Add ModelState validation to controller actions to resolve security warnings (#345)

* Initial plan

* Add ModelState.IsValid validation to all controller actions

Co-authored-by: samsmithnz <8389039+samsmithnz@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: samsmithnz <8389039+samsmithnz@users.noreply.github.com>

Author: Copilot

PipelinesToActions/PipelinesToActions.Tests/HomeControllerTests.cs

@@ -0,0 +1,169 @@
+using Microsoft.ApplicationInsights;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
+using PipelinesToActionsWeb.Controllers;
+using System.ComponentModel.DataAnnotations;
+
+namespace PipelinesToActions.Tests
+{
+    [TestClass]
+    public class HomeControllerTests
+    {
+        private HomeController _controller = null!;
+        private ILogger<HomeController> _logger = null!;
+        private TelemetryClient _telemetryClient = null!;
+
+        [TestInitialize]
+        public void Setup()
+        {
+            _logger = new NullLogger<HomeController>();
+            _telemetryClient = new TelemetryClient();
+            _controller = new HomeController(_logger, _telemetryClient);
+        }
+
+        [TestMethod]
+        public void Index_Get_ReturnsViewWithEmptyModel()
+        {
+            //Arrange
+
+            //Act
+            var result = _controller.Index();
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(ViewResult));
+            var viewResult = (ViewResult)result;
+            Assert.IsNotNull(viewResult.Model);
+        }
+
+        [TestMethod]
+        public void Index_Post_WithValidModel_ProcessesConversion()
+        {
+            //Arrange
+            string testYaml = "trigger:\n- main\n\npool:\n  vmImage: 'ubuntu-latest'\n\nsteps:\n- script: echo Hello world";
+            bool addWorkflowDispatch = false;
+
+            //Act
+            var result = _controller.Index(testYaml, addWorkflowDispatch);
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(ViewResult));
+            var viewResult = (ViewResult)result;
+            Assert.IsNotNull(viewResult.Model);
+        }
+
+        [TestMethod]
+        public void Index_Post_WithInvalidModel_ReturnsEmptyResult()
+        {
+            //Arrange
+            string testYaml = "valid yaml";
+            bool addWorkflowDispatch = false;
+            
+            // Simulate invalid model state
+            _controller.ModelState.AddModelError("TestError", "Test validation error");
+
+            //Act
+            var result = _controller.Index(testYaml, addWorkflowDispatch);
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(ViewResult));
+            var viewResult = (ViewResult)result;
+            Assert.IsNotNull(viewResult.Model);
+            // The model should be an empty ConversionResponse when ModelState is invalid
+        }
+
+        [TestMethod]
+        public void CIExample_WithValidModel_ReturnsView()
+        {
+            //Arrange
+
+            //Act
+            var result = _controller.CIExample();
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(ViewResult));
+        }
+
+        [TestMethod]
+        public void CIExample_WithInvalidModel_RedirectsToIndex()
+        {
+            //Arrange
+            _controller.ModelState.AddModelError("TestError", "Test validation error");
+
+            //Act
+            var result = _controller.CIExample();
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(RedirectToActionResult));
+            var redirectResult = (RedirectToActionResult)result;
+            Assert.AreEqual("Index", redirectResult.ActionName);
+        }
+
+        [TestMethod]
+        public void DotNetFrameworkDesktopExample_WithValidModel_ReturnsView()
+        {
+            //Arrange
+
+            //Act
+            var result = _controller.DotNetFrameworkDesktopExample();
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(ViewResult));
+        }
+
+        [TestMethod]
+        public void DotNetFrameworkDesktopExample_WithInvalidModel_RedirectsToIndex()
+        {
+            //Arrange
+            _controller.ModelState.AddModelError("TestError", "Test validation error");
+
+            //Act
+            var result = _controller.DotNetFrameworkDesktopExample();
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(RedirectToActionResult));
+            var redirectResult = (RedirectToActionResult)result;
+            Assert.AreEqual("Index", redirectResult.ActionName);
+        }
+
+        [TestMethod]
+        public void NodeExample_WithInvalidModel_RedirectsToIndex()
+        {
+            //Arrange
+            _controller.ModelState.AddModelError("TestError", "Test validation error");
+
+            //Act
+            var result = _controller.NodeExample();
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(RedirectToActionResult));
+            var redirectResult = (RedirectToActionResult)result;
+            Assert.AreEqual("Index", redirectResult.ActionName);
+        }
+
+        [TestMethod]
+        public void PythonExample_WithInvalidModel_RedirectsToIndex()
+        {
+            //Arrange
+            _controller.ModelState.AddModelError("TestError", "Test validation error");
+
+            //Act
+            var result = _controller.PythonExample();
+
+            //Assert
+            Assert.IsNotNull(result);
+            Assert.IsInstanceOfType(result, typeof(RedirectToActionResult));
+            var redirectResult = (RedirectToActionResult)result;
+            Assert.AreEqual("Index", redirectResult.ActionName);
+        }
+    }
+}

PipelinesToActions/PipelinesToActions.Tests/PipelinesToActions.Tests.csproj

@@ -12,6 +12,7 @@
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
     <PackageReference Include="MSTest.TestAdapter" Version="3.1.1" />
     <PackageReference Include="MSTest.TestFramework" Version="3.1.1" />

PipelinesToActions/PipelinesToActions/Controllers/HomeController.cs

@@ -33,6 +33,13 @@ public IActionResult Index()
         [HttpPost]
         public IActionResult Index(string txtAzurePipelinesYAML, bool chkAddWorkflowDispatch)
         {
+            if (!ModelState.IsValid)
+            {
+                // If model state is invalid, return to the form with an empty result
+                ConversionResponse emptyResult = new ConversionResponse();
+                return View(model: (emptyResult, chkAddWorkflowDispatch));
+            }
+
             (ConversionResponse, bool) gitHubResult = ProcessConversion(txtAzurePipelinesYAML, chkAddWorkflowDispatch);
 
             return View(model: gitHubResult);
@@ -116,6 +123,11 @@ public IActionResult Index(string txtAzurePipelinesYAML, bool chkAddWorkflowDisp
         [HttpPost]
         public IActionResult DotNetFrameworkDesktopExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.DotNetFrameworkDesktopExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -125,6 +137,11 @@ public IActionResult DotNetFrameworkDesktopExample(bool chkAddWorkflowDispatch =
         [HttpPost]
         public IActionResult ASPDotNetFrameworkExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.ASPDotNetFrameworkExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -134,6 +151,11 @@ public IActionResult ASPDotNetFrameworkExample(bool chkAddWorkflowDispatch = fal
         [HttpPost]
         public IActionResult NodeExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.NodeExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -143,6 +165,11 @@ public IActionResult NodeExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult CIExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.CIExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -152,6 +179,11 @@ public IActionResult CIExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult CDExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.CDExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -161,6 +193,11 @@ public IActionResult CDExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult CICDExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.CICDExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -170,6 +207,11 @@ public IActionResult CICDExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult DockerExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.DockerExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -179,6 +221,11 @@ public IActionResult DockerExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult AntExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.AntExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -188,6 +235,11 @@ public IActionResult AntExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult GradleExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.GradleExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -197,6 +249,11 @@ public IActionResult GradleExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult MavenExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.MavenExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -206,6 +263,11 @@ public IActionResult MavenExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult PythonExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.PythonExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);
@@ -215,6 +277,11 @@ public IActionResult PythonExample(bool chkAddWorkflowDispatch = false)
         [HttpPost]
         public IActionResult RubyExample(bool chkAddWorkflowDispatch = false)
         {
+            if (!ModelState.IsValid)
+            {
+                return RedirectToAction(nameof(Index));
+            }
+
             string yaml = Examples.RubyExample();
             (ConversionResponse, bool) gitHubResult = ProcessConversion(yaml, chkAddWorkflowDispatch);
             return View(viewName: "Index", model: gitHubResult);