Povratne informacije Uredi

CA5395: Miss HttpVerb attribute for action methods

  • Članak
  • 2 min. za čitanje
Value
Rule ID CA5395
Category Security
Fix is breaking or non-breaking Non-breaking

Cause

Not specifying the kind of HTTP request explicitly for action methods.

Rule description

All the action methods that create, edit, delete, or otherwise modify data needs to be protected with the antiforgery attribute from cross-site request forgery attacks. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data.

How to fix violations

Mark the action methods with HttpVerb attribute.

When to suppress warnings

It's safe to suppress warnings from this rule if:

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5395
// The code that's violating the rule is on this line.
#pragma warning restore CA5395

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5395.severity = none

To disable this entire category of rules, set the severity for the category to none in the configuration file.

[*.{cs,vb}]
dotnet_analyzer_diagnostic.category-Security.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

using Microsoft.AspNetCore.Mvc;

[ValidateAntiForgeryToken]
class BlahController : Controller
{
}

class ExampleController : Controller
{
    public IActionResult ExampleAction()
    {
        return null;
    }
}

Solution

using Microsoft.AspNetCore.Mvc;

[ValidateAntiForgeryToken]
class BlahController : Controller
{
}

class ExampleController : Controller
{
    [HttpGet]
    public IActionResult ExampleAction()
    {
        return null;
    }
}