Add MVC tests

csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs

@@ -0,0 +1,22 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+
+public class CommentController : Controller {
+    // BAD: Any user can access this.
+    public ActionResult Edit1(int commentId, string text) {
+        editComment(commentId, text);
+        return View();
+    }
+
+    // GOOD: The user's authorization is checked.
+    public ActionResult Edit2(int commentId, string text) {
+        if (canEditComment(commentId, User.Identity.Name)){
+            editComment(commentId, text);
+        }
+        return View();
+    }
+
+    void editComment(int commentId, string text) { }
+
+    bool canEditComment(int commentId, string userName) { return false; }
+}

csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected

@@ -0,0 +1 @@
+| CommentController.cs:6:25:6:29 | Edit1 | This method may not verify which users should be able to access resources of the provided ID. |

csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.qlref

@@ -0,0 +1 @@
+Security Features/CWE-639/InsecureDirectObjectReference.ql

csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/options

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj