-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
Copy pathMissingAntiForgeryTokenValidation.ql
65 lines (59 loc) · 2.52 KB
/
MissingAntiForgeryTokenValidation.ql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/**
* @name Missing cross-site request forgery token validation
* @description Handling a POST request without verifying that the request came from the user
* allows a malicious attacker to submit a request on behalf of the user.
* @kind problem
* @problem.severity error
* @security-severity 8.8
* @precision high
* @id cs/web/missing-token-validation
* @tags security
* external/cwe/cwe-352
*/
import csharp
import semmle.code.csharp.frameworks.system.Web
import semmle.code.csharp.frameworks.system.web.Helpers
import semmle.code.csharp.frameworks.system.web.Mvc
private Method getAValidatingMethod() {
result = any(AntiForgeryClass a).getValidateMethod()
or
result.calls(getAValidatingMethod())
}
/** An `AuthorizationFilter` that calls the `AntiForgery.Validate` method. */
class AntiForgeryAuthorizationFilter extends AuthorizationFilter {
AntiForgeryAuthorizationFilter() { this.getOnAuthorizationMethod() = getAValidatingMethod() }
}
private Method getAStartedMethod() {
result = any(WebApplication wa).getApplication_StartMethod()
or
getAStartedMethod().calls(result)
}
/**
* Holds if the project has a global anti forgery filter.
*/
predicate hasGlobalAntiForgeryFilter() {
// A global filter added
exists(MethodCall addGlobalFilter |
// addGlobalFilter adds a filter to the global filter collection
addGlobalFilter.getTarget() = any(GlobalFilterCollection gfc).getAddMethod() and
// The filter is an antiforgery filter
addGlobalFilter.getArgumentForName("filter").getType() instanceof AntiForgeryAuthorizationFilter and
// The filter is added by the Application_Start() method
getAStartedMethod() = addGlobalFilter.getEnclosingCallable()
)
}
from Controller c, Method postMethod
where
postMethod = c.getAPostActionMethod() and
// The method is not protected by a validate anti forgery token attribute
not postMethod.getAnAttribute() instanceof ValidateAntiForgeryTokenAttribute and
not c.getAnAttribute() instanceof ValidateAntiForgeryTokenAttribute and
// Verify that validate anti forgery token attributes are used somewhere within this project, to
// avoid reporting false positives on projects that use an alternative approach to mitigate CSRF
// issues.
exists(ValidateAntiForgeryTokenAttribute a, Element e | e = a.getTarget()) and
// Also ignore cases where a global anti forgery filter is in use.
not hasGlobalAntiForgeryFilter()
select postMethod,
"Method '" + postMethod.getName() +
"' handles a POST request without performing CSRF token validation."