
Potential CWE-352 vulnerability in OdataToEntity.AspNetCore

Open · dshalkhakov opened this issue 5 years ago · 1 comment

Hello,

So I've run a SAST scan with a certain tool against OdataToEntity source code and it uncovered the following issue: CWE-352 in OdataToEntity.AspNetCore.OeBatchController BatchCore() and Batch() methods.

I think it should be fixed at the application level, not by the library, by introducing CSRF token middleware or an authorization filter. The OeBatchController could also be made abstract so that the responsibility for CSRF prevention is moved to the calling application.

Thoughts?

Cheers, Dmitry

dshalkhakov · May 20 '20 11:05

ValidateAntiForgeryTokenAttribute can help?

voronov-maxim · May 20 '20 23:05
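The application-level mitigation discussed in the thread (antiforgery middleware plus the validation filter voronov-maxim points at), as an added example that is not part of the issue or of OdataToEntity's own code. It assumes a host application that serves the OData batch endpoint through MVC controllers and authenticates with cookies, which is the situation in which CWE-352 matters: a browser attaches the session cookie to a cross-site POST automatically, but it cannot attach a header value that only same-origin script can read. The route `/antiforgery/token` and the header name `X-CSRF-TOKEN` are choices made for this example, not anything the library defines.

```csharp
// Added example, not OdataToEntity's code: CSRF protection for a batch endpoint
// applied by the hosting ASP.NET Core application rather than by the library.
// Assumptions: cookie authentication; OeBatchController is reached via MapControllers().
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// The antiforgery service issues a token pair: one half in a cookie, one half the
// client must echo back. A forged cross-site request carries the cookie half only,
// because the attacker's page cannot read the request token, so validation fails.
builder.Services.AddAntiforgery(options =>
{
    // Hypothetical header name for this example; JS clients send the request token here,
    // which is more convenient than a form field for a JSON/multipart $batch body.
    options.HeaderName = "X-CSRF-TOKEN";
});

builder.Services.AddControllers(options =>
{
    // AutoValidateAntiforgeryTokenAttribute validates the token on every unsafe verb
    // (POST, PUT, PATCH, DELETE) for every controller in the application, so the
    // batch controller is covered without the library having to know about CSRF.
    // Per-action [ValidateAntiForgeryToken] would be the narrower alternative.
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Hands the request token to a same-origin client; GetAndStoreTokens also sets the
// cookie half. Safe (GET) requests are not validated, so this endpoint is reachable
// without a token, and the response body is unreadable cross-origin.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext httpContext) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(httpContext);
    return Results.Ok(new { token = tokens.RequestToken });
});

// The library's OeBatchController is mapped like any other controller; with the
// global filter above, a POST to its batch route without a valid token is rejected
// with 400 before the action runs.
app.MapControllers();

app.Run();
```

Two caveats a practitioner should check before relying on this. First, the filter only protects applications that authenticate with something the browser sends automatically (cookies, Windows auth); an API that only accepts a bearer token in the `Authorization` header is not exposed to CWE-352 in the first place, and adding antiforgery there just breaks non-browser clients. Second, the client must actually send the token: a same-origin script would fetch `/antiforgery/token` once and then include `X-CSRF-TOKEN` on every `$batch` POST, and a SAST finding against `OeBatchController.Batch()` will remain (the tool cannot see the host's filter pipeline) even though the running application is covered.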