
Do not detect HttpDelete or HttpPut

gitlab-org/security-products/analyzers/semgrep!150 (closed)

"HttpPost" is not the only ASP.NET application that requires CSRF protection. It seems that the countermeasure is missing.

This code is detected as vulnerable by Semgrep C# analyzer.

[HttpPost]
public void Post() {}

However, this code is not detected.

[HttpDelete]
public void Delete() {}

A list of HTTP methods to be detected.

  • HttpPost - OK
  • HttpDelete - NG
  • HttpPatch - NG
  • HttpPut - NG
Edited by Tomo Masakura
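
As an added example (not part of this merge request and not the Semgrep analyzer's rule), here is a simplified line-based check that treats all four verb attributes listed above alike. It assumes the countermeasure is the method-level `[ValidateAntiForgeryToken]` attribute and ignores class-level or global anti-forgery filters; the sample source is constructed.

```python
import re

# Verb attributes from the list above; each marks a state-changing action.
STATE_CHANGING = {"HttpPost", "HttpDelete", "HttpPatch", "HttpPut"}
# Assumption: the expected countermeasure is ASP.NET's [ValidateAntiForgeryToken].
ANTIFORGERY = "ValidateAntiForgeryToken"
ATTR_BLOCK = re.compile(r"\[([^\]]*)\]")
METHOD_DECL = re.compile(r"\b(?:public|protected|internal|private)\b[^;={(]*?\b(\w+)\s*\(")

# Constructed sample input, not taken from any real project.
SAMPLE = """
[HttpPost]
public void Post() {}
[HttpDelete]
public void Delete() {}
[HttpPut("{id}")]
[ValidateAntiForgeryToken]
public void Put(int id) {}
[HttpPatch, ValidateAntiForgeryToken]
public void Patch() {}
"""


def attribute_names(text):
    """Names in every [..] block: '[HttpPut("{id}"), Authorize]' -> {'HttpPut', 'Authorize'}."""
    names = set()
    for block in ATTR_BLOCK.findall(text):
        block = re.sub(r"\([^)]*\)", "", block)  # drop attribute arguments
        names.update(part.strip() for part in block.split(",") if part.strip())
    return names


def find_unprotected_actions(source):
    """Return (method, verb) pairs for state-changing actions lacking the anti-forgery attribute."""
    findings, pending = [], set()
    for line in source.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        pending |= attribute_names(stripped)
        decl = METHOD_DECL.search(ATTR_BLOCK.sub("", stripped))
        if decl:
            if ANTIFORGERY not in pending:
                findings += [(decl.group(1), verb) for verb in sorted(pending & STATE_CHANGING)]
            pending = set()
        elif not stripped.startswith("["):
            pending = set()  # attributes belonged to something other than a method
    return findings
```

On the sample, `find_unprotected_actions(SAMPLE)` reports `Post` and `Delete` and passes over the two actions that carry the anti-forgery attribute.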
