C# CSRF query: add support for ASP.NET Core

This commit is contained in:
Chris Smowton
2025-12-08 11:51:01 +00:00
parent cd6429a39e
commit 5bb31afc83
5 changed files with 58 additions and 6 deletions


@@ -0,0 +1,31 @@
using Microsoft.AspNetCore.Mvc;
public class HomeController : Controller
{
// BAD: Anti forgery token has been forgotten
[HttpPost]
public ActionResult Login()
{
return View();
}
// GOOD: Anti forgery token is validated
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult UpdateDetails()
{
return View();
}
// No validation required, as this is a GET method.
public ActionResult ShowHelp()
{
return View();
}
// Should be ignored, because it is not an action method
[NonAction]
public void UtilityMethod()
{
}
}
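Review bot: The comment on `ShowHelp` says no validation is required because it is a GET method, but in ASP.NET Core an action that carries no `[HttpGet]`/`[HttpPost]` attribute is not restricted to GET and will also be dispatched for POST requests, so the test currently asserts "no alert" for an action that is verb-unconstrained rather than GET-only; either add `[HttpGet]` and reword the comment to `// No validation required, as this is an explicit GET-only action.`, or keep the method unattributed as a deliberate test of how the query treats such actions and say so in the comment. The test also has no case for the Core-specific `[AutoValidateAntiforgeryToken]` (applied at class level or as a global filter, which would make `Login` safe without a per-method attribute) or `[IgnoreAntiforgeryToken]`, nor for the other state-changing verbs `[HttpPut]`, `[HttpDelete]` and `[HttpPatch]`; whether the query handles these is not visible from this page, but one method per case with a matching `.expected` line would pin the intended behaviour. The `HomeController` class is fully within the hunk.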


@@ -0,0 +1 @@
| MissingAntiForgeryTokenValidation.cs:7:25:7:29 | Login | Method 'Login' handles a POST request without performing CSRF token validation. |


@@ -0,0 +1 @@
query: Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql


@@ -0,0 +1,2 @@
semmle-extractor-options: /nostdlib /noconfig
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj