C# CSRF query: add support for ASP.NET Core #20983
Pull request overview
This PR extends the C# CSRF security query to detect missing anti-forgery token validation in ASP.NET Core applications, in addition to the existing ASP.NET MVC support.
Key changes:
- Added ASP.NET Core framework support to the CSRF detection query
- Refactored validation logic to handle both ASP.NET MVC and ASP.NET Core patterns
- Added comprehensive test cases for ASP.NET Core scenarios
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| MissingAntiForgeryTokenValidation.ql | Extended query logic to detect CSRF vulnerabilities in both ASP.NET MVC and ASP.NET Core controllers |
| MissingAntiForgeryTokenValidation.cs | Added test cases demonstrating vulnerable and safe ASP.NET Core controller patterns |
| MissingAntiForgeryTokenValidation.expected | Expected query results for the new ASP.NET Core test cases |
| MissingAntiForgeryTokenValidation.qlref | Query reference file for test execution |
| options | Extractor configuration for ASP.NET Core test compilation |
| @@ -0,0 +1 @@ | |||
| query: Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql | |||
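Review bot: this qlref only names the query, so the test's expected results live solely in MissingAntiForgeryTokenValidation.expected, which is what the code-scanning warning on this file ("Query test without inline test expectations") is pointing at. Consider switching the test to inline expectations, with the expected alert annotated next to each vulnerable action in MissingAntiForgeryTokenValidation.cs, so a reviewer can see at a glance which ASP.NET Core patterns are meant to be flagged and which (for example the globally validated case) are meant to stay silent.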
Check warning (Code scanning / CodeQL): Query test without inline test expectations (Warning, test)
False positives are generated by this query when the validation attribute is not on the action but instead applied globally via https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.autovalidateantiforgerytokenattribute?view=aspnetcore-10.0
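To make the three cases the comment above distinguishes concrete, here is an added C# example (it is not code from this PR or from the CodeQL test suite); the controller, action and namespace names are assumptions:

```csharp
// Added illustration: three ASP.NET Core patterns the query must tell apart.
// Namespace, controller and action names are assumptions.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

namespace CsrfExample
{
    public class TransferController : Controller
    {
        // 1. Vulnerable: a state-changing POST with no anti-forgery validation.
        //    A cross-site form post is accepted with the victim's session cookie.
        [HttpPost]
        public IActionResult Transfer(decimal amount) => Ok();

        // 2. Safe: the token is validated on the action itself.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public IActionResult TransferValidated(decimal amount) => Ok();

        // 3. Looks identical to (1) if only action attributes are inspected,
        //    but is protected by the global AutoValidateAntiforgeryTokenAttribute
        //    filter registered in Program below. This is the false-positive case
        //    the comment above describes.
        [HttpPost]
        public IActionResult TransferGloballyValidated(decimal amount) => Ok();
    }

    public static class Program
    {
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);

            // Global filter: every unsafe HTTP method (POST, PUT, PATCH, DELETE)
            // on every controller validates the anti-forgery token, so no
            // per-action [ValidateAntiForgeryToken] is needed.
            builder.Services.AddControllersWithViews(options =>
                options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

            var app = builder.Build();
            app.MapControllers();
            app.Run();
        }
    }
}
```

A query that only inspects action and controller attributes reports (1) and (3) alike; distinguishing them requires also recognising the global filter registration in the startup code.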