Fix IndexOutOfRangeException bug of CA5391. #2857
Conversation
…ng if only look at Controller-derived classes.
…LLLXXXCCC/roslyn-analyzers into UseAutoValidateAntiforgeryToken
|
@LLLXXXCCC minor suggestion - if your PR closes a specific issue, then you can add a |
src/Microsoft.NetCore.Analyzers/Core/Security/UseAutoValidateAntiforgeryToken.cs
Show resolved
Hide resolved
src/Microsoft.NetCore.Analyzers/Core/Security/UseAutoValidateAntiforgeryToken.cs
Outdated
Show resolved
Hide resolved
| @@ -340,7 +350,8 @@ void FindAllTheSpecifiedCalleeMethods(ISymbol methodSymbol, HashSet<ISymbol> vis | |||
|
|
|||
| foreach (var child in callingMethods.Keys) | |||
| { | |||
| if (onAuthorizationAsyncMethodSymbols.Contains(child)) | |||
| if (child is IMethodSymbol childMethodSymbol && | |||
| onAuthorizationAsyncMethodSymbols.ContainsKey(childMethodSymbol)) | |||
There was a problem hiding this comment.
Do we know where the IndexOutOfRangeException was being thrown? I presume it is in the indexer access below results[methodSymbol]? If so, I am not sure how this PR would fix that exception.
There was a problem hiding this comment.
@LLLXXXCCC based on your guess of the exception is a thread safety issue, I've come up with an unreliable repro (get the rule to trigger when there are multiple controllers in the project).
https://github.com/dotpaul/repro2844
Replace the Microsoft.NetCore.Analyzers.dll with your own build (maybe with Debugger.Launch() somewhere so you can catch the exceptions), and try building / rebuilding multiple times.
There was a problem hiding this comment.
Also, don't remember if I got IndexOutOfRangeExceptions, but definitely ran into some others like:
warning AD0001: Analyzer 'Microsoft.NetCore.Analyzers.Security.UseAutoValidateAntiforgeryToken' threw an exception of type 'System.ArgumentException' with message 'Destination array was not long enough. Check destIndex and length, and the array's lower bounds.'.
warning AD0001: Analyzer 'Microsoft.NetCore.Analyzers.Security.UseAutoValidateAntiforgeryToken' threw an exception of type 'System.NullReferenceException' with message 'Object reference not set to an instance of an object.'.
There was a problem hiding this comment.
I think these might all be likely due to use of non-concurrent data structure in this analyzer.
There was a problem hiding this comment.
@LLLXXXCCC were you able to repro some exceptions being thrown, and verify your changes don't have exceptions?
Would probably be a good idea to see if a unit test with multiple controllers can repro (and should have one anyway).
There was a problem hiding this comment.
Yes, I can reproduce the two warnings you mentioned and the IndexOutOfRangeException. For now, the fix works well.
There was a problem hiding this comment.
Please add a unit test that contains multiple (like 4 or 5) controllers and produces diagnostics, so that we have a test committed that reproduces the original problem.
src/Microsoft.NetCore.Analyzers/Core/Security/UseAutoValidateAntiforgeryToken.cs
Show resolved
Hide resolved
| @@ -215,9 +224,10 @@ public override void Initialize(AnalysisContext context) | |||
| var derivedControllerTypeSymbol = (INamedTypeSymbol)symbolAnalysisContext.Symbol; | |||
| var baseTypes = derivedControllerTypeSymbol.GetBaseTypes(); | |||
|
|
|||
| // An subtype of `Microsoft.AspNetCore.Mvc.Controller` or `Microsoft.AspNetCore.Mvc.ControllerBase`). | |||
| // An subtype of `Microsoft.AspNetCore.Mvc.Controller`, which indicates that cookie-based authentication is used and thus CSRF is a concern. | |||
There was a problem hiding this comment.
which indicates that cookie-based authentication is used and thus CSRF is a concern. [](start = 76, length = 84)
which probably indicates views are used and maybe cookie-based authentication is used and thus CSRF is a concern.
(Can't be sure. 🙂)
Co-Authored-By: Genevieve Warren <gewarren@microsoft.com>
Co-Authored-By: Genevieve Warren <gewarren@microsoft.com>
Co-Authored-By: Genevieve Warren <gewarren@microsoft.com>
…LLLXXXCCC/roslyn-analyzers into UseAutoValidateAntiforgeryToken
Fixes #2844