Querying the ModelState.IsValid property is necessary because it tells you whether the data submitted in the HTTP request is valid.
This property evaluates all the validation attributes applied to your model properties and determines whether the data provided satisfies those validation rules.
What is the potential impact?
Skipping model validation can lead to:
- Data Integrity Issues: Without validation, incorrect or inconsistent data can be saved to your database, leading to potential data corruption or loss.
- Security Vulnerabilities: Skipping validation can expose your application to security risks.
- Application Errors: Invalid data can lead to unexpected application errors or crashes, which can disrupt the user experience and potentially lead to data loss.
- Poor User Experience: Without validation, users may not receive appropriate feedback about any mistakes in the data they have entered, leading to confusion and frustration.
- Increased Debugging Time: If invalid data causes issues in your application and was not validated at the entry point, it can take significantly more time to debug and fix these issues.
Therefore, it’s highly recommended to always validate models in your application to ensure data integrity, application stability, and a good user experience.
While client-side validation enhances user experience by providing immediate feedback, it’s not sufficient due to potential manipulation of client-side code, browser compatibility issues, and dependence on JavaScript. Users can bypass or disable it, leading to invalid or malicious data being submitted. Therefore, server-side validation is essential to ensure data integrity and security, making it a best practice to use both client-side and server-side validation in your application.
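The difference in a plain MVC controller, as an added example that is not part of the original rule description. The TransferRequest model, TransferController, its routes and the Save helper are hypothetical, and the file assumes an ASP.NET Core web project.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
var app = builder.Build();
app.MapControllers();
app.Run();

// Hypothetical model: these attributes are what ModelState.IsValid reports on.
public class TransferRequest
{
    [Required, StringLength(34, MinimumLength = 15)]
    public string? ToAccount { get; set; }

    [Range(0.01, 10000)]
    public decimal Amount { get; set; }
}

// Plain controller: binding records validation errors in ModelState, but the action still runs.
[Route("transfers")]
public class TransferController : Controller
{
    // Noncompliant: a negative Amount or a missing ToAccount reaches Save unchanged.
    [HttpPost("unchecked")]
    public IActionResult CreateUnchecked([FromBody] TransferRequest request)
        => Ok(Save(request));

    // Compliant: invalid input is rejected with HTTP 400 and the recorded errors.
    [HttpPost("checked")]
    public IActionResult CreateChecked([FromBody] TransferRequest request)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }
        return Ok(Save(request));
    }

    // Stand-in for the persistence layer (assumption for this example).
    private static string Save(TransferRequest r) => $"queued {r.Amount} to {r.ToAccount}";
}
```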
Exceptions
- Web API controllers don’t have to check ModelState.IsValid if they have the [ApiController] attribute. In that case, an automatic HTTP 400 response containing error details is returned when model state is invalid.
- When action filters are used for controller actions, the analyzer will skip the model validation detection to avoid false positives since the model state could be verified by the action filter.
- TryValidateModel can also be used for model validation.
- The project references a third-party library for validation, e.g. FluentValidation.
- The rule will not raise issues if the model, or the model members, are not decorated with validation attributes, or if it does not implement custom validation.