New Rule: Use [AllowAnonymous] or [Authorize] not both

Unauthorized access is a security hot spot. Within .NET, both Minimal API and (API) controllers allow an option that grants anonymous access. As this precedes authorize instructions, the latter will not be taken into account, which most likely is a (security) bug. Hence the rule proposal.

Non-compliant

class Controller : ControllerBase
{
    [AllowAnonymous]
    [Authorize("math-wizard")] // Noncompliant {{Either choose AllowAnonymous or Authorize, but not both}}
    public int TheAnswer() => 42;
}

void Main()
{
    app.MapGet("/answer", () => 42)
        .AllowAnonymous()
        .RequireAuthorization(); // Noncompliant {{Either choose AllowAnonymous() or RequireAuthorization(), but not both}}
}

Compliant

class Controller : ControllerBase
{
    [AllowAnonymous]
    public int TheAnswer() => 42;
}

void Main()
{
    app.MapGet("/answer", () => 42)
        .AllowAnonymous();
}

or

class Controller : ControllerBase
{
    [Authorize("math-wizard")]
    public int TheAnswer() => 42;
}
void Main()
{
    app.MapGet("/answer", () => 42)
        .RequireAuthorization();
}
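The behaviour the proposal relies on can be checked end to end: ASP.NET Core's authorization middleware skips policy evaluation entirely when the endpoint carries IAllowAnonymous metadata, whatever the order of the calls. The following is an added example, not code from the proposal; it assumes a .NET 8 web project (implicit usings enabled) with the Microsoft.AspNetCore.TestHost package, and the "NoUser" scheme, Probe class and "math-wizard" claim check are names made up for the example.

```csharp
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Non-compliant shape: both conventions on one endpoint. AllowAnonymous wins,
// the "math-wizard" policy is never evaluated and the anonymous caller gets 200.
var both = await Probe.StatusForAnonymousCall(e => e.AllowAnonymous().RequireAuthorization("math-wizard"));
// Compliant shape: RequireAuthorization alone. The anonymous caller is challenged with 401.
var authorizeOnly = await Probe.StatusForAnonymousCall(e => e.RequireAuthorization("math-wizard"));
Console.WriteLine($"AllowAnonymous + RequireAuthorization: {both}");
Console.WriteLine($"RequireAuthorization only: {authorizeOnly}");

static class Probe
{
    // Hosts a throw-away in-memory app, maps /answer with the given conventions
    // and returns the HTTP status an unauthenticated request receives.
    public static async Task<int> StatusForAnonymousCall(Action<RouteHandlerBuilder> configure)
    {
        var builder = WebApplication.CreateBuilder();
        builder.WebHost.UseTestServer();
        builder.Services.AddAuthentication("NoUser")
            .AddScheme<AuthenticationSchemeOptions, NoUserHandler>("NoUser", _ => { });
        builder.Services.AddAuthorization(o =>
            o.AddPolicy("math-wizard", p => p.RequireClaim("wizard")));

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        configure(app.MapGet("/answer", () => 42));
        await app.StartAsync();

        using var client = app.GetTestClient();
        var status = (int)(await client.GetAsync("/answer")).StatusCode;
        await app.StopAsync();
        return status;
    }
}

// Authentication scheme that never produces a user, so every request is anonymous
// and a challenge falls through to the handler's default 401 response.
sealed class NoUserHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public NoUserHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger,
                         UrlEncoder encoder) : base(options, logger, encoder) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
        => Task.FromResult(AuthenticateResult.NoResult());
}
```

The same 200 result is obtained for a controller action carrying both [AllowAnonymous] and [Authorize], since both paths are short-circuited by the same IAllowAnonymous check in the authorization middleware.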

Hi @Corniel, that’s a really cool idea! We’ve been putting BOLA (broken object level authZ) issues for quite some time and this could be a nice one! I am adding this to our backlog!

Loris