pumasecurity / puma-scan

Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
https://www.pumascan.com
Mozilla Public License 2.0
446 stars 80 forks

SEC0019 with global AutoValidateAntiforgeryTokenAttribute #37

Open felickz opened 6 years ago

felickz commented 6 years ago

A newer pattern exists for auto-validating CSRF tokens in .NET Core to protect all endpoints through global filter configuration. Is there any pattern for detecting that this attribute is globally applied and disabling SEC0019? Potentially, SEC0019 could then apply to the use of the ignore attribute.

Filters.Add(new AutoValidateAntiforgeryTokenAttribute());

AutoValidateAntiforgeryTokenAttribute can be applied as a global filter to trigger validation of antiforgery tokens by default for an application.

Also, we should call out the usage of IgnoreAntiforgeryTokenAttribute here.

Blog explaining the topic: https://andrewlock.net/automatically-validating-anti-forgery-tokens-in-asp-net-core-with-the-autovalidateantiforgerytokenattribute/

This would be dependent on .NET Core support #36
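As an added illustration of the two checks this request asks for (not Puma Scan's own SEC0019 code, and written against the public Roslyn analyzer API rather than Puma Scan's rule framework), the sketch below registers one compilation-wide flag that is set when `Filters.Add(new AutoValidateAntiforgeryTokenAttribute())` is seen, reports a finding at compilation end if it never was, and flags every `[IgnoreAntiforgeryToken]` attribute so that opt-outs from the global filter get reviewed. The diagnostic ids `EXAMPLE001`/`EXAMPLE002`, the class name and the message texts are placeholders chosen for this example; type matching is done through the semantic model against the real `Microsoft.AspNetCore.Mvc` attribute types, so a user-defined attribute that happens to share the name is not matched.

```csharp
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

// Hypothetical analyzer sketch; ids, names and messages are placeholders, not SEC0019.
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class GlobalAntiforgeryAnalyzer : DiagnosticAnalyzer
{
    private const string AutoValidateType = "Microsoft.AspNetCore.Mvc.AutoValidateAntiforgeryTokenAttribute";
    private const string IgnoreType = "Microsoft.AspNetCore.Mvc.IgnoreAntiforgeryTokenAttribute";

    private static readonly DiagnosticDescriptor NoGlobalFilter = new DiagnosticDescriptor(
        id: "EXAMPLE001",
        title: "No global antiforgery validation filter",
        messageFormat: "AutoValidateAntiforgeryTokenAttribute is not registered as a global filter; per-action antiforgery findings remain relevant",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    private static readonly DiagnosticDescriptor IgnoreUsed = new DiagnosticDescriptor(
        id: "EXAMPLE002",
        title: "Antiforgery validation disabled",
        messageFormat: "IgnoreAntiforgeryToken removes CSRF protection from this controller or action; confirm the endpoint is safe without it",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics
        => ImmutableArray.Create(NoGlobalFilter, IgnoreUsed);

    // Per-compilation state shared between the node callbacks and the end-of-compilation callback.
    private sealed class State { public volatile bool GlobalFilterSeen; }

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();

        context.RegisterCompilationStartAction(startContext =>
        {
            var state = new State();

            // Check 1: look for `<something>.Filters.Add(new AutoValidateAntiforgeryTokenAttribute())`.
            startContext.RegisterSyntaxNodeAction(nodeContext =>
            {
                var creation = (ObjectCreationExpressionSyntax)nodeContext.Node;
                var ctor = nodeContext.SemanticModel.GetSymbolInfo(creation).Symbol as IMethodSymbol;
                if (ctor?.ContainingType.ToDisplayString() != AutoValidateType) return;

                // Argument -> ArgumentList -> Invocation whose target is `... .Filters.Add`.
                if (creation.Parent is ArgumentSyntax arg
                    && arg.Parent?.Parent is InvocationExpressionSyntax invocation
                    && invocation.Expression is MemberAccessExpressionSyntax access
                    && access.Name.Identifier.Text == "Add"
                    && access.Expression.ToString().EndsWith("Filters"))
                {
                    state.GlobalFilterSeen = true;
                }
            }, SyntaxKind.ObjectCreationExpression);

            // Check 2: every [IgnoreAntiforgeryToken] is an opt-out from the global filter and gets reported.
            startContext.RegisterSyntaxNodeAction(nodeContext =>
            {
                var attribute = (AttributeSyntax)nodeContext.Node;
                var ctor = nodeContext.SemanticModel.GetSymbolInfo(attribute).Symbol as IMethodSymbol;
                if (ctor?.ContainingType.ToDisplayString() == IgnoreType)
                {
                    nodeContext.ReportDiagnostic(Diagnostic.Create(IgnoreUsed, attribute.GetLocation()));
                }
            }, SyntaxKind.Attribute);

            // Only after the whole compilation is walked do we know whether the global filter exists.
            startContext.RegisterCompilationEndAction(endContext =>
            {
                if (!state.GlobalFilterSeen)
                {
                    endContext.ReportDiagnostic(Diagnostic.Create(NoGlobalFilter, Location.None));
                }
            });
        });
    }
}
```

The compilation-end pattern is what makes "disable SEC0019 when the global filter is present" expressible: a per-action rule cannot know at the time it visits a controller whether `Startup` elsewhere registered the filter, so the decision has to be deferred until the compilation has been fully walked (or the per-action findings collected and released only when the flag is still false). The `EndsWith("Filters")` receiver check is deliberately loose so that `options.Filters.Add(...)` and `config.Filters.Add(...)` both match; a stricter version would resolve the receiver type to `FilterCollection` through the semantic model.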

ejohn20 commented 6 years ago

Agreed, this will need to be part of the .NET Core rule package.