gitlab.security_code_scan.SCS0017-1
By using the [ValidateInput(false)]
attribute in a controller
class, the application will disable request validation for that
method. This disables ASP.NET from examining requests for injection
attacks such as Cross-Site-Scripting (XSS).
If possible, re-enable validation by using ValidateInput(true)
.
In some cases this may not be possible, in which case ensure how the
request data used is validated and this method does not
output user input directly into the view.
For more information on protecting ASP.NET Core applications from XSS see: https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting
Example of enabling ValidateInput
attribute:
class ControllerClass
{
[ValidateInput(true)]
public void SomeActionMethod()
{
}
}
For more information on ASP.NET request validation see OWASP: https://owasp.org/www-community/ASP-NET_Request_Validation
Run Locally
Run in CI
Defintion
rules:
- id: security_code_scan.SCS0017-1
languages:
- csharp
patterns:
- pattern: |
[ValidateInput(false)]
public $RET $FOO(...)
{
...
}
message: >
By using the `[ValidateInput(false)]` attribute in a controller
class, the application will disable request validation for that
method. This disables ASP.NET from examining requests for injection
attacks such as Cross-Site-Scripting (XSS).
If possible, re-enable validation by using `ValidateInput(true)`.
In some cases this may not be possible, in which case ensure how the
request data used is validated and this method does not
output user input directly into the view.
For more information on protecting ASP.NET Core applications from XSS see:
https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting
Example of enabling `ValidateInput` attribute:
```
class ControllerClass
{
[ValidateInput(true)]
public void SomeActionMethod()
{
}
}
```
For more information on ASP.NET request validation see OWASP:
https://owasp.org/www-community/ASP-NET_Request_Validation
severity: WARNING
metadata:
shortDescription: ASP.NET input validation disabled
category: security
cwe: CWE-554
primary_identifier: security_code_scan.SCS0017-1
secondary_identifiers:
- name: SCS0017
type: security_code_scan_rule_id
value: SCS0017
license: MIT
vulnerability_class:
- Other