3

I have a POST method in my ASP.NET Core web API which takes a model as a parameter (binding the POST content directly to the model). The model contains all of its parameters as optional parameters. While scanning the web service using Veracode, I get flaw-1 with CWE 915 (Insufficient input validation for ErrorReporter Service reasons.), which is a possible scenario for an MVC EF application.

I have gone through the article. It says to use the Bind attribute with the Include and Exclude properties. But in my case, I don't have any parameter which is mandatory to pass in the model.

Is there any alternative to resolve this, or any attribute with which I can suppress the Veracode finding for this specific method in the code itself?

  • (2) I have the same problem, also using ASP.NET Core Web API. I have tried adding the [Bind] attribute to the parameter of my controller action, but I still get the warning. I hate Veracode. – Matt Frear Sep 11 '18 at 08:49
  • I resolved this issue by choosing "Mitigate by Design" on the Veracode report, and writing that my request uses a view model, so it is not an issue. – Matt Frear Sep 11 '18 at 09:12
  • Yeah, for now I have mitigated the issue, as it is not exploitable in our case, but I just wanted to know what the possible solutions to resolve this could be. @MattFrear – Harshvardhan Chittora Sep 11 '18 at 14:13
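The finding Veracode maps to CWE-915 is over-posting (mass assignment): when the request body is bound straight onto a persistence model, a client can set any public property the entity has, not only the ones the endpoint intended to accept. The example below is added here to illustrate the two options discussed in the question and comments; it is not code from the original post or from Veracode. The `User` entity, `CreateUserRequest` model and `UsersController` are hypothetical names, and the database context is assumed and left out.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;

// Hypothetical EF entity. Binding it directly lets a client set IsAdmin,
// which is the CWE-915 over-posting scenario the scanner flags.
public class User
{
    public int Id { get; set; }
    public string Email { get; set; }
    public string DisplayName { get; set; }
    public bool IsAdmin { get; set; }
}

// Request model (view model) that exposes only the members a client may set.
// Every member is optional; that is fine, because the protection comes from
// the sensitive members not existing on this type at all, not from which
// ones are required.
public class CreateUserRequest
{
    [EmailAddress]
    public string Email { get; set; }

    [StringLength(64)]
    public string DisplayName { get; set; }
}

[ApiController]
[Route("api/users")]
public class UsersController : ControllerBase
{
    // Vulnerable: the JSON body is deserialised straight into the entity, so a
    // request body of {"email":"a@b.test","isAdmin":true} would be accepted as-is.
    [HttpPost("insecure")]
    public IActionResult CreateInsecure([FromBody] User user)
    {
        // _db.Users.Add(user); _db.SaveChanges();   // assumed DbContext, omitted here
        return Ok(user);
    }

    // Preferred: bind to the request model, then copy the allowed fields onto
    // the entity explicitly. IsAdmin is set by server-side logic only, so no
    // request body can influence it.
    [HttpPost]
    public IActionResult Create([FromBody] CreateUserRequest request)
    {
        var user = new User
        {
            Email = request.Email,
            DisplayName = request.DisplayName,
            IsAdmin = false
        };
        // _db.Users.Add(user); _db.SaveChanges();   // assumed DbContext, omitted here
        return CreatedAtAction(nameof(Create), new { id = user.Id }, user);
    }
}
```

One caveat on the `[Bind]` route the article suggests: in ASP.NET Core, `[Bind]` (like `[BindNever]`) only governs model binding from form, route and query data; it does not affect the input formatters that deserialise a `[FromBody]` JSON body. On a Web API action that binds the body, it therefore has no effect on what a client can set, which is consistent with the comment above that adding `[Bind]` did not change the result. A dedicated request model, as in `Create`, is the approach that actually removes the extra properties from the attack surface rather than only annotating them.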

1 Answer

-2

Insufficient Input Validation is caused by using user input directly to make decisions, and it can be overcome by sanitizing the input that is taken.

string cleanInput = new Sanitize(userInput).Value;

This Sanitize class could be put in an appropriate place in your project

using System;

public class Sanitize
{
    // Sanitized copy of the input, with angle brackets removed
    public string Value { get; }

    public Sanitize(dynamic input)
    {
        string inputValue = Convert.ToString(input);
        Value = inputValue.Replace("<", "").Replace(">", "");
    }
}