C#-CWE-306

Missing authentication for critical functions (CWE-306)

Required inputs: CSharpAST

This rule detects **CWE-306: Missing Authentication for Critical Function** in C# codebases (especially ASP.NET Core). The analyser flags **public methods** that appear *critical* but do not require authentication/authorization. A conservative, explainable heuristic is used to decide if a method is *critical*:

* **HTTP mutating attributes**: methods annotated with `[HttpPost]`, `[HttpPut]`, `[HttpDelete]`, or `[HttpPatch]` are considered critical controller actions.
* **Method-name heuristics**: method names that start with verbs commonly associated with state changes (e.g., `Create`, `Delete`, `Update`, `Transfer`, `Save`, `Execute`, `Withdraw`, `Deposit`, `Approve`, `Reject`, etc.).
* **(Optional/Configurable)** Body-based sensitive-API usage: calls to file I/O, process-start, DB `SaveChanges`/`Execute*`, or other clearly sensitive APIs — those methods are likely critical even if the name doesn't match.

The rule issues `missing_authentication` when a public method that matches the "critical" heuristics **does not** have an `[Authorize]` attribute and its containing type also does not provide authorization (and is not explicitly marked `[AllowAnonymous]`).

**Why this matters**

Critical functions that change state, access sensitive data, or interact with system resources must ensure callers are authenticated and authorized. Missing authentication lets unauthenticated callers trigger sensitive operations.

**Examples**

Safe controller action (requires authentication):

```csharp
[Authorize]
[HttpPost]
public IActionResult DeleteUser(int id)
{
    _userService.DeleteUser(id);
    return Ok();
}
```

Intentional public action (explicit opt-out):

```csharp
[AllowAnonymous]
[HttpGet]
public IActionResult PublicInfo()
{
    return Ok("This endpoint is intentionally public.");
}
```

Non-controller critical method that should be protected (example pattern):

```csharp
public class BankService
{
    // This public transfer method is critical — the analyzer will flag it if it lacks [Authorize]
    public void TransferFunds(string from, string to, decimal amount)
    {
        // perform withdraw/deposit
    }
}
```

**Recommendations / Remediation**

* Add `[Authorize]` on controller actions or on controller classes to require authentication.
* If an action is intentionally public, mark it `[AllowAnonymous]` so the rule does not report it.
* For non-controller public APIs that are critical (e.g., services that perform transfers, payments, file deletions), consider:
  * Making them internal where possible, or
  * Ensuring callers perform appropriate authentication/authorization checks, or
  * Adding a custom `[Authorize]`-like attribute if those methods are entry points in hosted services.
* Tune the heuristic lists (verb prefixes, sensitive API types) in the analyser to match your codebase and reduce false positives.

**Notes**

* This rule is conservative and explainable — it uses deterministic heuristics rather than ML. Teams may wish to:
  * Add a custom `[Critical]` attribute to explicitly mark methods as critical (and modify the analyser to check for it).
  * Provide configuration to adjust the verb list or sensitive API patterns.
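As an added example (not the rule's own implementation, which consumes a CSharpAST), the decision logic described above applied to raw C# source with a line-oriented scanner: attribute names are collected until the next class or public method declaration, and a method is reported when it is critical and neither it nor its containing type carries `[Authorize]` or `[AllowAnonymous]`. The regexes, the constructed controller and `BankService` source, and honouring a class-level `[AllowAnonymous]` as an opt-out are this example's assumptions; the optional body-based sensitive-API check is not implemented.

```python
import re
# Heuristics from the rule text: mutating HTTP attributes or a state-changing verb prefix.
MUTATING_HTTP = {"HttpPost", "HttpPut", "HttpDelete", "HttpPatch"}
CRITICAL_VERBS = ("Create", "Delete", "Update", "Transfer", "Save", "Execute",
                  "Withdraw", "Deposit", "Approve", "Reject")
ATTR_RE = re.compile(r"\[\s*([A-Za-z_]\w*)")          # first name inside each [Name(...)]
CLASS_RE = re.compile(r"\bclass\s+(\w+)")
METHOD_RE = re.compile(r"\bpublic\s+(?:static\s+|async\s+|virtual\s+|override\s+)*"
                       r"[\w<>\[\],.]+\s+(\w+)\s*\(")  # return type, then method name(

def is_critical(name: str, attrs: set[str]) -> bool:
    return bool(attrs & MUTATING_HTTP) or name.startswith(CRITICAL_VERBS)

def is_protected(attrs: set[str], class_attrs: set[str]) -> bool:
    # [Authorize] on the method or its type, or an explicit [AllowAnonymous] opt-out
    # (honouring the opt-out at class level as well is an assumption of this example).
    both = attrs | class_attrs
    return "Authorize" in both or "AllowAnonymous" in both

def find_missing_authentication(source: str) -> list[str]:
    """Return 'Type.Method' for each public critical method the rule would report."""
    findings, pending, current_class, class_attrs = [], set(), "<global>", set()
    for raw in source.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("["):            # attribute lines accumulate until a declaration
            pending.update(ATTR_RE.findall(line))
            continue
        if m := CLASS_RE.search(line):      # nested types are not tracked (simplification)
            current_class, class_attrs, pending = m.group(1), pending, set()
            continue
        if m := METHOD_RE.search(line):
            if is_critical(m.group(1), pending) and not is_protected(pending, class_attrs):
                findings.append(f"{current_class}.{m.group(1)}")
        pending = set()                     # any other statement ends the attribute run
    return findings

# Constructed sample: the page's examples plus an unprotected [HttpPut] action.
SAMPLE = """public class UsersController : ControllerBase {
    [Authorize] [HttpPost]
    public IActionResult DeleteUser(int id) { return Ok(); }
    [AllowAnonymous] [HttpGet]
    public IActionResult PublicInfo() { return Ok(); }
    [HttpPut]
    public IActionResult UpdateProfile(Profile p) { return Ok(); }
}
public class BankService {
    public decimal GetBalance(string account) { return 0m; }
    public void TransferFunds(string from, string to, decimal amount) { }
}"""
```

`find_missing_authentication(SAMPLE)` returns `['UsersController.UpdateProfile', 'BankService.TransferFunds']`; the `[Authorize] [HttpPost]` action, the `[AllowAnonymous]` action and the read-only `GetBalance` are not reported.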

Possible Messages

| Key | Text | Severity | Disabled |
| --- | --- | --- | --- |
| missing_authentication | Public critical method is missing authentication/authorization attributes. Protect critical functions with [Authorize] or explicitly mark them [AllowAnonymous] if they are intentionally public. | None | False |

Options