Merge pull request #21265 from github/redsun82/csharp-csrf-inheritance

redsun82 · web-flow · commit 05bef12dddd5 · 2026-02-05T14:20:30.000+01:00
C#: Fix CSRF query to check antiforgery attributes on base classes
diff --git a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
@@ -54,12 +54,12 @@ predicate hasGlobalAntiForgeryFilter() {
 predicate isUnvalidatedPostMethod(Class c, Method m) {
   c.(Controller).getAPostActionMethod() = m and
   not m.getAnAttribute() instanceof ValidateAntiForgeryTokenAttribute and
-  not c.getAnAttribute() instanceof ValidateAntiForgeryTokenAttribute
+  not c.getABaseType*().getAnAttribute() instanceof ValidateAntiForgeryTokenAttribute
   or
   c.(AspNetCore::MicrosoftAspNetCoreMvcController).getAnActionMethod() = m and
   m.getAnAttribute() instanceof AspNetCore::MicrosoftAspNetCoreMvcHttpPostAttribute and
   not m.getAnAttribute() instanceof AspNetCore::ValidateAntiForgeryAttribute and
-  not c.getAnAttribute() instanceof AspNetCore::ValidateAntiForgeryAttribute
+  not c.getABaseType*().getAnAttribute() instanceof AspNetCore::ValidateAntiForgeryAttribute
 }
 
 Element getAValidatedElement() {
diff --git a/csharp/ql/src/change-notes/2026-02-04-csrf-inherited-attribute.md b/csharp/ql/src/change-notes/2026-02-04-csrf-inherited-attribute.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The `cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]` is applied to a parent class.
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs
@@ -29,3 +29,34 @@ public void UtilityMethod()
     {
     }
 }
+
+// GOOD: Base class has AutoValidateAntiforgeryToken attribute
+[AutoValidateAntiforgeryToken]
+public abstract class BaseController : Controller
+{
+}
+
+public class DerivedController : BaseController
+{
+    // GOOD: Inherits antiforgery validation from base class
+    [HttpPost]
+    public ActionResult InheritedValidation()
+    {
+        return View();
+    }
+}
+
+// BAD: Base class without antiforgery attribute
+public abstract class UnprotectedBaseController : Controller
+{
+}
+
+public class DerivedUnprotectedController : UnprotectedBaseController
+{
+    // BAD: No antiforgery validation on this or any base class
+    [HttpPost]
+    public ActionResult NoInheritedValidation()
+    {
+        return View();
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.expected b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.expected
@@ -1 +1,2 @@
 | MissingAntiForgeryTokenValidation.cs:7:25:7:29 | Login | Method 'Login' handles a POST request without performing CSRF token validation. |
+| MissingAntiForgeryTokenValidation.cs:58:25:58:45 | NoInheritedValidation | Method 'NoInheritedValidation' handles a POST request without performing CSRF token validation. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.cs b/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.cs
@@ -29,3 +29,34 @@ public void UtilityMethod()
     {
     }
 }
+
+// GOOD: Base class has ValidateAntiForgeryToken attribute
+[ValidateAntiForgeryToken]
+public abstract class BaseController : Controller
+{
+}
+
+public class DerivedController : BaseController
+{
+    // GOOD: Inherits antiforgery validation from base class
+    [HttpPost]
+    public ActionResult InheritedValidation()
+    {
+        return View();
+    }
+}
+
+// BAD: Base class without antiforgery attribute
+public abstract class UnprotectedBaseController : Controller
+{
+}
+
+public class DerivedUnprotectedController : UnprotectedBaseController
+{
+    // BAD: No antiforgery validation on this or any base class
+    [HttpPost]
+    public ActionResult NoInheritedValidation()
+    {
+        return View();
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.expected b/csharp/ql/test/query-tests/Security Features/CWE-352/missing/MissingAntiForgeryTokenValidation.expected
@@ -1 +1,2 @@
 | MissingAntiForgeryTokenValidation.cs:7:25:7:29 | Login | Method 'Login' handles a POST request without performing CSRF token validation. |
+| MissingAntiForgeryTokenValidation.cs:58:25:58:45 | NoInheritedValidation | Method 'NoInheritedValidation' handles a POST request without performing CSRF token validation. |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: fix
 +---
 +* The `cs/web/missing-token-validation` ("Missing cross-site request forgery token validation") query now recognizes antiforgery attributes on base controller classes, fixing false positives when `[ValidateAntiForgeryToken]` or `[AutoValidateAntiforgeryToken]` is applied to a parent class.
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`\| MissingAntiForgeryTokenValidation.cs:7:25:7:29 \| Login \| Method 'Login' handles a POST request without performing CSRF token validation. \|`
	`2`	`+\| MissingAntiForgeryTokenValidation.cs:58:25:58:45 \| NoInheritedValidation \| Method 'NoInheritedValidation' handles a POST request without performing CSRF token validation. \|`