Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AD0001: Analyzer 'Microsoft.NetCore.Analyzers.Security.UseAutoValidateAntiforgeryToken' threw an exception of type 'System.ArgumentNullException' with message 'Value cannot be null.' #4772

Closed
notnotchris opened this issue Feb 3, 2021 · 4 comments · Fixed by #4834
Closed

AD0001: Analyzer 'Microsoft.NetCore.Analyzers.Security.UseAutoValidateAntiforgeryToken' threw an exception of type 'System.ArgumentNullException' with message 'Value cannot be null.' #4772

notnotchris opened this issue Feb 3, 2021 · 4 comments · Fixed by #4834
Labels
Area-Microsoft.CodeAnalysis.NetAnalyzers Bug The product is not behaving according to its current intended design Category-Security Urgency-Soon
Milestone
.NET 6 Preview 3

Comments

@notnotchris
Copy link

notnotchris commented Feb 3, 2021
edited
Loading

Analyser

AD0001: Analyzer 'Microsoft.NetCore.Analyzers.Security.UseAutoValidateAntiforgeryToken' threw an exception of type 'System.ArgumentNullException' with message 'Value cannot be null.'

Analyser source

SDK: Built-in CA analysers in .NET 5 SDK or later

Version: SDK 5.0.102

Describe the bug

An ArgumentNullException occurs, causing an AD0001 warning, when building a project that registers an asynchronous authorization filter (implements IAsyncAuthorizationFilter) that derives from an abstract class and all rules are enabled by default (<AnalysisMode>AllEnabledByDefault</AnalysisMode> in the project file).

Steps to Reproduce

  1. Create an abstract asynchronous authorization filter.
  2. Create a concrete class that derives from the abstract type.
  3. Register the concrete filter in AddControllers.
  4. Enable all rules by default.
  5. Build the solution/project.

Expected behaviour

Either the project builds successfully without warnings, or the relevant code analysis warning is displayed.

Actual behaviour

An AD0001 warning is generated.

Additional context

Adding the latest NuGet package version (5.0.3) of the analysers makes no difference. The AD0001 warning is still generated.

The AD0001 warning does not occur when all rules are not enabled by default (i.e. <AnalysisMode>AllEnabledByDefault</AnalysisMode> is omitted from the project file).

A minimum repro is available here.
@Youssef1313
Copy link
Member

Youssef1313 commented Feb 3, 2021
edited
Loading

@notnotchris Thanks for the detailed repro steps. The issue happens when the filter used doesn't directly contain "OnAuthorizationAsync" method.

The problematic part of the analyzer implementation is the following:

roslyn-analyzers/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseAutoValidateAntiforgeryToken.cs

Lines 196 to 207 in 3fb8781

onAuthorizationAsyncMethodSymbols.TryAdd(
potentialAntiForgeryFilter
.GetMembers()
.OfType<IMethodSymbol>()
.FirstOrDefault(
s => (s.Name == "OnAuthorizationAsync" &&
s.ReturnType.Equals(taskTypeSymbol) ||
s.Name == "OnAuthorization" &&
s.ReturnsVoid) &&
s.Parameters.Length == 1 &&
s.Parameters[0].Type.Equals(authorizationFilterContextTypeSymbol)),
placeholder);

The call to FirstOrDefault will return null, which is passed as the key to onAuthorizationAsyncMethodSymbols.TryAdd

Note: The fix should consider a scenario where the abstract filter has a virtual implementation of OnAuthorizationAsync, which is overriden by the concrete filter. In that case, both potentialAntiForgeryFilter and its base type have OnAuthorizationAsync method symbol. Does it matter which one is added to onAuthorizationAsyncMethodSymbols?

@mavasani mavasani added Area-Microsoft.CodeAnalysis.NetAnalyzers Bug The product is not behaving according to its current intended design Category-Security Urgency-Soon help wanted The issue is up-for-grabs, and can be claimed by commenting labels Feb 9, 2021
@mavasani mavasani added this to the .NET 6 Preview 1 milestone Feb 9, 2021
@mavasani
Copy link
Contributor

mavasani commented Feb 9, 2021

Tagging @dotpaul

@dotpaul
Copy link
Contributor

dotpaul commented Feb 10, 2021

Thanks @notnotchris and @Youssef1313! I will work on a fix.

@dotpaul dotpaul removed the help wanted The issue is up-for-grabs, and can be claimed by commenting label Feb 10, 2021
@dotpaul dotpaul mentioned this issue Feb 11, 2021
Merged
@reduckted reduckted mentioned this issue Feb 12, 2021
Closed
dotpaul added a commit that referenced this issue Feb 17, 2021
@dotpaul
Merge pull request #4834 from dotpaul/fix4772
1981f3c 
Fix #4772
@dotpaul dotpaul mentioned this issue Feb 22, 2021
Merged
@notnotchris
Copy link
Author

@dotpaul when will your fix be released? Is it available in the latest preview release?

@jmarolf jmarolf mentioned this issue Jan 31, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area-Microsoft.CodeAnalysis.NetAnalyzers Bug The product is not behaving according to its current intended design Category-Security Urgency-Soon
Projects
None yet
Milestone
.NET 6 Preview 3
5 participants
@jmarolf @mavasani @notnotchris @Youssef1313 @dotpaul