Fix IndexOutOfRangeException bug of CA5391. #2857
…ng if only look at Controller-derived classes.
…LLLXXXCCC/roslyn-analyzers into UseAutoValidateAntiforgeryToken
@LLLXXXCCC minor suggestion - if your PR closes a specific issue, then you can add a |
src/Microsoft.NetCore.Analyzers/Core/Security/UseAutoValidateAntiforgeryToken.cs
@@ -340,7 +350,8 @@ void FindAllTheSpecifiedCalleeMethods(ISymbol methodSymbol, HashSet<ISymbol> vis | |||
|
|||
foreach (var child in callingMethods.Keys) | |||
{ | |||
if (onAuthorizationAsyncMethodSymbols.Contains(child)) | |||
if (child is IMethodSymbol childMethodSymbol && | |||
onAuthorizationAsyncMethodSymbols.ContainsKey(childMethodSymbol)) |
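Review bot: The `foreach` over `callingMethods.Keys` at the top of this hunk is left as it was, while only the lookup beneath it moves from `Contains(child)` to `ContainsKey(childMethodSymbol)`. If `callingMethods` can still be written by another callback while this loop runs, the enumeration itself can fail, so confirm it is a concurrent collection or enumerate a snapshot of the keys. The `child is IMethodSymbol childMethodSymbol` test also silently skips any key that is not a method symbol; a one-line comment saying whether such keys are expected would help.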
Do we know where the IndexOutOfRangeException was being thrown? I presume it is in the indexer access below, `results[methodSymbol]`? If so, I am not sure how this PR would fix that exception.
@LLLXXXCCC based on your guess that the exception is a thread safety issue, I've come up with an unreliable repro (get the rule to trigger when there are multiple controllers in the project).
https://github.com/dotpaul/repro2844
Replace the Microsoft.NetCore.Analyzers.dll with your own build (maybe with `Debugger.Launch()` somewhere so you can catch the exceptions), and try building / rebuilding multiple times.
Also, don't remember if I got IndexOutOfRangeExceptions, but definitely ran into some others like:
warning AD0001: Analyzer 'Microsoft.NetCore.Analyzers.Security.UseAutoValidateAntiforgeryToken' threw an exception of type 'System.ArgumentException' with message 'Destination array was not long enough. Check destIndex and length, and the array's lower bounds.'.
warning AD0001: Analyzer 'Microsoft.NetCore.Analyzers.Security.UseAutoValidateAntiforgeryToken' threw an exception of type 'System.NullReferenceException' with message 'Object reference not set to an instance of an object.'.
I think these might all be likely due to use of non-concurrent data structure in this analyzer.
@LLLXXXCCC were you able to repro some exceptions being thrown, and verify your changes don't have exceptions?
Would probably be a good idea to see if a unit test with multiple controllers can repro (and should have one anyway).
Yes, I can reproduce the two warnings you mentioned and the IndexOutOfRangeException. For now, the fix works well.
Please add a unit test that contains multiple (like 4 or 5) controllers and produces diagnostics, so that we have a test committed that reproduces the original problem.
I'd let @dotpaul review the overall PR, but am interested in knowing which change fixes the IndexOutOfRangeException.
src/Microsoft.NetCore.Analyzers/Core/Security/UseAutoValidateAntiforgeryToken.cs
@@ -215,9 +224,10 @@ public override void Initialize(AnalysisContext context) | |||
var derivedControllerTypeSymbol = (INamedTypeSymbol)symbolAnalysisContext.Symbol; | |||
var baseTypes = derivedControllerTypeSymbol.GetBaseTypes(); | |||
|
|||
// An subtype of `Microsoft.AspNetCore.Mvc.Controller` or `Microsoft.AspNetCore.Mvc.ControllerBase`). | |||
// An subtype of `Microsoft.AspNetCore.Mvc.Controller`, which indicates that cookie-based authentication is used and thus CSRF is a concern. |
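Review bot: The replacement comment on the last line of this hunk still begins "An subtype"; it should read "A subtype". It also drops the mention of `Microsoft.AspNetCore.Mvc.ControllerBase` without saying why, so add a short clause stating that `ControllerBase`-derived types are intentionally not considered, if that is the intent.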
which indicates that cookie-based authentication is used and thus CSRF is a concern.
which probably indicates views are used and maybe cookie-based authentication is used and thus CSRF is a concern.
(Can't be sure. 🙂)
Co-Authored-By: Genevieve Warren <gewarren@microsoft.com>
…LLLXXXCCC/roslyn-analyzers into UseAutoValidateAntiforgeryToken
🚢
Fixes #2844