More configurable CSRF diagnostic proposal #127
Conversation
…ble, combine Core and Mvc diagnostics using new flexibility, add conditional support, and add a test that demonstrates how to use new flexibility to check an attribute based routing style based on the Stack Overflow codebase.
…, rather than (or in additon to) a base class.
|
I held off on consolidating condition parsing (and bringing boolean conditions to Behaviors) as part of this, since it's already a big-ish proposal. It's kind of an obvious next step though. |
|
Hey, I didn't review it yet. But in general:
Regarding the format, if I understand correctly you need two same How about introducing an optional |
|
|
SecurityCodeScan/Analyzers/Taint/CodeEvaluation/CSharpCodeEvaluation.cs
Outdated
Show resolved
Hide resolved
SecurityCodeScan/Analyzers/Taint/CodeEvaluation/CSharpCodeEvaluation.cs
Outdated
Show resolved
Hide resolved
|
I'll try to add more tests to improve existing analyzer coverage. |
…usly instead of `continue` when iterating through methods.
…attribute is proportional to the number of conditions attached to it
…so it's easier to fix some regressions
|
Ok, I've got all tests passing. I reworked the logic in |
JarLob
left a comment
JarLob
left a comment
There was a problem hiding this comment.
Good work! Just some renaming is needed I think.
SecurityCodeScan/Config/Main.yml
Outdated
| IgnoreAttributes: | ||
| - AttributeName: Microsoft.AspNetCore.Mvc.IgnoreAntiforgeryTokenAttribute | ||
| - AttributeName: Microsoft.AspNetCore.Mvc.FromBodyAttribute | ||
| AllowAnonymousAttributes: |
There was a problem hiding this comment.
It works, but the name of the section AllowAnonymousAttributes looks confusing with a ApiController name under it. Not sure how to name it. AllowAnonymousAttribute hints that vulnerabilities in the controller/action doesn't matter because user identity is not used, while ApiControllerAttribute just makes actions hardly vulnerable by default. However there is IgnoreAttributes section already.
There was a problem hiding this comment.
Maybe changing both VulnerableAttributes and AllowAnonymousAttributes would be clearer?
Perhaps VulnerableAttributes -> IdentityDependent and AllowAnonymousAttributes -> IdentityAgnostic?
I played around with combining Ignore and AllowAnonymous too, but they do have slightly different semantics.
|
I tried to simplify the format and implementation even further, moved auditing rules into configuration itself. Please see if it fits your needs. |
|
Since all the tests pass I assume it fits your needs. Sorry that it took so many commits, but in the end I believe we have much flexible, clear and easier to maintain analyzer. Also a bug was fixed on the way :) I'm going to merge it tomorrow. |
|
I just got back from a short vacation, sorry for delay in responding. If the test pass, it'll probably work for us. I'll spend some time today verifying. I think the new format looks much nicer than what I had. |
|
Confirming, this works for the actual Stack Overflow projects. |
* Change configuration of csrf protection to be considerably more flexible, combine Core and Mvc diagnostics using new flexibility, add conditional support, and add a test that demonstrates how to use new flexibility to check an attribute based routing style based on the Stack Overflow codebase. * Support XSRF configurations that use an attribute to annotate actions, rather than (or in addition to) a base class. * Cover the case when first class member is not a method. * CSRF FromForm test added. * CSRF test for Audit when ApiController is applied on the class. * Few more CSRF tests to cover the cases when `return` was done erroneously instead of `continue` when iterating through methods. * Refactor CSRF rules format
2 participants
Draft PR, as this is proposing configuration changes and I'm sure there's gonna be some tweaks requested.
There are also some TODOs left, that I won't address until the general direction of this change is agreed upon.
Background
The Stack Overflow code base uses Attribute Based Routing, and has deviated considerably from the ASP.NET MVC defaults. Some of this is for good reason, and some of it is because our code dates back to the beta release of MVC 1, and we just made different choices than Microsoft over the years.
Some of our deviations are:
An example:
This proposal seeks to add the flexibility we need, while keeping the out-of-the-box behavior of Security Code Scan unchanged.
Change
This replaces
CsrfProtectionAttributeswithCsrfProtection, which exposes many new options that replace the hardcoded type names in the current analyzers.Namely,
CsrfProtectionexposes:Each attribute collection is made up of:
Conditions are similar to Conditions on Behaviors, except they apply only to attribute constructors and named arguments (which are actually property setters) and the "then" branch is implicitly "consider this attribute" and thus not specified.
In
Main.ymlthe declarations for ASP.NET MVC and ASP.NET Core MVC have been converted to this new format, and the format has been documented.As a consequence of moving hardcoded values into
Main.yml, this change also merged the two different analyzers into a singleCsrfTokenDiagnosticAnalyzer.A test has been added that demonstrates the Stack Overflow-style of routing, which illustrates the use of conditions.
All tests are passing locally.
Questions
Is a proposal in this vein acceptable?
How should the configuration section be structured? I don't love what's in this proposal, it's just adequate for my purposes.
What names should be used for configuration? I just kind of made them up as I went along, or based them on the hardcoded variable names in the existing analyzers.
How should removing/replacing the existing configs be done? It's easy enough to port them, but having two ways to configure CSRF protection may not be desirable.
Is there any additional flexibility that should be included as part of this change?