Rule 'Disabling CSRF protections is security-sensitive' does not seem to be working

  • ALM used: Azure DevOps - Git
  • Languages of the repository: C# .Net MVC 4.8.1

This rule does not seem to be picking up issues: C# static code analysis

We have an example of a .Net framework MVC project (4.8.1) with unsafe http POST actions on the controller and no ValidateAntiforgeryToken attributes defined on the action, or globally (there is no global.cs) and neither on the cshtml view, yet when SonarCloud performs the scan no ‘Security Hotspots’ are flagged.

We have found this by running an alternative SAST tool (CAST) which identifies this issue correctly.

Is this because in SonarCloud the rule only applies to .Net Core MVC projects rather than .Net Framework MVC?
If not, can you suggest a way I can investigate why this is happening and how I can ensure this potential vulnerability can be detected?

Hey there.

We would ask that you provide code that reproduces the (lack of) issue where you would expect an issue to be raised (whether it is the original code or not). I’ve moved your post to the section on reporting false-negatives.

Hi @Colin , I have attached a sample app that demonstrates the issue. (4.1 MB)


Thank you for providing an example of code.

This rule detects when the anti-CSRF protection is actively disabled and thus, in the case of an .NET Framework application, it does not detect that by default it is unsafe.

OK, thanks @sebastien.andrivet. I assume therefore that Sonar does not have any other rules to detect this if it is unsafe by default.

We do not have such a rule for .NET Framework. I have created an internal ticket for this false negative. We will address it in the future but I can’t tell you when.

1 Like