Comments (5)
@JarLob thanks for the well explained response. I didn't know about the Error List ... indicating it was still analyzing, so that will be helpful going forward.
I'm personally trying to research the most pragmatic way to add CSRF to this Angular 1.x app. They chose to use the apiController, not so outside sources could call the api, but solely for GET and POST operation from this single page app done in TypeScript. I'm going to experiment and try adding an HttpFilterCollection (https://stackoverflow.com/questions/32460196/angularjs-web-api-antiforgerytoken-csrf) and see how that does or doesn't work. You can mark this as closed, and I'll report back, just to spread the knowledge. 🏫 😃
from security-code-scan.
Okay, so as I was typing this up, I just went back in and now I have stuff. Not sure if rebuild took a while, as I wasn't watching, or Roslyn was slow, but after about 2 minutes from build, now I'm seeing stuff
from security-code-scan.
A few questions:
- Is this lag normal?
- Do you know if a VS2017 reboot is needed after setting [x] “Enable full solution analysis” ?
- Does this tool not work on System.Web.Http.ApiController ?
This thing seems really cool. I'm grateful for the work you've put in on it! I'm just trying to make it clear for others who install it how to a) get it functional b) what limitations it has for scanning certain controller types.
from security-code-scan.
- The lag depends on the size of the solution. I wouldn't say it's normal. On my computer it is usually much faster. But sometimes projects in the solution tree take a long time to load. There is an indicator for that...
  Analyzers also have a non-intuitive progress indicator: if there are three dots next to Error List it means some analyzer is still working. Keep in mind that different analyzer extensions run one by one and some other extension may slow down overall progress...
- My experiments show that it is not needed.
- The CSRF analyzer doesn't check for System.Web.Http.ApiController because it looks for System.Web.Mvc.HttpPostAttribute or Microsoft.AspNetCore.Mvc.HttpPostAttribute. Correct me if I'm wrong, but MVC ValidateAntiForgeryTokenAttribute is supposed to be used with MVC. While it is possible to use the attribute in WebApi methods, it breaks the usage of the WebApi from non-MVC pages. As far as I understand, common practice is to require an auth token to be passed in a custom header to the WebApi method. Unlike a cookie, it is not added automatically, thus making such an API immune to CSRF.
from security-code-scan.
I ended up combining https://stackoverflow.com/questions/32460196/angularjs-web-api-antiforgerytoken-csrf/32460197#32460197 and https://stackoverflow.com/questions/11725988/problems-implementing-validatingantiforgerytoken-attribute-for-web-api-with-mvc/16092115#16092115 to build a custom ActionFilterAttribute for ApiControllers, for anyone who stumbles upon this later.
from security-code-scan.
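As an added example (not code from this thread, from the linked Stack Overflow answers, or from the Security Code Scan project), here is one way to build the custom ActionFilterAttribute for ApiControllers that the last comment describes, using the header-token approach the maintainer outlines: the browser attaches the HttpOnly anti-forgery cookie on its own, while the second half of the token must arrive in a request header that only script running on the application's own origin can set. The class names `ValidateApiAntiForgeryTokenAttribute` and `AntiForgeryTokens`, the `XSRF-TOKEN` cookie / `X-XSRF-TOKEN` header pairing (the AngularJS `$http` default), and the `Issue` endpoint shape are assumptions about the application; `AntiForgery.Validate`, `AntiForgery.GetTokens` and `AntiForgeryConfig.CookieName` are the existing System.Web.Helpers APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Mvc; // HttpAntiForgeryException lives here (System.Web.WebPages.dll)

// Added example, not the project's code: a Web API 2 action filter that validates an
// anti-forgery token pair for ApiController actions. The cookie half is sent automatically
// by the browser; the header half must be added by the single-page app's own script.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ValidateApiAntiForgeryTokenAttribute : ActionFilterAttribute
{
    // Assumed header name: what AngularJS $http sends when it finds an XSRF-TOKEN cookie.
    private const string HeaderName = "X-XSRF-TOKEN";

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // Only state-changing verbs need the check; GET/HEAD/OPTIONS are left alone so
        // the API remains usable from plain links and preflight requests.
        if (request.Method == HttpMethod.Get ||
            request.Method == HttpMethod.Head ||
            request.Method == HttpMethod.Options)
        {
            return;
        }

        // Cookie half, under the name System.Web.Helpers actually uses for this app
        // (it may carry an application-path suffix, so never hard-code it).
        string cookieName = AntiForgeryConfig.CookieName;
        string cookieToken = request.Headers.GetCookies(cookieName)
            .Select(c => c[cookieName].Value)
            .FirstOrDefault();

        // Header half, copied by the SPA from the readable XSRF-TOKEN cookie.
        string headerToken = request.Headers.TryGetValues(HeaderName, out IEnumerable<string> values)
            ? values.FirstOrDefault()
            : null;

        try
        {
            // Throws when either half is missing, malformed, or the pair does not match.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Short-circuit the pipeline; the action never runs.
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery token validation failed.");
        }
    }
}

// Added helper (assumed name): issues a fresh token pair for the SPA to pick up. Call it
// from a GET endpoint the app hits once at startup, or set the same two cookies from the
// MVC page that serves the app shell.
public static class AntiForgeryTokens
{
    public static HttpResponseMessage Issue(HttpRequestMessage request)
    {
        string cookieName = AntiForgeryConfig.CookieName;
        string oldCookieToken = request.Headers.GetCookies(cookieName)
            .Select(c => c[cookieName].Value)
            .FirstOrDefault();

        // newCookieToken is null when the existing cookie half is still valid.
        AntiForgery.GetTokens(oldCookieToken, out string newCookieToken, out string newFormToken);

        bool isHttps = request.RequestUri.Scheme == Uri.UriSchemeHttps;
        var cookies = new List<CookieHeaderValue>();
        if (newCookieToken != null)
        {
            // HttpOnly: script cannot read it, so a cross-site page cannot forge the header half from it.
            cookies.Add(new CookieHeaderValue(cookieName, newCookieToken)
            {
                HttpOnly = true, Secure = isHttps, Path = "/"
            });
        }
        // Readable by script on our origin only; AngularJS copies it into X-XSRF-TOKEN.
        cookies.Add(new CookieHeaderValue("XSRF-TOKEN", newFormToken)
        {
            HttpOnly = false, Secure = isHttps, Path = "/"
        });

        HttpResponseMessage response = request.CreateResponse(HttpStatusCode.NoContent);
        response.Headers.AddCookies(cookies);
        return response;
    }
}
```

Apply `[ValidateApiAntiForgeryToken]` to the ApiController class or to its POST actions. Note that, as the maintainer explains above, Security Code Scan's CSRF check only recognises the MVC and ASP.NET Core HttpPost attributes, so it will neither flag an unprotected ApiController action nor credit this filter; the protection has to be verified by review and tests rather than by the analyzer.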