SonarSource/sonar-dotnet

Fix S6967 FP: controller without model


Description

S6967 reports an error for a controller that does not use any model.

Repro steps

This controller accepts a boolean in the parameters. I think it does not make sense to validate the model state in these cases.
This also happens with controllers accepting integers or strings in the parameters.

[HttpGet(Constants.Controllers.Home.Routes.SessionError)]
[ActionName(Constants.Controllers.Home.Actions.SessionError)]
[AllowAnonymous]
public virtual IActionResult SessionErrorView(bool signedIn)
{
    SessionRefreshViewModel model = new SessionRefreshViewModel()
    {
        SignedIn = signedIn
    };

    return this.PartialView(Constants.Views.ShellViews.SessionError, model);
}

Expected behavior

This controller action should not trigger the rule error.

Actual behavior

See above.

Known workarounds

None.

Related information

  • SonarAnalyzer.CSharp version 9.25.0.90414
  • Visual Studio 17.9.6
  • .NET 8.0.204
  • Windows 10

Hi @hugoqribeiro. Thank you for reporting the issue.
I don't consider this a False Positive for a bool type argument. Even though the Controller doesn't have a complex Model type as an input, the client can still pass something invalid.
e.g. .../SessionError?signedIn=HELLO
This input will result in ModelState.IsValid being set to false in the Action method.
Similarly, you can pass an invalid value for an integer as well (something that's out of range or not a number).
Now a string input is a different question: I don't know if the client can pass anything invalid (maybe mess up the encoding?). I'll check if I can turn ModelState.IsValid to false in any way with a string input. If not, then an exception will be added to the rule.
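
The behaviour described in the reply above, as an added example that is not part of the original thread or of the SonarSource code base: the reported action with a ModelState.IsValid guard, so a request such as ?signedIn=HELLO is rejected instead of running with signedIn left at its default value. The class names, the route string and the view name are placeholders assumed for illustration.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Placeholder view model standing in for the reporter's SessionRefreshViewModel.
public class SessionRefreshViewModel
{
    public bool SignedIn { get; set; }
}

public class HomeController : Controller
{
    // Placeholder route and view name; the report uses its own Constants class.
    [HttpGet("home/session-error")]
    [AllowAnonymous]
    public virtual IActionResult SessionErrorView(bool signedIn)
    {
        // "HELLO" cannot be converted to bool. Model binding records the
        // failure under the "signedIn" key in ModelState, and the action
        // still executes with signedIn == default(bool), i.e. false.
        if (!ModelState.IsValid)
        {
            // Return 400 with the binding errors rather than rendering a
            // view for a value the caller never actually supplied.
            return BadRequest(ModelState);
        }

        var model = new SessionRefreshViewModel { SignedIn = signedIn };
        return PartialView("SessionError", model);
    }
}
```

Without the guard, a malformed query value is indistinguishable inside the action from an explicit signedIn=false.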

In my opinion, string, object, and dynamic types should be ignored for Controller Action method parameters and Model properties.