C#-CWE-862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action

Required inputs: CSharpAST

This rule detects missing authorization and misconfigured authentication/authorization middleware in ASP.NET Core applications. It checks for two main issues:

1. Middleware misconfiguration:
   - `UseAuthentication()` should be called before `UseAuthorization()`.
   - `UseAuthorization()` should be called before mapping any endpoints (e.g., `MapControllers`, `MapGet`).
2. Controller action attribute check:
   - Public controller methods must have `[Authorize]` to protect them, or `[AllowAnonymous]` if they are intentionally open.

Example of correct middleware configuration in C# (Program.cs or Startup.cs):

app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

Example of a safe controller action in C#:

[Authorize]
public IActionResult GetSecretData()
{
    return Ok("Protected content");
}

[AllowAnonymous]
public IActionResult GetPublicData()
{
    return Ok("Public content");
}
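To show both checks in one runnable unit, here is an added example (not code from the rule documentation or from the analyzer project) of a minimal ASP.NET Core application: the middleware registered in the order the rule expects, followed by a controller whose public actions each carry an explicit attribute. It assumes .NET 6+ minimal hosting with JWT bearer authentication; the `Authority` and `Audience` values, the controller name, and the route strings are placeholders. The `FallbackPolicy` registration is an extra defence-in-depth setting that the rule itself does not check.

```csharp
// Added example, not from the rule documentation: minimal ASP.NET Core app
// demonstrating the middleware order and the controller attributes the rule
// looks for. Assumes the Microsoft.AspNetCore.Authentication.JwtBearer package;
// authority/audience values are placeholders.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://issuer.example"; // placeholder
        options.Audience = "secret-api";              // placeholder
    });

// Defence in depth beyond what the rule checks: an endpoint that carries no
// attribute at all is denied by default rather than left silently open.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});
builder.Services.AddControllers();

var app = builder.Build();

// Order matters: authenticate first (populates HttpContext.User), then
// authorize (evaluates [Authorize] and policies), then map endpoints.
// Swapping the first two, or calling MapControllers() before
// UseAuthorization(), is what the rule reports as "missing_middleware".
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

app.Run();

[ApiController]
[Route("api/[controller]")]
public class SecretsController : ControllerBase
{
    // Explicitly protected: the rule accepts this action as covered.
    [Authorize]
    [HttpGet("data")]
    public IActionResult GetSecretData() => Ok("Protected content");

    // Intentionally public: the explicit attribute records that this is a
    // deliberate choice, so the rule (and a reviewer) does not flag it.
    [AllowAnonymous]
    [HttpGet("public")]
    public IActionResult GetPublicData() => Ok("Public content");

    // A public action with neither attribute would be reported as
    // "missing_authorization":
    // [HttpGet("forgotten")]
    // public IActionResult GetForgottenData() => Ok("Unreviewed exposure");
}
```

The commented-out action at the end is the shape the `missing_authorization` message targets. Note that the fallback policy would make such an action return 401 at runtime anyway, but the rule still reports it, because an explicit attribute is what makes the intended access level visible in code review.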

Possible Messages

| Key | Text | Severity | Disabled |
| --- | --- | --- | --- |
| missing_authorization | Public controller action is missing explicit authorization attributes. Add [Authorize] to protect it or [AllowAnonymous] to explicitly mark it as open. | None | False |
| missing_middleware | Authentication/Authorization middleware is not configured correctly. Make sure to call app.UseAuthentication() before app.UseAuthorization(), and app.UseAuthorization() before mapping endpoints (e.g. MapControllers). | None | False |

Options