
Anti-forgery token not necessary for API controller

An API controller in ASP.NET Core does not require the ValidateAntiForgeryToken attribute. In general, APIs do not need to use anti-forgery tokens for CSRF protection.

However, the current rule also flags the API controller as vulnerable.

For the following API controller:

using Microsoft.AspNetCore.Mvc;

// Test input for the rule: an API controller whose state-changing actions
// intentionally carry no [ValidateAntiForgeryToken] attribute.
[ApiController]
public class ApiCsrf : ControllerBase
{
    [HttpPost]
    public string ControllerMethod1(string input)
    {
        return null;
    }

    [HttpDelete]
    public string ControllerMethod2(string input)
    {
        return null;
    }

    [HttpPatch]
    public string ControllerMethod3(string input)
    {
        return null;
    }

    [HttpPut]
    public string ControllerMethod4(string input)
    {
        return null;
    }
}

a CSRF vulnerability is reported:

$ semgrep --config ./rule-Csrf.yml ApiCsrf.cs

...

          7┆ [HttpPost]
          8┆ public string ControllerMethod1(string input)
          9┆ {
         10┆     return null;
         11┆ }
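One way to keep the finding for MVC controllers while excluding classes marked [ApiController], as an added illustration rather than the contents of rule-Csrf.yml (the rule id, message and exact patterns are assumptions; the real rule may be structured differently):

```yaml
rules:
  - id: example-mvc-missing-antiforgery   # assumed id, not the project's rule
    languages: [csharp]
    severity: WARNING
    message: >-
      State-changing action without [ValidateAntiForgeryToken]. MVC actions
      that accept cookie-authenticated form posts need CSRF protection.
    patterns:
      # Only state-changing HTTP verbs are of interest (GET is excluded).
      - pattern-either:
          - pattern: |
              [HttpPost]
              public $RET $METHOD(...) { ... }
          - pattern: |
              [HttpPut]
              public $RET $METHOD(...) { ... }
          - pattern: |
              [HttpPatch]
              public $RET $METHOD(...) { ... }
          - pattern: |
              [HttpDelete]
              public $RET $METHOD(...) { ... }
      # Actions that already validate the token are fine.
      - pattern-not: |
          [ValidateAntiForgeryToken]
          public $RET $METHOD(...) { ... }
      # Controllers decorated with [ApiController] are not expected to use
      # anti-forgery tokens, so do not report their actions. Note: the
      # attribute must appear on this class; one inherited from a base
      # class or applied at assembly level is not visible to this pattern.
      - pattern-not-inside: |
          [ApiController]
          class $C { ... }
```

With this exclusion the page's ApiCsrf class produces no finding, while an identical class without [ApiController] is still reported; API endpoints that authenticate with cookies still need another CSRF defence such as SameSite cookies or a custom request header.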
