
CA3147: Mark verb handlers with ValidateAntiForgeryToken (code analysis) - .NET

Property: Value
Rule ID: CA3147
Title: Mark verb handlers with ValidateAntiForgeryToken
Category: Security
Fix is breaking or non-breaking: Non-breaking
Enabled by default in .NET 9: No

Cause

An ASP.NET MVC controller action method isn't marked with ValidateAntiForgeryTokenAttribute, or an attribute specifying the HTTP verb, such as HttpGetAttribute or AcceptVerbsAttribute.

Rule description

When designing an ASP.NET MVC controller, be mindful of cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET MVC controller. For more information, see XSRF/CSRF prevention in ASP.NET MVC and web pages.

This rule checks that ASP.NET MVC controller action methods either:

- Have the ValidateAntiForgeryTokenAttribute, or
- Have an attribute specifying the HTTP verb, such as HttpGetAttribute or AcceptVerbsAttribute.

How to fix violations

Apply ValidateAntiForgeryTokenAttribute, or an attribute specifying the HTTP verb, to the action method.

When to suppress warnings

It's safe to suppress a warning from this rule if:

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA3147
// The code that's violating the rule is on this line.
#pragma warning restore CA3147

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA3147.severity = none

For more information, see How to suppress code analysis warnings.

ValidateAntiForgeryToken attribute example

Violation:

namespace TestNamespace
{
    using System.Web.Mvc;

    public class TestController : Controller
    {
        public ActionResult TransferMoney(string toAccount, string amount)
        {
            // You don't want an attacker to specify to whom and how much money to transfer.

            return null;
        }
    }
}

Solution:

namespace TestNamespace
{
    using System.Web.Mvc;

    public class TestController : Controller
    {
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult TransferMoney(string toAccount, string amount)
        {
            return null;
        }
    }
}

HttpGet attribute example

Violation:

namespace TestNamespace
{
    using System.Web.Mvc;

    public class TestController : Controller
    {
        public ActionResult Help(int topicId)
        {
            // This Help method is an example of a read-only operation with no harmful side effects.
            return null;
        }
    }
}

Solution:

namespace TestNamespace
{
    using System.Web.Mvc;

    public class TestController : Controller
    {
        [HttpGet]
        public ActionResult Help(int topicId)
        {
            return null;
        }
    }
}
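The two examples above each show one way of satisfying CA3147 in isolation. The following added example (not code from the CA3147 documentation) puts the accepted patterns side by side in one ASP.NET MVC controller and, in a trailing comment, shows the Razor form that emits the token the POST handler validates, since [ValidateAntiForgeryToken] only protects an action if the form actually carries the token. The AccountController, its actions, and the TransferRequest type are hypothetical names chosen for the illustration.

```csharp
// Added example, not from the CA3147 docs page. Controller, action and
// TransferRequest names are hypothetical.
using System.Web.Mvc;

namespace ExampleApp.Controllers
{
    public class TransferRequest
    {
        public string ToAccount { get; set; }
        public decimal Amount { get; set; }
    }

    public class AccountController : Controller
    {
        // State-changing action: restrict it to POST and require the anti-forgery token.
        // ValidateAntiForgeryToken compares the hidden __RequestVerificationToken form
        // field with the __RequestVerificationToken cookie. A form posted from another
        // origin cannot read the page to obtain the matching field value, so the request
        // fails with HttpAntiForgeryException before this method body runs.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult TransferMoney(TransferRequest request)
        {
            if (!ModelState.IsValid || request.Amount <= 0)
            {
                return new HttpStatusCodeResult(400);
            }

            // ... perform the transfer (omitted in this example) ...
            return RedirectToAction("Summary");
        }

        // Read-only action: [HttpGet] states that it has no side effects, which is
        // what satisfies CA3147 without a token check. GET handlers must stay
        // side-effect free for that reasoning to hold.
        [HttpGet]
        public ActionResult Summary()
        {
            return View();
        }

        // AcceptVerbsAttribute is the other verb attribute CA3147 recognises.
        // Limiting the action to GET and HEAD expresses the same intent as [HttpGet].
        [AcceptVerbs(HttpVerbs.Get | HttpVerbs.Head)]
        public ActionResult Help(int topicId)
        {
            return View(topicId);
        }
    }
}

/* Views/Account/Summary.cshtml (the form that posts to TransferMoney):

@using (Html.BeginForm("TransferMoney", "Account", FormMethod.Post))
{
    @Html.AntiForgeryToken()   // renders the hidden __RequestVerificationToken field
    @Html.TextBox("ToAccount")
    @Html.TextBox("Amount")
    <input type="submit" value="Transfer" />
}
*/
```

A quick check when reviewing a controller for this rule: every action that changes state should carry both a verb attribute limiting it to POST (or another non-GET verb) and [ValidateAntiForgeryToken], and every view that posts to it should call Html.AntiForgeryToken() inside the form; an action that only reads data should be marked [HttpGet] or an equivalent AcceptVerbs restriction so its intent is explicit.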
