Move shared content to separate files

rules/S6680/common/fix/limits.adoc

@@ -0,0 +1,9 @@
+==== Set limits
+
+Validate loop variable values to ensure they fall within the expected bounds.
+If a value falls outside of these bounds, reject it as invalid or adjust it to
+bring it within bounds. This guarantees that the loop will only iterate over
+the expected number of elements or perform the expected number of iterations.
+
+Do not assume that users will provide sensible values. Attackers intentionally
+choose unusual values to cause the system to misbehave.

rules/S6680/common/resources/standards.adoc

@@ -0,0 +1,5 @@
+=== Standards
+
+* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
+* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
+* https://cwe.mitre.org/data/definitions/606[MITRE, CWE-606] - Unchecked Input for Loop Condition

rules/S6680/csharp/rule.adoc

@@ -1,60 +1,10 @@
-This vulnerability exposes the system to various operational overloads that can
-lead to either a technical denial of service and/or business disruptions.
+include::../summary.adoc[]
 
 == Why is this an issue?
 
-Loop boundary injections occur in an application when the application retrieves
-data from a user or a third-party service and inserts it into a loop or a
-function acting as a loop, without sanitizing it first.
+include::../rationale.adoc[]
 
-If an application contains a loop that is vulnerable to injections, 
-it is exposed to attacks that target its availability where that loop is used.
-
-A user with malicious intent carefully performs actions whose goal is to cause
-the loop to run for more iterations than the developer intended, resulting in
-unexpected behavior or even a crash of the program.
-
-After creating the malicious request, the attacker can attack the servers
-affected by this vulnerability without relying on any prerequisites.
-
-=== What is the potential impact?
-After discovering the injection point, attackers insert data into the
-vulnerable field to either make the affected component inaccessible, attempt a
-malfunction, or read from an artifact that exceeds the developer's intended
-boundaries.
-
-In languages that don't enforce memory access checks, this can also lead to a
-buffer overflow or underflow which may result in sensitive information
-disclosure or remote code execution.
-
-Below are some real-world scenarios that illustrate some impacts of an attacker
-exploiting the vulnerability.
-
-==== Self Denial of service
-
-If the component affected by this vulnerability is not a bottleneck that
-acts as a single point of failure (SPOF) within the application, the denial of
-service might only affect the attacker who initiated it.
-
-Even if the denial of service has little direct impact, it can cause secondary
-effects in architectures that use containers and container orchestrators. It
-could cause unexpected container failures or resource overconsumption,
-for example.
-
-==== Infrastructure SPOFs
-
-A denial of service attack can be critical to the enterprise if it
-targets a SPOF component. Sometimes the SPOF is a software architecture
-vulnerability (such as a single component on which multiple critical components
-depend) or an operational vulnerability (for example, insufficient container
-creation capabilities or failures from containers to terminate).
-
-In either case, attackers aim to exploit the infrastructure weakness by sending
-as many malicious payloads as possible, using potentially huge offensive
-infrastructures.
-
-These threats are particularly insidious if the attacked organization does not
-maintain a disaster recovery plan (DRP).
+include::../impact.adoc[]
 
 == How to fix it
 
@@ -121,41 +71,21 @@ public class ExampleController : Controller
 
 === How does this work?
 
-==== Set limits
-
-Validate loop variable values to ensure they fall within the expected bounds.
-If a value falls outside of these bounds, reject it as invalid or adjust it to
-bring it within bounds. This guarantees that the loop will only iterate over
-the expected number of elements or perform the expected number of iterations.
-
-Do not assume that users will provide sensible values. Attackers intentionally
-choose unusual values to cause the system to misbehave.
+include::../../common/fix/limits.adoc[]
 
 == Resources
 
-=== Standards
-
-* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
-* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
-* https://cwe.mitre.org/data/definitions/606[MITRE, CWE-606] - Unchecked Input for Loop Condition
+include::../common/resources/standards.adoc[]
 
 ifdef::env-github,rspecator-view[]
 
 '''
 == Implementation Specification
 (visible only on this page)
 
-=== Message
-
-Change this code to set loop bounds directly from user-controlled data.
-
-=== Highlighting
-
-"[varname]" is tainted (assignments and parameters)
-
-this argument is tainted (method invocations)
+include::../message.adoc[]
 
-the returned value is tainted (returns & method invocations results)
+include::../highlighting.adoc[]
 
 '''
 endif::env-github,rspecator-view[]

rules/S6680/highlighting.adoc

@@ -0,0 +1,7 @@
+=== Highlighting
+
+"[varname]" is tainted (assignments and parameters)
+
+this argument is tainted (method invocations)
+
+the returned value is tainted (returns & method invocations results)

rules/S6680/impact.adoc

@@ -0,0 +1,38 @@
+=== What is the potential impact?
+After discovering the injection point, attackers insert data into the
+vulnerable field to either make the affected component inaccessible, attempt a
+malfunction, or read from an artifact that exceeds the developer's intended
+boundaries.
+
+In languages that don't enforce memory access checks, this can also lead to a
+buffer overflow or underflow which may result in sensitive information
+disclosure or remote code execution.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the vulnerability.
+
+==== Self Denial of service
+
+If the component affected by this vulnerability is not a bottleneck that
+acts as a single point of failure (SPOF) within the application, the denial of
+service might only affect the attacker who initiated it.
+
+Even if the denial of service has little direct impact, it can cause secondary
+effects in architectures that use containers and container orchestrators. It
+could cause unexpected container failures or resource overconsumption,
+for example.
+
+==== Infrastructure SPOFs
+
+A denial of service attack can be critical to the enterprise if it
+targets a SPOF component. Sometimes the SPOF is a software architecture
+vulnerability (such as a single component on which multiple critical components
+depend) or an operational vulnerability (for example, insufficient container
+creation capabilities or failures from containers to terminate).
+
+In either case, attackers aim to exploit the infrastructure weakness by sending
+as many malicious payloads as possible, using potentially huge offensive
+infrastructures.
+
+These threats are particularly insidious if the attacked organization does not
+maintain a disaster recovery plan (DRP).

rules/S6680/message.adoc

@@ -0,0 +1,3 @@
+=== Message
+
+Change this code to set loop bounds directly from user-controlled data.

rules/S6680/rationale.adoc

@@ -0,0 +1,13 @@
+Loop boundary injections occur in an application when the application retrieves
+data from a user or a third-party service and inserts it into a loop or a
+function acting as a loop, without sanitizing it first.
+
+If an application contains a loop that is vulnerable to injections, 
+it is exposed to attacks that target its availability where that loop is used.
+
+A user with malicious intent carefully performs actions whose goal is to cause
+the loop to run for more iterations than the developer intended, resulting in
+unexpected behavior or even a crash of the program.
+
+After creating the malicious request, the attacker can attack the servers
+affected by this vulnerability without relying on any prerequisites.

rules/S6680/summary.adoc

@@ -0,0 +1,2 @@
+This vulnerability exposes the system to various operational overloads that can
+lead to either a technical denial of service and/or business disruptions.