gitlab.security_code_scan.SCS0017-1

unknown
Download Count*
License

By using the [ValidateInput(false)] attribute in a controller class, the application will disable request validation for that method. This disables ASP.NET from examining requests for injection attacks such as Cross-Site-Scripting (XSS).

If possible, re-enable validation by using ValidateInput(true). In some cases this may not be possible, in which case ensure how the request data used is validated and this method does not output user input directly into the view.

For more information on protecting ASP.NET Core applications from XSS see: https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting

Example of enabling ValidateInput attribute:

class ControllerClass
{
    [ValidateInput(true)]
    public void SomeActionMethod()
    {
    }
}

For more information on ASP.NET request validation see OWASP: https://owasp.org/www-community/ASP-NET_Request_Validation

Run Locally

Run in CI

Defintion

rules:
  - id: security_code_scan.SCS0017-1
    languages:
      - csharp
    patterns:
      - pattern: |
          [ValidateInput(false)]
          public $RET $FOO(...)
          {
            ...
          }
    message: >
      By using the `[ValidateInput(false)]` attribute in a controller

      class, the application will disable request validation for that

      method. This disables ASP.NET from examining requests for injection

      attacks such as Cross-Site-Scripting (XSS).


      If possible, re-enable validation by using `ValidateInput(true)`.

      In some cases this may not be possible, in which case ensure how the

      request data used is validated and this method does not

      output user input directly into the view.


      For more information on protecting ASP.NET Core applications from XSS see:

      https://learn.microsoft.com/en-us/aspnet/core/security/cross-site-scripting


      Example of enabling `ValidateInput` attribute:

      ```

      class ControllerClass

      {
          [ValidateInput(true)]
          public void SomeActionMethod()
          {
          }
      }

      ```


      For more information on ASP.NET request validation see OWASP:

      https://owasp.org/www-community/ASP-NET_Request_Validation
    severity: WARNING
    metadata:
      shortDescription: ASP.NET input validation disabled
      category: security
      cwe: CWE-554
      primary_identifier: security_code_scan.SCS0017-1
      secondary_identifiers:
        - name: SCS0017
          type: security_code_scan_rule_id
          value: SCS0017
      license: MIT
      vulnerability_class:
        - Other