More configurable CSRF diagnostic proposal #127
Draft PR, as this is proposing configuration changes and I'm sure there's gonna be some tweaks requested.
There are also some TODOs left, that I won't address until the general direction of this change is agreed upon.
The Stack Overflow code base uses Attribute Based Routing, and has deviated considerably from the ASP.NET MVC defaults. Some of this is for good reason, and some of it is because our code dates back to the beta release of MVC 1, and we just made different choices than Microsoft over the years.
Some of our deviations are:
This proposal seeks to add the flexibility we need, while keeping the out-of-the-box behavior of Security Code Scan unchanged.
Each attribute collection is made up of:
Conditions are similar to Conditions on Behaviors, except they apply only to attribute constructors and named arguments (which are actually property setters) and the "then" branch is implicitly "consider this attribute" and thus not specified.
As a consequence of moving hardcoded values into
A test has been added that demonstrates the Stack Overflow style of routing, which illustrates the use of conditions.
All tests are passing locally.
Hey, I didn't review it yet. But in general:
Regarding the format, if I understand correctly you need two same
How about introducing an optional
* Change configuration of csrf protection to be considerably more flexible, combine Core and Mvc diagnostics using new flexibility, add conditional support, and add a test that demonstrates how to use new flexibility to check an attribute based routing style based on the Stack Overflow codebase.
* Support XSRF configurations that use an attribute to annotate actions, rather than (or in addition to) a base class.
* Cover the case when first class member is not a method.
* CSRF FromForm test added.
* CSRF test for Audit when ApiController is applied on the class.
* Few more CSRF tests to cover the cases when `return` was done erroneously instead of `continue` when iterating through methods.
* Refactor CSRF rules format