Fix S6964 FP: Properties decorated with the [BindNever] attribute

zsolt-kolbay-sonarsource · zsolt-kolbay-sonarsource · commit cab38c087f1e · 2024-05-30T11:26:24.000+02:00
diff --git a/analyzers/src/SonarAnalyzer.CSharp/Rules/AspNet/AvoidUnderPosting.cs b/analyzers/src/SonarAnalyzer.CSharp/Rules/AspNet/AvoidUnderPosting.cs
@@ -115,6 +115,7 @@ private static void GetAllDeclaredProperties(ITypeSymbol type, ConcurrentDiction
                 .Where(x => x.GetEffectiveAccessibility() == Accessibility.Public
                     && x.SetMethod?.DeclaredAccessibility is Accessibility.Public
                     && !HasValidateNeverAttribute(x)
+                    && !x.HasAttribute(KnownType.Microsoft_AspNetCore_Mvc_ModelBinding_BindNeverAttribute)
                     && x.DeclaringSyntaxReferences.Length > 0
                     && !IgnoreType(x.Type));
             foreach (var property in properties)
@@ -140,7 +141,8 @@ private static IEnumerable<INamedTypeSymbol> RelatedTypesToExamine(ITypeSymbol t
             IArrayTypeSymbol array => RelatedTypesToExamine(array.ElementType, controllerType),
             INamedTypeSymbol collection when collection.DerivesOrImplements(KnownType.System_Collections_Generic_IEnumerable_T) =>
                 collection.TypeArguments.SelectMany(x => RelatedTypesToExamine(x, controllerType)),
-            INamedTypeSymbol namedType when type.IsInSameAssembly(controllerType) => [namedType],
+            INamedTypeSymbol namedType when type.IsInSameAssembly(controllerType)
+                && !type.HasAttribute(KnownType.Microsoft_AspNetCore_Mvc_ModelBinding_BindNeverAttribute) => [namedType],
             _ => []
         };
 
diff --git a/analyzers/src/SonarAnalyzer.Common/Helpers/KnownType.cs b/analyzers/src/SonarAnalyzer.Common/Helpers/KnownType.cs
@@ -101,6 +101,7 @@ public sealed partial class KnownType
         public static readonly KnownType Microsoft_AspNetCore_Mvc_IActionResult = new("Microsoft.AspNetCore.Mvc.IActionResult");
         public static readonly KnownType Microsoft_AspNetCore_Mvc_IgnoreAntiforgeryTokenAttribute = new("Microsoft.AspNetCore.Mvc.IgnoreAntiforgeryTokenAttribute");
         public static readonly KnownType Microsoft_AspNetCore_Mvc_Infrastructure_ActionResultObjectValueAttribute = new("Microsoft.AspNetCore.Mvc.Infrastructure.ActionResultObjectValueAttribute");
+        public static readonly KnownType Microsoft_AspNetCore_Mvc_ModelBinding_BindNeverAttribute = new("Microsoft.AspNetCore.Mvc.ModelBinding.BindNeverAttribute");
         public static readonly KnownType Microsoft_AspNetCore_Mvc_ModelBinding_ModelStateDictionary = new("Microsoft.AspNetCore.Mvc.ModelBinding.ModelStateDictionary");
         public static readonly KnownType Microsoft_AspNetCore_Mvc_ModelBinding_Validation_ValidateNeverAttribute = new("Microsoft.AspNetCore.Mvc.ModelBinding.Validation.ValidateNeverAttribute");
         public static readonly KnownType Microsoft_AspNetCore_Mvc_NonActionAttribute = new("Microsoft.AspNetCore.Mvc.NonActionAttribute");
diff --git a/analyzers/tests/SonarAnalyzer.Test/TestCases/AspNet/AvoidUnderPosting.cs b/analyzers/tests/SonarAnalyzer.Test/TestCases/AspNet/AvoidUnderPosting.cs
@@ -1,4 +1,5 @@
 ﻿using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
 using Microsoft.AspNetCore.Mvc.ModelBinding.Validation;
 using System;
 using System.Collections.Generic;
@@ -302,3 +303,23 @@ public bool IsProperty // Noncompliant
         set;
     }
 }
+
+namespace UsingBindNeverAttribute
+{
+    public class ModelWithBindNeverProperty
+    {
+        [BindNever] public int ValueProperty { get; set; }
+    }
+
+    [BindNever]
+    public class EntireModelWithBindNeverAttribute
+    {
+        public int ValueProperty { get; set; }
+    }
+
+    public class CustomController : Controller
+    {
+        [HttpGet] public IActionResult Get(ModelWithBindNeverProperty model) => View(model);
+        [HttpPost] public IActionResult Post(EntireModelWithBindNeverAttribute model) => View(model);
+    }
+}
