
What am I supposed to see if the install worked in VS2017 #5

Closed
ericop opened this issue Mar 6, 2018 · 5 comments

Comments


ericop commented Mar 6, 2018

I downloaded and installed your extension from https://marketplace.visualstudio.com/items?itemName=JaroslavLobacevski.SecurityCodeScan after hearing about it on https://marketplace.visualstudio.com/items?itemName=PhilippeArteau.RoslynSecurityGuard
What I've done so far:

  • I reopened VS2017 and my solution in it
  • I blindly added `<AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>` to my .csproj
  • I checked [x] Editor > C# (or Basic) > Advanced > “Enable full solution analysis”
  • I did a rebuild (noticed nothing; I know my app has XSS and CSRF issues since I've only partially covered my `public class ServicesController : ApiController` `[HttpPost]`s with `[AntiForgeryToken]`)
  • I rebooted VS2017 and did another build, still nothing in Error List.

Did I miss something?


ericop commented Mar 6, 2018

Okay, so as I was typing this up, I just went back in and now I have stuff. Not sure if the rebuild took a while, as I wasn't watching, or Roslyn was slow, but about 2 minutes after the build I'm now seeing stuff.
[screenshot: snip_2018-03-06 13h57m52s]


ericop commented Mar 6, 2018

Few Questions:

  1. Is this lag normal?
  2. Do you know if a VS2017 reboot is needed after setting [x] “Enable full solution analysis” ?
  3. Does this tool not work on System.Web.Http.ApiController ?

This thing seems really cool. I'm grateful for the work you've put in on it! I'm just trying to make it clear for others who install it how to a) get it functional b) what limitations it has for scanning certain controller types.


JarLob commented Mar 7, 2018

  1. The lag depends on the size of the solution. I wouldn't say it's normal. On my computer it is usually much faster. But sometimes projects in the solution tree take a long time to load. There is an indicator for that...
    [screenshot]
    Analyzers also have a non-intuitive progress indicator:
    [screenshot]
    If there are three dots next to Error List it means some analyzer is still working. Keep in mind that different analyzer extensions run one by one, and some other extension may slow down overall progress...

  2. My experiments show that it is not needed.

  3. The CSRF analyzer doesn't check for System.Web.Http.ApiController because it looks for System.Web.Mvc.HttpPostAttribute or Microsoft.AspNetCore.Mvc.HttpPostAttribute. Correct me if I'm wrong, but MVC's ValidateAntiForgeryTokenAttribute is supposed to be used with MVC. While it is possible to use the attribute in WebApi methods, it breaks the usage of the WebApi from non-MVC pages. As far as I understand, common practice is to require an auth token to be passed in a custom header to the WebApi method. Unlike a cookie, it is not added automatically, thus making such an API immune to CSRF.


ericop commented Mar 8, 2018

@JarLob thanks for the well explained response. I didn't know about the Error List ... indicating it was still analyzing, so that will be helpful going forward.

I'm personally trying to research the most pragmatic way to add CSRF protection to this Angular 1.x app. They chose to use ApiController, not so outside sources could call the API, but solely for GET and POST operations from this single page app done in TypeScript. I'm going to experiment and try adding an HttpFilterCollection (https://stackoverflow.com/questions/32460196/angularjs-web-api-antiforgerytoken-csrf) and see how that does or doesn't work. You can mark this as closed, and I'll report back, just to spread the knowledge. 🏫 😃
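The header-token approach JarLob describes in point 3, wired up the way ericop proposes (a Web API filter registered on the global HttpFilterCollection), as an added example. This is not code from the Security Code Scan project or from either participant; the class names, the `X-XSRF-TOKEN` header (Angular 1.x's default: `$http` copies the `XSRF-TOKEN` cookie into that header on same-origin requests), and the assumption that the API is hosted in IIS/System.Web (AntiForgery needs HttpContext.Current) are all assumptions of the example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Helpers;          // AntiForgery, AntiForgeryConfig (System.Web.WebPages)
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace CsrfHeaderExample           // hypothetical namespace
{
    // Hands the SPA a token pair: the antiforgery cookie stays HttpOnly, the "form" half goes
    // into a readable XSRF-TOKEN cookie so Angular can echo it back as an X-XSRF-TOKEN header.
    public class AntiForgeryTokenController : ApiController
    {
        [System.Web.Http.HttpGet]
        public HttpResponseMessage Get()
        {
            string cookieToken, formToken;
            AntiForgery.GetTokens(null, out cookieToken, out formToken);

            var response = Request.CreateResponse(HttpStatusCode.NoContent);
            response.Headers.AddCookies(new[]
            {
                new CookieHeaderValue(AntiForgeryConfig.CookieName, cookieToken) { HttpOnly = true, Secure = true, Path = "/" },
                new CookieHeaderValue("XSRF-TOKEN", formToken) { HttpOnly = false, Secure = true, Path = "/" },
            });
            return response;
        }
    }

    // Web API (System.Web.Http) filter: rejects state-changing requests unless the browser-sent
    // header token and the HttpOnly cookie token form a valid pair for the current user.
    // A cross-site page can make the browser attach the cookie, but cannot read it to set the header.
    public class ValidateAntiForgeryHeaderAttribute : ActionFilterAttribute
    {
        private const string HeaderName = "X-XSRF-TOKEN";

        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            var request = actionContext.Request;
            var method = request.Method;
            if (method == HttpMethod.Get || method == HttpMethod.Head || method == HttpMethod.Options)
                return; // safe methods carry no side effects; only POST/PUT/DELETE/PATCH are checked

            string cookieToken = request.Headers
                .GetCookies(AntiForgeryConfig.CookieName)
                .Select(c => c[AntiForgeryConfig.CookieName])
                .Where(state => state != null)
                .Select(state => state.Value)
                .FirstOrDefault();

            string headerToken = null;
            IEnumerable<string> headerValues;
            if (request.Headers.TryGetValues(HeaderName, out headerValues))
                headerToken = headerValues.FirstOrDefault();

            try
            {
                // Throws if either token is missing, the pair does not match, or the pair was
                // minted for a different identity than the one on this request.
                AntiForgery.Validate(cookieToken, headerToken);
            }
            catch (System.Web.Mvc.HttpAntiForgeryException ex)
            {
                actionContext.Response = request.CreateErrorResponse(
                    HttpStatusCode.Forbidden, "Anti-forgery token validation failed: " + ex.Message);
            }
        }
    }

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // Global filter on the HttpFilterCollection: every ApiController action is covered,
            // not only the ones someone remembered to attribute.
            config.Filters.Add(new ValidateAntiForgeryHeaderAttribute());
            config.MapHttpAttributeRoutes();
        }
    }
}
```

Two caveats a reviewer would want on record. First, this does not change what Security Code Scan reports: per point 3 above the CSRF rule keys on the MVC and ASP.NET Core `HttpPost` attributes, so ApiController actions are silent whether or not this filter is registered; the coverage has to be checked by hand or by a test that POSTs without the header and expects 403. Second, `Secure = true` assumes the app is served over HTTPS; without it the XSRF-TOKEN cookie is readable on the wire, and `HttpOnly = true` on the antiforgery cookie is what keeps a script injection (the XSS ericop mentions) from trivially exporting the full pair.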

@JarLob JarLob closed this as completed Mar 8, 2018

ericop commented Mar 9, 2018
