This repository has been archived by the owner on Sep 11, 2019. It is now read-only.

SG0016 - allow user to change/add to the Token checking attribute name #90

Open
duncan-bradley opened this issue Oct 11, 2017 · 1 comment

Comments

@duncan-bradley

I have a custom attribute for token checking, and it would be great to be able to add this to the attribute list that RSG uses. So, instead of [ValidateAntiForgeryToken], I have one called [ValidateAntiForgeryHeader] which finds the token in the HTTP headers, rather than just in the body.

@felickz
Contributor

felickz commented Oct 11, 2017

The "SG0016 Controller method is vulnerable to CSRF" rule also conflicts with some newer patterns for auto-validating CSRF tokens in .NET Core.

```csharp
Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
```

Is there any pattern for detecting that this attribute is globally applied and disabling SG0016? Potentially SG0016 could apply to the use of the ignore attribute here.

AutoValidateAntiforgeryTokenAttribute can be applied as a global filter to trigger validation of antiforgery tokens by default for an application.

Also, we should call out the usage of IgnoreAntiforgeryTokenAttribute here.

Blog explaining the topic: https://andrewlock.net/automatically-validating-anti-forgery-tokens-in-asp-net-core-with-the-autovalidateantiforgerytokenattribute/
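The wiring both comments are talking about, as an added example (not code from RSG or from either poster): the global `AutoValidateAntiforgeryTokenAttribute` filter, the explicit `[IgnoreAntiforgeryToken]` opt-out that a rule like SG0016 would want to flag once the global filter is present, and, going slightly beyond the thread, the built-in `AntiforgeryOptions.HeaderName` setting that lets the stock validation read the token from a request header instead of requiring a custom attribute. The header name `X-CSRF-TOKEN` and the controller/action names are assumptions.

```csharp
// Added example, not the RSG project's code. Targets ASP.NET Core MVC 2.x.
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Let the default antiforgery validation accept the token from a
        // request header as well as the form field, so AJAX/SPA callers do
        // not need a separate header-checking attribute.
        // "X-CSRF-TOKEN" is an assumed header name.
        services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

        services.AddMvc(options =>
        {
            // Global filter: every action reached by an unsafe method
            // (POST, PUT, PATCH, DELETE) is validated by default, so a
            // per-action [ValidateAntiForgeryToken] is no longer needed
            // and cannot be forgotten.
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
        });
    }
}

public class AccountController : Controller
{
    // Covered by the global filter; no attribute required. An analyzer
    // that only looks for [ValidateAntiForgeryToken] would still flag this.
    [HttpPost]
    public IActionResult ChangeEmail(string email) => Ok();

    // Explicit opt-out. With the global filter in place this is the
    // construct worth reporting: it re-introduces CSRF exposure on an
    // unsafe HTTP method and should carry a documented justification.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult Webhook() => Ok();
}
```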
