
False positive on csharp.dotnet.security.audit.mass-assignment

Open Sjord opened this issue 3 years ago • 0 comments

https://github.com/returntocorp/semgrep-rules/blob/develop/csharp/dotnet/security/audit/mass-assignment.yaml

     csharp.dotnet.security.audit.mass-assignment.mass-assignment
        Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-
        posting attacks, which could create a new parameter in the binding request and manipulate
        the underlying object in the application.
        Details: https://sg.run/7B3e
         30┆ [HttpGet("/")]
         31┆ public IActionResult Index()
         32┆ {
         33┆     return NoContent();
         34┆ }

This method does not accept POST, takes no parameters and does nothing. I think the rule at least needs to check for parameters and non-GET methods.

Sjord, Aug 01 '22 09:08
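As an added illustration of the two checks the reporter asks for (not the project's rule, and not a patch to it), here is a Semgrep rule sketch that only fires when an action has at least one non-scalar parameter and is not annotated with `[HttpGet]`; the rule id, message, the scalar-type list and the exact pattern shape are assumptions chosen for this example, so the real rule's patterns may differ.

```yaml
rules:
  - id: example-mass-assignment-requires-bound-parameter
    languages: [csharp]
    severity: WARNING
    message: >-
      Action binds a request model on a route that is not GET-only. Verify the
      bound type exposes no properties a client must not be allowed to set
      (use a view model or [Bind] to restrict binding).
    patterns:
      # Require at least one parameter: an action with no parameters binds
      # nothing, so there is nothing to over-post (the Index() in the report).
      - pattern: |
          public $RET $METHOD(..., $TYPE $PARAM, ...) { ... }
      # Exclude actions explicitly limited to GET. Actions carrying no Http*
      # attribute are kept, because under conventional routing they still
      # accept POST. The attribute is matched with and without arguments.
      - pattern-not-inside: |
          [HttpGet]
          public $RET $METHOD(...) { ... }
      - pattern-not-inside: |
          [HttpGet(...)]
          public $RET $METHOD(...) { ... }
      # Skip scalar parameters: only object models are mass-assignable.
      # The list below is an assumption for this example, not exhaustive.
      - metavariable-regex:
          metavariable: $TYPE
          regex: ^(?!(int|long|string|bool|Guid|double|decimal)$).+
```

With this shape the `[HttpGet("/")] public IActionResult Index()` action in the report is skipped by the first pattern alone (no parameter), while a `[HttpPost]` action taking an entity type still matches.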