Merge pull request #2178 from LingxiaChen/DoNotDisableRequestValidation

Do not disable request validation
dotnet · Mar 12, 2019 · 321600d · 321600d
2 parents f81963f + cfb5c4e
commit 321600d
Show file tree

Hide file tree

Showing 17 changed files with 435 additions and 0 deletions.
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotDisableRequestValidation.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotDisableRequestValidation.cs
@@ -0,0 +1,85 @@
+// Copyright (c) Microsoft.  All Rights Reserved.  Licensed under the Apache License, Version 2.0.  See License.txt in the project root for license information.
+
+using System.Collections.Immutable;
+using System.Linq;
+using Analyzer.Utilities;
+using Analyzer.Utilities.Extensions;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.Diagnostics;
+
+namespace Microsoft.NetCore.Analyzers.Security
+{
+    [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)]
+    public sealed class DoNotDisableRequestValidation : DiagnosticAnalyzer
+    {
+        internal const string DiagnosticId = "CA5363";
+        private static readonly LocalizableString s_Title = new LocalizableResourceString(
+            nameof(SystemSecurityCryptographyResources.DoNotDisableRequestValidation),
+            SystemSecurityCryptographyResources.ResourceManager,
+            typeof(SystemSecurityCryptographyResources));
+        private static readonly LocalizableString s_Message = new LocalizableResourceString(
+            nameof(SystemSecurityCryptographyResources.DoNotDisableRequestValidationMessage),
+            SystemSecurityCryptographyResources.ResourceManager,
+            typeof(SystemSecurityCryptographyResources));
+        private static readonly LocalizableString s_Description = new LocalizableResourceString(
+            nameof(SystemSecurityCryptographyResources.DoNotDisableRequestValidationDescription),
+            SystemSecurityCryptographyResources.ResourceManager,
+            typeof(SystemSecurityCryptographyResources));
+
+        internal static DiagnosticDescriptor Rule = new DiagnosticDescriptor(
+                DiagnosticId,
+                s_Title,
+                s_Message,
+                DiagnosticCategory.Security,
+                DiagnosticHelpers.DefaultDiagnosticSeverity,
+                isEnabledByDefault: DiagnosticHelpers.EnabledByDefaultIfNotBuildingVSIX,
+                description: s_Description,
+                helpLinkUri: null,
+                customTags: WellKnownDiagnosticTags.Telemetry);
+
+        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);
+
+        public override void Initialize(AnalysisContext context)
+        {
+            context.EnableConcurrentExecution();
+
+            // Security analyzer - analyze and report diagnostics on generated code.
+            context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
+
+            context.RegisterCompilationStartAction(
+                (CompilationStartAnalysisContext compilationStartAnalysisContext) =>
+                {
+                    var validateInputAttributeTypeSymbol = compilationStartAnalysisContext.Compilation.GetTypeByMetadataName(WellKnownTypeNames.SystemWebMvcValidateInputAttribute);
+
+                    if (validateInputAttributeTypeSymbol == null)
+                    {
+                        return;
+                    }
+
+                    compilationStartAnalysisContext.RegisterSymbolAction(
+                        (SymbolAnalysisContext symbolAnalysisContext) =>
+                        {
+                            var symbol = symbolAnalysisContext.Symbol;
+                            var attr = symbol.GetAttributes().FirstOrDefault(s => s.AttributeClass.Equals(validateInputAttributeTypeSymbol));
+
+                            if (attr == null)
+                            {
+                                return;
+                            }
+
+                            var constructorArguments = attr.ConstructorArguments;
+
+                            if (constructorArguments.Length == 1 &&
+                                constructorArguments[0].Kind == TypedConstantKind.Primitive &&
+                                constructorArguments[0].Value.Equals(false))
+                            {
+                                symbolAnalysisContext.ReportDiagnostic(
+                                    symbol.CreateDiagnostic(
+                                        Rule,
+                                        symbol.Name));
+                            }
+                        }, SymbolKind.Method, SymbolKind.NamedType);
+                });
+        }
+    }
+}
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx b/src/Microsoft.NetCore.Analyzers/Core/Security/SystemSecurityCryptographyResources.resx
@@ -144,6 +144,15 @@
   <data name="DoNotDisableCertificateValidationMessage" xml:space="preserve">
     <value>The ServerCertificateValidationCallback is set to a function that accepts any server certificate, by always returning true. Ensure that server certificates are validated to verify the identity of the server receiving requests.</value>
   </data>
+  <data name="DoNotDisableRequestValidation" xml:space="preserve">
+    <value>Do Not Disable Request Validation</value>
+  </data>
+  <data name="DoNotDisableRequestValidationDescription" xml:space="preserve">
+    <value>Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</value>
+  </data>
+  <data name="DoNotDisableRequestValidationMessage" xml:space="preserve">
+    <value>The method {0} has request validation disabled</value>
+  </data>
   <data name="DoNotDisableSchUseStrongCrypto" xml:space="preserve">
     <value>Do Not Disable SChannel Use of Strong Crypto</value>
   </data>

diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.cs.xlf
@@ -47,6 +47,21 @@
         <target state="translated">Vlastnost ServerCertificateValidationCallback je nastavená na funkci, která přijímá libovolný certifikát serveru, protože vždy vrací hodnotu true. Dbejte na to, aby se certifikáty serverů ověřovaly a měli jste jistotu o identitě serveru přijímajícího požadavky.</target>
         <note />
       </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidation">
+        <source>Do Not Disable Request Validation</source>
+        <target state="new">Do Not Disable Request Validation</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationDescription">
+        <source>Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</source>
+        <target state="new">Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationMessage">
+        <source>The method {0} has request validation disabled</source>
+        <target state="new">The method {0} has request validation disabled</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DoNotDisableSchUseStrongCrypto">
         <source>Do Not Disable SChannel Use of Strong Crypto</source>
         <target state="new">Do Not Disable SChannel Use of Strong Crypto</target>

diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.de.xlf
@@ -47,6 +47,21 @@
         <target state="translated">Die ServerCertificateValidationCallback-Eigenschaft wurde auf eine Funktion festgelegt, die alle Serverzertifikate akzeptiert, indem immer "true" zurückgegeben wird. Stellen Sie sicher, dass die Serverzertifikate darauf ausgelegt sind, die Identität des Servers zu überprüfen, der Anforderungen erhält.</target>
         <note />
       </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidation">
+        <source>Do Not Disable Request Validation</source>
+        <target state="new">Do Not Disable Request Validation</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationDescription">
+        <source>Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</source>
+        <target state="new">Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationMessage">
+        <source>The method {0} has request validation disabled</source>
+        <target state="new">The method {0} has request validation disabled</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DoNotDisableSchUseStrongCrypto">
         <source>Do Not Disable SChannel Use of Strong Crypto</source>
         <target state="new">Do Not Disable SChannel Use of Strong Crypto</target>

diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.es.xlf
@@ -47,6 +47,21 @@
         <target state="translated">ServerCertificateValidationCallback está establecido en una función que acepta cualquier certificado de servidor, devolviendo siempre el valor "true". Asegúrese de que los certificados de servidor estén validados para verificar la identidad del servidor que recibe las peticiones.</target>
         <note />
       </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidation">
+        <source>Do Not Disable Request Validation</source>
+        <target state="new">Do Not Disable Request Validation</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationDescription">
+        <source>Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</source>
+        <target state="new">Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationMessage">
+        <source>The method {0} has request validation disabled</source>
+        <target state="new">The method {0} has request validation disabled</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DoNotDisableSchUseStrongCrypto">
         <source>Do Not Disable SChannel Use of Strong Crypto</source>
         <target state="new">Do Not Disable SChannel Use of Strong Crypto</target>

diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.fr.xlf
@@ -47,6 +47,21 @@
         <target state="translated">ServerCertificateValidationCallback est défini sur une fonction qui accepte n'importe quel certificat de serveur en retournant toujours la valeur true. Veillez à ce que ces certificats de serveur soient validés pour vérifier l'identité du serveur qui reçoit les demandes.</target>
         <note />
       </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidation">
+        <source>Do Not Disable Request Validation</source>
+        <target state="new">Do Not Disable Request Validation</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationDescription">
+        <source>Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</source>
+        <target state="new">Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationMessage">
+        <source>The method {0} has request validation disabled</source>
+        <target state="new">The method {0} has request validation disabled</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DoNotDisableSchUseStrongCrypto">
         <source>Do Not Disable SChannel Use of Strong Crypto</source>
         <target state="new">Do Not Disable SChannel Use of Strong Crypto</target>

diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.it.xlf
@@ -47,6 +47,21 @@
         <target state="translated">ServerCertificateValidationCallback è impostato su una funzione che accetta qualsiasi certificato del server, restituendo sempre true. Assicurarsi che i certificati del server siano convalidati per verificare l'identità del server che riceve le richieste.</target>
         <note />
       </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidation">
+        <source>Do Not Disable Request Validation</source>
+        <target state="new">Do Not Disable Request Validation</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationDescription">
+        <source>Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</source>
+        <target state="new">Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationMessage">
+        <source>The method {0} has request validation disabled</source>
+        <target state="new">The method {0} has request validation disabled</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DoNotDisableSchUseStrongCrypto">
         <source>Do Not Disable SChannel Use of Strong Crypto</source>
         <target state="new">Do Not Disable SChannel Use of Strong Crypto</target>

diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ja.xlf
@@ -47,6 +47,21 @@
         <target state="translated">ServerCertificateValidationCallback は、常時 true を返すことによってあらゆるサーバー証明書を受け入れる関数に設定されます。要求を受信するサーバーの ID を確認するサーバー証明書が検証されるようにします。</target>
         <note />
       </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidation">
+        <source>Do Not Disable Request Validation</source>
+        <target state="new">Do Not Disable Request Validation</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationDescription">
+        <source>Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</source>
+        <target state="new">Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationMessage">
+        <source>The method {0} has request validation disabled</source>
+        <target state="new">The method {0} has request validation disabled</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DoNotDisableSchUseStrongCrypto">
         <source>Do Not Disable SChannel Use of Strong Crypto</source>
         <target state="new">Do Not Disable SChannel Use of Strong Crypto</target>

diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/Security/xlf/SystemSecurityCryptographyResources.ko.xlf
@@ -47,6 +47,21 @@
         <target state="translated">ServerCertificateValidationCallback은 항상 true를 반환하여 서버 인증서를 허용하는 함수로 설정되어 있습니다. 서버 인증서의 유효성을 검사하여 요청을 받는 서버의 ID를 확인해야 합니다.</target>
         <note />
       </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidation">
+        <source>Do Not Disable Request Validation</source>
+        <target state="new">Do Not Disable Request Validation</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationDescription">
+        <source>Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</source>
+        <target state="new">Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="DoNotDisableRequestValidationMessage">
+        <source>The method {0} has request validation disabled</source>
+        <target state="new">The method {0} has request validation disabled</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DoNotDisableSchUseStrongCrypto">
         <source>Do Not Disable SChannel Use of Strong Crypto</source>
         <target state="new">Do Not Disable SChannel Use of Strong Crypto</target>