Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

make sure each controller method has a ValidateAntiForgeryToken attribute?

Tags:

security

asp.net-mvc

Is there any way to centralize enforcement that every action method must have a "ValidateAntiForgeryToken" attribute? I'm thinking it would have to be done by extending one the "routing" classes.

Edit: Or maybe do some reflection at application startup?

like image 860
JoelFan Avatar asked Dec 21 '09 03:12

JoelFan

2 Answers

Yes. You can do this by creating your own BaseController that inherits the Mvc Controller, and overloads the OnAuthorization(). You want to make sure it is a POST event before enforcing it:

public abstract class MyBaseController : Controller
{
  protected override void OnAuthorization(AuthorizationContext filterContext)
  {
    //enforce anti-forgery stuff for HttpVerbs.Post
    if (String.Compare(filterContext.HttpContext.Request.HttpMethod,
          System.Net.WebRequestMethods.Http.Post, true) == 0)
    {
      var forgery = new ValidateAntiForgeryTokenAttribute();
      forgery.OnAuthorization(filterContext);
    }
    base.OnAuthorization(filterContext);
  }
}

Once you have that, make sure all of your controllers inherit from this MyBaseController (or whatever you call it). Or you can do it on each Controller if you like with the same code.

like image 124
eduncan911 Avatar answered Sep 22 '22 19:09

eduncan911

Sounds like you're trying to prevent "oops I forgot to set that" bugs. If so I think the best place to do this is with a custom ControllerActionInvoker.

Essentially what you want to do is stop MVC from even finding an action without a AntiForgery token:

public class MustHaveAntiForgeryActionInvoker : ControllerActionInvoker
{
    protected override ActionDescriptor FindAction(ControllerContext controllerContext, ControllerDescriptor controllerDescriptor, string actionName)
    {
        var foundAction = base.FindAction(controllerContext, controllerDescriptor, actionName);

        if( foundAction.GetCustomAttributes(typeof(ValidateAntiForgeryTokenAttribute), true ).Length == 0 )
            throw new InvalidOperationException("Can't find a secure action method to execute");

        return foundAction;
    }
}

Then in your controller, preferably your base controller:

ActionInvoker = new MustHaveAntiForgeryActionInvoker();

Just wanted to add that custom Controller base classes tend to get "thick" and imo its always best practice to use MVC's brilliant extensibility points to hook in the features you need where they belong.

Here is a good guide of most of MVC's extensibility points: http://codeclimber.net.nz/archive/2009/04/08/13-asp.net-mvc-extensibility-points-you-have-to-know.aspx

like image 29
John Farrell Avatar answered Sep 22 '22 19:09

John Farrell
Sign in to Comment

Related questions

EditorFor() for a List of Complex Type (MVC)
Set a string column to nullable in EF6
Why is this web api controller not concurrent?
Auto generate action in controller MVC
The "GenerateResource" task failed unexpectedly null reference exception
Bootswatch theme not working correctly
400 Bad Request when POST-ing to Razor Page
Error: Action has more than one parameter bound from request body
Alphabetically Ordering a SelectList in MVC
Find differences between two entities of the same type
How to Convert Row to Column in Linq and SQL
Should service layer have access to HttpContext?
How ASP .NET MVC architecture fits into the traditional multi layered architecture
Why I do not have access rights on the server?
How to access private variables using { get; set; }
Mono MVC5 - Views don't work
MVC DataAnnotation Accept No Spaces
HTTP Error 500: localhost is currently unable to handle this request
Scaffolding error : deps.json doesn't exist
Expire Output Cache ASP.Net MVC

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!