Please follow this template to help us specify this new rule:
- description of the Rule. By default, the Model-View-Controller (MVC) framework treats all public methods of a controller class as action methods. If your controller class contains a public method and you do not want it to be an action method, you must mark that method with the NonActionAttribute. If you fail to do so, the method will be exposed for direct access. (Security Hotspots)
- snippet of Noncompliant Code
// Public method on a controller without [NonAction]: MVC treats it as an action method.
public void DoSomething()
{
    // Method logic.
}
- snippet of Compliant Code (fixing the above noncompliant code)
// [NonAction] stops MVC from exposing the public method as an action.
[NonAction]
public void DoSomething()
{
    // Method logic.
}
- external references and/or language specifications - Controllers and Action Methods in ASP.NET MVC Applications | Microsoft Learn
- type : Security Hotspot
- Tags
- If the rule is a Security Hotspot, it should ask the developer to review a security sensitive piece of code. It should raise a reasonable number of issues so that developers don’t feel overwhelmed. The goal in this case is to guide code reviews.
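
One way the check proposed above could be prototyped on syntax alone, as an added example that is not part of the original post and not SonarSource's implementation. It assumes controllers are named `*Controller` and that intended actions return a `*Result` type (a heuristic to keep the issue count reasonable); `NonActionHotspot`, `Find` and the sample controller are hypothetical names, and the code needs the Microsoft.CodeAnalysis.CSharp NuGet package.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public static class NonActionHotspot
{
    // Returns "Class.Method" for each public instance method that MVC would
    // expose as an action but that does not look like an intended one.
    public static IEnumerable<string> Find(string source)
    {
        var root = CSharpSyntaxTree.ParseText(source).GetRoot();
        foreach (var cls in root.DescendantNodes().OfType<ClassDeclarationSyntax>())
        {
            // Assumption: controllers follow the "*Controller" naming convention.
            if (!cls.Identifier.Text.EndsWith("Controller")) continue;
            foreach (var m in cls.Members.OfType<MethodDeclarationSyntax>())
            {
                bool isPublic = m.Modifiers.Any(t => t.IsKind(SyntaxKind.PublicKeyword));
                bool isStatic = m.Modifiers.Any(t => t.IsKind(SyntaxKind.StaticKeyword));
                bool hasNonAction = m.AttributeLists
                    .SelectMany(l => l.Attributes)
                    .Select(a => a.Name.ToString())
                    .Any(n => n == "NonAction" || n == "NonActionAttribute");
                // Assumption: intended actions return some *Result type.
                bool looksLikeAction = m.ReturnType.ToString().Contains("Result");
                if (isPublic && !isStatic && !hasNonAction && !looksLikeAction)
                    yield return cls.Identifier.Text + "." + m.Identifier.Text;
            }
        }
    }

    public static void Main()
    {
        // Constructed sample input: only DoSomething should be reported.
        const string sample = @"
public class OrdersController : Controller
{
    public ActionResult Index() { return View(); }
    public void DoSomething() { }
    [NonAction] public void DoSomethingElse() { }
    private void Helper() { }
}";
        foreach (var hit in Find(sample))
            Console.WriteLine(hit + ": public method exposed as an action; review and mark [NonAction] if unintended");
    }
}
```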