Security |
Checks if solutions pose security issues.
Index
| Rule | Description | Type | Severity |
|---|---|---|---|
| SPC020201: Do not update list of blocked extensions | The assembly should not access property Microsoft.SharePoint.Administration.SPWebApplication.BlockedFileExtensions and also update the web application. The rule assumes that the list of blocked file extensions has been changed by the code. | Assembly | CriticalWarning |
| SPC020202: Avoid setting 'AllowUnsafeUpdates' on SPWeb | The assembly should not call Microsoft.SharePoint.SPWeb.AllowUnsafeUpdates to run make changes to SPWeb with a lower security context. Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities. | Assembly | CriticalWarning |
| SPC020203: Avoid setting 'AllowUnsafeUpdates' on SPSite | The assembly should not call Microsoft.SharePoint.SPSite.AllowUnsafeUpdates to run make changes to SPSite with a lower security context. Setting this property to true opens security risks, potentially introducing cross-site scripting vulnerabilities. | Assembly | CriticalWarning |
| SPC020204: Do not call 'WindowsIdentity.Impersonate' | The assembly should not call WindowsIdentity.Impersonate() to run code with higher permissions. | Assembly | CriticalWarning |
| SPC020205: Do not set 'AllowEveryoneViewItems' for SPList to TRUE | The property ListAllowEveryoneViewItems of the SPList object should not be set to true, as it allows every authenticated user of the web application to access the list items when the URL is known. | Assembly | CriticalWarning |
| SPC020206: Avoid usage of 'RunWithElevatedPrivileges' | The assembly should not call Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges to run code with higher permissions. | Assembly | CriticalWarning |
| SPC020210: Do not add PageParserPaths to web.config | PageParserPaths can be used to enable inline code in ASPX pages which is not allowed. | Assembly | CriticalWarning |
| SPC020220: Do not call 'HttpUtility.HtmlEncode'. | The assembly should not call HttpUtility.HtmlEncode(string) to encode strings. Use 'SPHttpUtility.HtmlEncode' instead. | Assembly | CriticalWarning |
| SPC020221: Do not nest calls to RunWithElevatedPrivileges | Do not call RunWithElevatedPrivileges inside a existing RunWithElevatedPrivileges. | Assembly | CriticalWarning |
| SPC020602: CAS Policy 'Maschine' with access='Administer' is not allowed | The CAS Policy 'Maschine' with access='Administer' is not allowed. | PolicyItem | CriticalWarning |
| SPC020603: Policy Permission Impersonate not allowed | The CAS Policy for Microsoft.SharePoint.Security.SharePointPermission with settings Impersonate=true is not allowed. | PolicyItem | CriticalWarning |
| SPC020611: Do not define 'FileIOPermission' with 'Unrestricted=true' | The CAS Policy for System.Security.Permissions.FileIOPermission with setting 'Unrestricted=true' is not allowed. This means read and write permission to all locations on the SharePoint system. Limit the permission to certain folders, e.g. TEMP. | PermissionSet | Error |
| SPC020612: Do not define 'RegistryPermission' with 'Unrestricted=true' | The CAS Policy for System.Security.Permissions.RegistryPermission with setting 'Unrestricted=true' is not allowed. | PermissionSet | Error |
| SPC020613: Do not define 'SecurityPermission' with 'Unrestricted=true' | The CAS Policy for System.Security.Permissions.SecurityPermission with setting 'Unrestricted=true' is not allowed. | PermissionSet | Error |
| SPC020614: Do not define 'EnvironmentPermission' with 'Unrestricted=true' | The CAS Policy for System.Security.Permissions.EnvironmentPermission with setting 'Unrestricted=true' is not allowed. | PermissionSet | Error |
| SPC020615: Do not define 'SmtpPermission' with 'Unrestricted=true' | The CAS Policy for System.Net.Mail.SmtpPermission with setting 'Unrestricted=true' is not allowed. | PermissionSet | CriticalWarning |
| SPC025501: Do not set 'AllowEveryoneViewItems' to TRUE in ListDefinition | The attribute ListAllowEveryoneViewItems of a ListDefinition should not be set to true, as it allows every authenticated user of the web application to access the list items when the URL is known. | ListTemplate | CriticalWarning |
| SPC026901: Do not use inline code in ASPX pages | ASPX pages should not contain inline code. Use code behind instead. | ASPXFile | CriticalWarning |
| SPC026902: Add 'SharePoint:FormDigest' to ASPX page | ASPX pages should contain 'SharePoint:FormDigest' to ensure security validation of requests, | ASPXFile | CriticalWarning |
Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.