
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
87 lines
2.4 KiB
Plaintext
== Why is this an issue?
ASP.NET request validation inspects incoming HTTP requests and rejects potentially dangerous content before it can be used in a cross-site scripting (XSS) attack. There is no reason to disable this mechanism, even if other checks to prevent XSS attacks are in place.

This rule raises an issue if a method with parameters is marked with ``++System.Web.Mvc.HttpPostAttribute++`` and not with ``++System.Web.Mvc.ValidateInputAttribute(true)++``.

=== Noncompliant code example
[source,csharp]
----
using System.Web.Mvc;

public class FooBarController : Controller
{
    // Request validation is explicitly switched off for this action.
    [HttpPost] // Noncompliant
    [ValidateInput(false)]
    public ActionResult Purchase(string input)
    {
        return Foo(input);
    }

    // No ValidateInput(true) attribute: validation is not explicitly enabled.
    [HttpPost] // Noncompliant
    public ActionResult PurchaseSomethingElse(string input)
    {
        return Foo(input);
    }
}
----

=== Compliant solution
[source,csharp]
----
using System.Web.Mvc;

public class FooBarController : Controller
{
    // Request validation is explicitly enabled for this action.
    [HttpPost]
    [ValidateInput(true)] // Compliant
    public ActionResult Purchase(string input)
    {
        return Foo(input);
    }
}
----

=== Exceptions
Parameterless methods marked with ``++System.Web.Mvc.HttpPostAttribute++`` will not trigger this issue.
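To make the rule's three conditions concrete (the method takes parameters, it carries ``++HttpPostAttribute++``, and it is not marked ``++ValidateInputAttribute(true)++``, with the parameterless exception above), here is an added Python script that applies the same checks to C# source text. It is example code written for this page, not part of the rule specification or of any SonarSource analyzer. It assumes attributes sit on the lines directly preceding the method declaration and uses a constructed ``++FooBarController++`` as its input; the ``++Checkout++``, ``++Ping++`` and ``++Index++`` actions are hypothetical additions used to exercise the compliant, exception and out-of-scope cases.

```python
import re

# Constructed sample C# source (not from the rule page) exercising the rule:
# - Purchase: [HttpPost] with [ValidateInput(false)]   -> reported
# - PurchaseSomethingElse: [HttpPost], no ValidateInput -> reported
# - Checkout: [HttpPost] with [ValidateInput(true)]    -> compliant
# - Ping: parameterless [HttpPost]                     -> exception, not reported
# - Index: [HttpGet]                                   -> outside the rule's scope
SAMPLE_CS = """
using System.Web.Mvc;

public class FooBarController : Controller
{
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Purchase(string input)
    {
        return Foo(input);
    }

    [HttpPost]
    public ActionResult PurchaseSomethingElse(string input)
    {
        return Foo(input);
    }

    [HttpPost, ValidateInput(true)]
    public ActionResult Checkout(string input, int qty)
    {
        return Foo(input);
    }

    [HttpPost]
    public ActionResult Ping()
    {
        return Content("pong");
    }

    [HttpGet]
    public ActionResult Index(string q)
    {
        return View();
    }
}
"""

# A line holding one attribute list, e.g. "[HttpPost, ValidateInput(true)] // note".
ATTR_LINE = re.compile(r"^\s*\[(?P<body>[^\]]*)\]\s*(//.*)?$")
# A method declaration: optional modifiers, return type, name, parameter list.
METHOD_LINE = re.compile(
    r"^\s*(public|internal|protected|private)?\s*(static\s+|virtual\s+|override\s+|async\s+)*"
    r"[\w<>\[\],\s]+?\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)"
)


def split_attributes(body):
    """Split 'HttpPost, ValidateInput(true)' into single attributes, ignoring
    commas that sit inside an attribute's argument parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def attr_name(attr):
    """Normalise 'System.Web.Mvc.ValidateInputAttribute(true)' to 'validateinput'."""
    name = attr.split("(", 1)[0].strip().split(".")[-1]
    if name.endswith("Attribute"):
        name = name[: -len("Attribute")]
    return name.lower()


def attr_args(attr):
    """Return the lower-cased argument text of an attribute, '' if it has none."""
    if "(" not in attr:
        return ""
    return attr[attr.index("(") + 1 : attr.rindex(")")].strip().lower()


def find_unvalidated_post_actions(source):
    """Names of methods that take parameters, carry HttpPost, and are not
    explicitly marked ValidateInput(true). Parameterless methods are skipped,
    matching the rule's stated exception."""
    findings = []
    pending = []  # attributes collected for the next declaration
    for line in source.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            pending.extend(split_attributes(m.group("body")))
            continue
        mm = METHOD_LINE.match(line)
        if mm and pending:
            names = [attr_name(a) for a in pending]
            has_post = "httppost" in names
            validated = any(attr_name(a) == "validateinput" and attr_args(a) == "true"
                            for a in pending)
            has_params = mm.group("params").strip() != ""
            if has_post and has_params and not validated:
                findings.append(mm.group("name"))
        if line.strip() and not line.strip().startswith("["):
            pending = []  # attributes bind only to the declaration that follows them
    return findings


if __name__ == "__main__":
    for name in find_unvalidated_post_actions(SAMPLE_CS):
        print(f"Enable input validation for this HttpPost method: {name}")
```

Only ``++Purchase++`` and ``++PurchaseSomethingElse++`` are reported: a ``++ValidateInput(false)++`` attribute and a missing attribute are treated the same way, which is the point raised in the comments below, and ``++Ping++`` is skipped because it has no parameters.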
== Resources
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://cwe.mitre.org/data/definitions/79[MITRE, CWE-79] - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components
* https://www.owasp.org/index.php/ASP.NET_Request_Validation[OWASP ASP.NET Request Validation]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Enable input validation for this HttpPost method

=== Highlighting

The ``++HttpPostAttribute++``

'''
== Comments And Links
(visible only on this page)

=== on 6 Apr 2018, 17:40:31 Alexandre Gigleux wrote:
This rule should raise an issue if both [HttpPost] and [System.Web.Mvc.ValidateInputAttribute(false)] are set on a method of a class inheriting from System.Web.Mvc.ControllerBase

=== on 11 Apr 2018, 18:00:11 Amaury Levé wrote:
\[~alexandre.gigleux] I think that your comment should actually be part of the rule description because it is not clear when reading whether only ``++[System.Web.Mvc.ValidateInputAttribute(false)]++`` can cause an issue.

endif::env-github,rspecator-view[]