statement was flagged. May I know how do I rectify this?

    // Generic repository constructor; the Set<T>() line is the one Fortify flagged.
    public Repository(MemberPointsEntities entities)
    {
        this.entities = entities;
        this.databaseSet = entities.Set<T>();
    }

    Thank you.

    Tuesday, August 20, 2019 6:41 AM

All replies

  • User-821857111 posted

    The bold statement was flagged out.
    What does that mean? Do you get some kind of warning? Error? If so, what is it?

    Tuesday, August 20, 2019 6:51 AM
  • User689330941 posted

    Meaning that this "this.databaseSet = entities.Set<T>();" from my program is being flagged for this Fortify category: Access Control: Database, for which the recommendation was:

    Rather than relying on the presentation layer to restrict values submitted by the user, access control should
    be handled by the application and database layers. Under no circumstances should a user be allowed to
    retrieve or modify a row in the database without the appropriate permissions. Every query that accesses
    the database should enforce this policy, which can often be accomplished by simply including the current
    authenticated username as part of the query.

    I am not sure how to change so that it won't be flagged out in the next scan. 

    Tuesday, August 20, 2019 7:10 AM
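One way to act on the recommendation quoted above is to make the repository itself the chokepoint that narrows every read and write to the authenticated user's rows, so no caller can reach the raw `Set<T>()`. The following is an added example, not the poster's code and not a Fortify-supplied fix. It assumes that the entity types carry an owner column (`OwnerUserName`, a hypothetical name) and that a delegate supplies the current user's name (in ASP.NET that would wrap `HttpContext.User.Identity.Name`); an in-memory `IQueryable<T>` stands in for the EF `DbSet<T>` so the example runs offline, but the same `Where` clause translates to SQL when the source is `entities.Set<T>()`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Every access-controlled row type exposes its owner.
// Assumption: the real entities have such a column; the post shows no entity definition.
public interface IOwnedRow
{
    string OwnerUserName { get; }
}

// Supplies the currently authenticated user name. In ASP.NET this would read
// HttpContext.User.Identity.Name; a delegate keeps the example self-contained.
public delegate string CurrentUserProvider();

public class ScopedRepository<T> where T : class, IOwnedRow
{
    private readonly IQueryable<T> source;           // stands in for entities.Set<T>()
    private readonly CurrentUserProvider currentUser;

    public ScopedRepository(IQueryable<T> source, CurrentUserProvider currentUser)
    {
        this.source = source;
        this.currentUser = currentUser;
    }

    // Single chokepoint: every query is narrowed to the authenticated user's rows,
    // and an unauthenticated caller gets no query at all.
    private IQueryable<T> Scoped()
    {
        string user = currentUser();
        if (string.IsNullOrEmpty(user))
            throw new UnauthorizedAccessException("No authenticated user; refusing to query.");
        return source.Where(r => r.OwnerUserName == user);
    }

    public List<T> GetAll() => Scoped().ToList();

    // Expression predicates stay server-side under EF; a row owned by someone else
    // is simply not found rather than being returned.
    public T Find(Expression<Func<T, bool>> predicate) => Scoped().FirstOrDefault(predicate);

    // Writes pass the same ownership check before anything is touched.
    public bool TryUpdate(T row, Action<T> mutate)
    {
        if (row.OwnerUserName != currentUser()) return false;
        mutate(row);
        return true;
    }
}

// Constructed sample entity and data, only to show the scoping in action.
public class MemberPoints : IOwnedRow
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public int Points { get; set; }
}

public static class Demo
{
    public static void Main()
    {
        IQueryable<MemberPoints> table = new List<MemberPoints>
        {
            new MemberPoints { Id = 1, OwnerUserName = "alice", Points = 120 },
            new MemberPoints { Id = 2, OwnerUserName = "bob",   Points = 45  },
        }.AsQueryable();

        // "alice" is the authenticated user for this run.
        var repo = new ScopedRepository<MemberPoints>(table, () => "alice");

        Console.WriteLine(repo.GetAll().Count);                 // only alice's row is visible
        Console.WriteLine(repo.Find(r => r.Id == 2) == null);   // bob's row cannot be looked up
        var bobsRow = table.First(r => r.Id == 2);
        Console.WriteLine(repo.TryUpdate(bobsRow, r => r.Points = 0)); // update is refused
    }
}
```

The design point is that the ownership filter lives in one private method that every public operation goes through, which is exactly what the Fortify text asks for: the query itself carries the authenticated user's name, rather than the UI being trusted to only ask for permitted rows.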
  • User-821857111 posted

    You'll be better off posting your question to a Fortify forum. The issue has nothing to do with ASP.NET.

    Tuesday, August 20, 2019 7:34 AM