[csharp] Potential False Positive: Missing cross-site request forgery token validation

[thedave04]

I have a setup where I apply the [AutoValidateAntiforgeryToken] attribute to a base controller class that all my other controller classes inherit from. This results in CSRF token validation occurring for all unsafe action methods in my controllers. However, I am getting the "Missing cross-site request forgery token validation" warning due to my unsafe action methods such as POST request handlers not having the [ValidateAntiForgeryToken] attribute. I have checked that the antiforgery token validation is indeed getting done.

Example:

[AutoValidateAntiforgeryToken]
public abstract class BaseController : Controller
{
    ...
}

public class ProjectController : BaseController
{
    ...

    [HttpPost]
    public async Task<ActionResult> SampleMethod 
    {
        ...
    }
}

[redsun82]

👋 @thedave04 thanks for this report. It seems we indeed don't check on inherited attributes for this. While usually we don't currently prioritize fixing false positives, this seemed like an easy problem to fix, so I've opened #21265 for this 🙌