[CodeQL] Suppress CSRF token validation warnings (#9278)

advay26 · web-flow · commit 0d1b0158ffbe · 2022-10-14T12:04:02.000-07:00
* Added CSRF token checks to address CodeQL bugs

* Added CodeQL suppressions
diff --git a/src/NuGetGallery/Controllers/ApiController.cs b/src/NuGetGallery/Controllers/ApiController.cs
@@ -331,6 +331,7 @@ public virtual ActionResult SimulateError(SimulatedErrorType type = SimulatedErr
         [ApiScopeRequired(NuGetScopes.PackagePush, NuGetScopes.PackagePushVersion)]
         [ActionName("CreatePackageVerificationKey")]
         public virtual async Task<ActionResult> CreatePackageVerificationKeyAsync(string id, string version)
+        // CodeQL [SM00433] This endpoint uses API Key authentication
         {
             // For backwards compatibility, we must preserve existing behavior where the client always pushes
             // symbols and the VerifyPackageKey callback returns the appropriate response. For this reason, we
@@ -427,6 +428,7 @@ public virtual Task<ActionResult> CreatePackagePut()
         [ApiScopeRequired(NuGetScopes.PackagePush, NuGetScopes.PackagePushVersion)]
         [ActionName("PushPackageApi")]
         public virtual Task<ActionResult> CreatePackagePost()
+        // CodeQL [SM00433] This endpoint uses API Key authentication
         {
             return CreatePackageInternal();
         }
@@ -948,6 +950,7 @@ await PackageDeleteService.SoftDeletePackagesAsync(
         [ApiScopeRequired(NuGetScopes.PackageUnlist)]
         [ActionName("PublishPackageApi")]
         public virtual async Task<ActionResult> PublishPackage(string id, string version)
+        // CodeQL [SM00433] This endpoint uses API Key authentication
         {
             var package = PackageService.FindPackageByIdAndVersionStrict(id, version);
             if (package == null)

Original file line number	Diff line number	Diff line change
`@@ -331,6 +331,7 @@ public virtual ActionResult SimulateError(SimulatedErrorType type = SimulatedErr`
`331`	`331`	`[ApiScopeRequired(NuGetScopes.PackagePush, NuGetScopes.PackagePushVersion)]`
`332`	`332`	`[ActionName("CreatePackageVerificationKey")]`
`333`	`333`	`public virtual async Task<ActionResult> CreatePackageVerificationKeyAsync(string id, string version)`
	`334`	`+ // CodeQL [SM00433] This endpoint uses API Key authentication`
`334`	`335`	`{`
`335`	`336`	`// For backwards compatibility, we must preserve existing behavior where the client always pushes`
`336`	`337`	`// symbols and the VerifyPackageKey callback returns the appropriate response. For this reason, we`
`@@ -427,6 +428,7 @@ public virtual Task<ActionResult> CreatePackagePut()`
`427`	`428`	`[ApiScopeRequired(NuGetScopes.PackagePush, NuGetScopes.PackagePushVersion)]`
`428`	`429`	`[ActionName("PushPackageApi")]`
`429`	`430`	`public virtual Task<ActionResult> CreatePackagePost()`
	`431`	`+ // CodeQL [SM00433] This endpoint uses API Key authentication`
`430`	`432`	`{`
`431`	`433`	`return CreatePackageInternal();`
`432`	`434`	`}`
`@@ -948,6 +950,7 @@ await PackageDeleteService.SoftDeletePackagesAsync(`
`948`	`950`	`[ApiScopeRequired(NuGetScopes.PackageUnlist)]`
`949`	`951`	`[ActionName("PublishPackageApi")]`
`950`	`952`	`public virtual async Task<ActionResult> PublishPackage(string id, string version)`
	`953`	`+ // CodeQL [SM00433] This endpoint uses API Key authentication`
`951`	`954`	`{`
`952`	`955`	`var package = PackageService.FindPackageByIdAndVersionStrict(id, version);`
`953`	`956`	`if (package == null)`