rspec/rules/S4502/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

[source,csharp]
----
public void ConfigureServices(IServiceCollection services)
{
    // ...
    services.AddControllersWithViews(options => options.Filters.Add(new IgnoreAntiforgeryTokenAttribute())); // Sensitive
    // ...
}
----

[source,csharp]
----
[HttpPost, IgnoreAntiforgeryToken] // Sensitive
public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
----

== Compliant Solution

[source,csharp]
----
public void ConfigureServices(IServiceCollection services)
{
    // ...
    services.AddControllersWithViews(options => options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    // or 
    services.AddControllersWithViews(options => options.Filters.Add(new ValidateAntiForgeryTokenAttribute()));
    // ...
}
----

[source,csharp]
----
[HttpPost]
[AutoValidateAntiforgeryToken]
public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 29 Jan 2021, 11:07:02 Costin Zaharia wrote:
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-5.0[Configuring Cross-site request forgery protection in ASP.NET Code MVC]

=== on 12 Apr 2021, 13:13:42 Costin Zaharia wrote:
Nice catch! Searching for *asp-antiforgery* inside *.cshtml file would be great.

=== on 12 Apr 2021, 13:31:00 Andrei Epure wrote:
And also :

* opted-out of Tag Helpers
* removing the ``++FormTagHelper++`` from the view

 https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-5.0[Configuring Cross-site request forgery protection in ASP.NET Code MVC]

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
-												Add coveredLanguages field

											
										
										
											2021-01-29 15:53:23 +01:00
+								include::../description.adoc[]
 								include::../ask-yourself.adoc[]
 								include::../recommended.adoc[]
-												migrate rule descriptions to new education format

											
										
										
											2023-05-03 11:06:20 +02:00
+								== Sensitive Code Example
-												Add coveredLanguages field

											
										
										
											2021-01-29 15:53:23 +01:00
-												RULEAPI-661: Add syntax coloring


											
										
										
											2022-02-04 17:28:24 +01:00
+								[source,csharp]
-												Add coveredLanguages field

											
										
										
											2021-01-29 15:53:23 +01:00
+								----
 								public void ConfigureServices(IServiceCollection services)
 								{
 								    // ...
 								    services.AddControllersWithViews(options => options.Filters.Add(new IgnoreAntiforgeryTokenAttribute())); // Sensitive
 								    // ...
 								}
 								----
-												RULEAPI-661: Add syntax coloring


											
										
										
											2022-02-04 17:28:24 +01:00
+								[source,csharp]
-												Add coveredLanguages field

											
										
										
											2021-01-29 15:53:23 +01:00
+								----
 								[HttpPost, IgnoreAntiforgeryToken] // Sensitive
 								public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
 								----
 								== Compliant Solution
-												RULEAPI-661: Add syntax coloring


											
										
										
											2022-02-04 17:28:24 +01:00
+								[source,csharp]
-												Add coveredLanguages field

											
										
										
											2021-01-29 15:53:23 +01:00
+								----
 								public void ConfigureServices(IServiceCollection services)
 								{
 								    // ...
 								    services.AddControllersWithViews(options => options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
 								    // or
 								    services.AddControllersWithViews(options => options.Filters.Add(new ValidateAntiForgeryTokenAttribute()));
 								    // ...
 								}
 								----
-												RULEAPI-661: Add syntax coloring


											
										
										
											2022-02-04 17:28:24 +01:00
+								[source,csharp]
-												Add coveredLanguages field

											
										
										
											2021-01-29 15:53:23 +01:00
+								----
 								[HttpPost]
 								[AutoValidateAntiforgeryToken]
 								public IActionResult ChangeEmail(ChangeEmailModel model) => View("~/Views/...");
 								----
 								include::../see.adoc[]
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								ifdef::env-github,rspecator-view[]
-												RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346)


											
										
										
											2021-09-20 15:38:42 +02:00
 								'''
 								== Implementation Specification
 								(visible only on this page)
 								include::../message.adoc[]
-												RULEAPI-576: add a horizontal rule between rule description and comments


											
										
										
											2021-06-08 15:52:13 +02:00
+								'''
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								== Comments And Links
 								(visible only on this page)
-												Inline adoc when include has no additional value (#1940)

Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
											
										
										
											2023-05-25 14:18:12 +02:00
+								=== on 29 Jan 2021, 11:07:02 Costin Zaharia wrote:
 								https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-5.0[Configuring Cross-site request forgery protection in ASP.NET Code MVC]
 								=== on 12 Apr 2021, 13:13:42 Costin Zaharia wrote:
 								Nice catch! Searching for *asp-antiforgery* inside *.cshtml file would be great.
 								=== on 12 Apr 2021, 13:31:00 Andrei Epure wrote:
 								And also :
 								* opted-out of Tag Helpers
 								* removing the ``++FormTagHelper++`` from the view
 								 https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-5.0[Configuring Cross-site request forgery protection in ASP.NET Code MVC]
 								include::../comments-and-links.adoc[]
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								endif::env-github,rspecator-view[]