Description
Environment:
- Version: 5.6.7
- Branch:
  - vs2019
  - vs2017
  - vs2015
- Installation/Running method:
  - Visual Studio Extension
  - NuGet package
  - Standalone tool
  - DotNet Core Tool from NuGet
  - security-scan4x.zip from GitHub Release section
- Operating System:
  - Windows
  - Linux
  - Mac
Describe the bug
False positive for SCS0016: Controller method is potentially vulnerable to Cross Site Request Forgery (CSRF)
The older [ValidateAntiforgeryToken] and [AutoValidateAntiforgeryToken] attributes are only valid on MVC controllers (controllers with views, Razor forms, etc.). The only technology available to validate antiforgery on API controllers is a new, undocumented attribute (as of .NET 8.0): [RequireAntiforgeryValidation].
Repro
```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
public class ExampleController : ControllerBase
{
    // Both actions carry the antiforgery attribute but are still reported as SCS0016.
    [HttpPost("file")]
    [RequireAntiforgeryToken]
    public void Post([FromForm] IFormFile file) { } // SCS0016

    [HttpPost("data")]
    [RequireAntiforgeryToken]
    public void Post([FromForm] string data) { } // SCS0016
}
```
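The following is an added example, not code from the issue or from the SecurityCodeScan project. It shows the piece a reviewer triaging this report would want to verify: `[RequireAntiforgeryToken]` is only endpoint metadata, and the actual check is performed by the antiforgery middleware registered with `app.UseAntiforgery()`, which records its verdict in `IAntiforgeryValidationFeature`. The controller here reads that feature and fails closed, so a request that the middleware never validated (or rejected) gets a 400 regardless of what an analyzer thinks of the attribute. The route templates, the `X-CSRF-TOKEN` header name and the token-issuing `GET` endpoint are assumptions chosen for this example.

```csharp
// Added example (not from the issue or the SecurityCodeScan project).
// Minimal ASP.NET Core 8 host: controllers + antiforgery middleware.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// Header name is an assumption for this example; the default is "RequestVerificationToken".
builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();
app.UseRouting();
// The attribute on the action is only metadata; this middleware is what validates
// the cookie/header (or cookie/form-field) token pair and records the result.
app.UseAntiforgery();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class ExampleController : ControllerBase
{
    private readonly IAntiforgery _antiforgery;

    public ExampleController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Issues the request token to a same-origin client; the paired cookie token
    // is written to the response by GetAndStoreTokens.
    [HttpGet("token")]
    public IActionResult GetToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Ok(new { token = tokens.RequestToken });
    }

    // Same shape as the repro in the issue, with an explicit fail-closed check.
    [HttpPost("upload")]
    [RequireAntiforgeryToken]
    public IActionResult Upload([FromForm] IFormFile file)
    {
        if (!AntiforgeryPassed()) return BadRequest("Antiforgery validation failed.");
        return Ok(new { file.FileName, file.Length });
    }

    [HttpPost("data")]
    [RequireAntiforgeryToken]
    public IActionResult PostData([FromForm] string data)
    {
        if (!AntiforgeryPassed()) return BadRequest("Antiforgery validation failed.");
        return Ok(new { data });
    }

    // Fails closed: a null feature means the middleware never validated this request
    // (for example because the endpoint carried no recognised antiforgery metadata),
    // and IsValid == false means the token pair did not match.
    private bool AntiforgeryPassed()
    {
        IAntiforgeryValidationFeature? feature =
            HttpContext.Features.Get<IAntiforgeryValidationFeature>();
        return feature is { IsValid: true };
    }
}
```

A client first calls `GET /api/example/token`, then sends the returned value in the `X-CSRF-TOKEN` header on the `POST` requests; a `POST` without that header, or with a token that does not match the cookie, is answered with 400. Reading the feature in the action (rather than trusting the attribute alone) is the check that makes the protection observable in a test, which is also the evidence worth attaching when asking an analyzer to recognise a new attribute.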