I'm using .NET Web API 2 and I'm getting a Veracode flaw from a code scan:
'The Controller's Action is missing a Route Attribute that will perform input validation on Action parameters using a Route Constraint.... Remediation: Make sure to use RouteAttribute objects with a Route Constraint on each Action'
The action referred to is:
    [Route]
    [HttpGet]
    public IHttpActionResult Get(int? offset = null, int? rows = null)
    {
        ...
    }
Since I only have optional parameters, they are not specified in the Route attribute. If I do specify them, by changing the route annotation to:

    [Route("{offset:int?}/{rows:int?}")]
the route would show in the swagger api help page like this:
    GET /api/v1/foo/{offset}/{rows}
instead of (what we want to show):
    GET /api/v1/foo
The help page would also have those parameters marked as required, even though they should not be.
Is there a way I can please Veracode and not spoil my swagger docs?
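
The input validation the finding refers to can also be done inside the action while the route and signature stay as posted. This is an added example, not the poster's code and not Veracode guidance; the controller name, the `MaxRows` bound and the default page size are assumptions, and the page does not establish whether the scanner clears the finding for it.

```csharp
using System.Web.Http;

[RoutePrefix("api/v1/foo")]   // prefix taken from the help-page path in the question
public class FooController : ApiController   // hypothetical controller name
{
    private const int MaxRows = 500;      // constructed upper bound
    private const int DefaultRows = 50;   // constructed default page size

    [Route("")]
    [HttpGet]
    public IHttpActionResult Get(int? offset = null, int? rows = null)
    {
        // A non-integer value such as ?rows=abc cannot be converted to int?;
        // model binding records that as a ModelState error instead of throwing.
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }

        // Both parameters stay optional, but a supplied value must be in range.
        if (offset.HasValue && offset.Value < 0)
        {
            return BadRequest("offset must be zero or greater.");
        }

        if (rows.HasValue && (rows.Value < 1 || rows.Value > MaxRows))
        {
            return BadRequest("rows must be between 1 and " + MaxRows + ".");
        }

        int effectiveOffset = offset ?? 0;
        int effectiveRows = rows ?? DefaultRows;

        // Placeholder response; the real query would use the validated values.
        return Ok(new { offset = effectiveOffset, rows = effectiveRows });
    }
}
```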