Environment:
- Version: 5.6.7
- Branch:
- Installation/Running method:
- Operating System:
Describe the bug
False positive for SCS0016: Controller method is potentially vulnerable to Cross Site Request Forgery (CSRF)
The older [ValidateAntiforgeryToken] and [AutoValidateAntiforgeryToken] attributes are only valid on MVC controllers (controllers with views, Razor forms, etc.). The only technology available to validate antiforgery on API controllers is a new, undocumented attribute (as of .NET 8.0): [RequireAntiforgeryValidation].
Repro

```csharp
using Microsoft.AspNetCore.Antiforgery; // RequireAntiforgeryTokenAttribute (.NET 8)
using Microsoft.AspNetCore.Http;        // IFormFile
using Microsoft.AspNetCore.Mvc;         // ApiController, ControllerBase, HttpPost, FromForm

[ApiController]
public class ExampleController : ControllerBase
{
    // Both actions bind form data and carry the .NET 8 antiforgery attribute; SCS0016 is reported on each.
    [HttpPost][RequireAntiforgeryToken] public void Post([FromForm] IFormFile file) { } // SCS0016
    [HttpPost][RequireAntiforgeryToken] public void Post([FromForm] string data) { }   // SCS0016
}
```
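A triage script, added here as an example and not part of the original report or of Security Code Scan's own code. It re-implements the gist of SCS0016 as the report describes it (flag a state-changing action that binds form data unless an antiforgery attribute is present) and runs it over a constructed copy of the reporter's snippet plus two constructed variants, once with the attribute list the report shows the rule accepting and once with RequireAntiforgeryToken added. The attribute allowlists, the verb set and the form-binding heuristic are assumptions about the rule, not the analyzer's actual implementation; the point is to show which findings are the false positive reported above and which would still stand once the new attribute is accepted.

```python
import re
from dataclasses import dataclass

# Attribute names the report above shows SCS0016 accepting as CSRF mitigations
# (assumption: the real allowlist lives in the Security Code Scan sources).
SCS_ACCEPTED = {"ValidateAntiForgeryToken", "ValidateAntiforgeryToken", "AutoValidateAntiforgeryToken"}
# The same list with the .NET 8 attribute used in the repro (assumption: this is the fix being asked for).
NET8_ACCEPTED = SCS_ACCEPTED | {"RequireAntiforgeryToken"}
# Verbs a cross-site request can use to change state (assumption: SCS0016 looks at these).
MUTATING_VERBS = {"HttpPost", "HttpPut", "HttpDelete", "HttpPatch"}

# Parameters bound from a form body. A plain cross-site <form> post reaches these, carries the
# victim's cookies and needs no CORS preflight, which is why antiforgery matters here.
FORM_BOUND = re.compile(r"\[FromForm\]|\bIFormFile\b|\bIFormFileCollection\b|\bIFormCollection\b")
ATTR_NAME = re.compile(r"\[\s*([A-Za-z_]\w*)")
# One attribute, allowing one level of nested brackets such as [Route("api/[controller]")].
_ATTR = r"\[(?:[^\[\]]|\[[^\[\]]*\])*\]"
# One or more attributes followed by a public method signature: `[A] [B] public T Name(params)`.
METHOD = re.compile(r"((?:" + _ATTR + r"\s*)+)public\s+(?:async\s+)?[\w<>\[\],\s]+?\s+(\w+)\s*\(([^)]*)\)")


@dataclass(frozen=True)
class Finding:
    method: str
    antiforgery: tuple[str, ...]    # antiforgery attributes actually present (method or class level)
    flagged_by_scs: bool            # what SCS0016 reports with the allowlist seen in the report
    flagged_once_net8_known: bool   # the same rule once RequireAntiforgeryToken is accepted


def scan(source: str) -> list[Finding]:
    """Apply the SCS0016-style heuristic to one controller class given as C# source text."""
    cls = re.search(r"\bclass\s+\w+", source)
    class_attrs = set(ATTR_NAME.findall(source[: cls.start()])) if cls else set()
    findings = []
    for m in METHOD.finditer(source):
        attrs = set(ATTR_NAME.findall(m.group(1))) | class_attrs  # class-level attributes apply to every action
        name, params = m.group(2), m.group(3)
        if not (attrs & MUTATING_VERBS) or not FORM_BOUND.search(params):
            continue  # read-only verb, or not reachable by a form post: out of scope for the rule
        findings.append(Finding(
            method=name,
            antiforgery=tuple(sorted(attrs & NET8_ACCEPTED)),
            flagged_by_scs=not (attrs & SCS_ACCEPTED),
            flagged_once_net8_known=not (attrs & NET8_ACCEPTED),
        ))
    return findings


def false_positives(findings: list[Finding]) -> list[str]:
    """Methods SCS0016 reports today that drop out once RequireAntiforgeryToken is accepted."""
    return [f.method for f in findings if f.flagged_by_scs and not f.flagged_once_net8_known]


# Constructed copy of the reporter's snippet.
REPORTED_CONTROLLER = """
[ApiController]
public class ExampleController : ControllerBase
{
    [HttpPost][RequireAntiforgeryToken] public void Post([FromForm] IFormFile file) { }
    [HttpPost][RequireAntiforgeryToken] public void Post([FromForm] string data) { }
}
"""

# Constructed variant: one classic-attribute action, one JSON action, one genuinely unprotected action.
MIXED_CONTROLLER = """
[ApiController]
[Route("api/[controller]")]
public class UploadController : ControllerBase
{
    [HttpPost("legacy")]
    [ValidateAntiForgeryToken]
    public IActionResult Legacy([FromForm] string data) => Ok();

    [HttpPost("json")]
    public IActionResult Json([FromBody] string data) => Ok();   // not form-bound: no finding

    [HttpPost("bare")]
    public IActionResult Bare([FromForm] IFormFile file) => Ok(); // true positive
}
"""

# Constructed variant: antiforgery enforced at class level.
CLASS_LEVEL_CONTROLLER = """
[ApiController]
[AutoValidateAntiforgeryToken]
public class SafeController : ControllerBase
{
    [HttpPost] public void Post([FromForm] string data) { }
}
"""

if __name__ == "__main__":
    for src in (REPORTED_CONTROLLER, MIXED_CONTROLLER, CLASS_LEVEL_CONTROLLER):
        for finding in scan(src):
            print(finding)
```

Running it lists the two `Post` overloads from the repro as findings that only the RequireAntiforgeryToken-unaware allowlist flags, leaves `Legacy` and the class-level `Post` unflagged under both lists, and keeps `Bare` as a finding under both, which is the one a reviewer should still act on.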