Add MVC tests

Joe Farebrother
2023-08-17 15:51:48 +01:00
parent 20d42dfd7d
commit 009a7bfc87
4 changed files with 27 additions and 0 deletions


@@ -0,0 +1,22 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
public class CommentController : Controller {
// BAD: Any user can access this.
public ActionResult Edit1(int commentId, string text) {
editComment(commentId, text);
return View();
}
// GOOD: The user's authorization is checked.
public ActionResult Edit2(int commentId, string text) {
if (canEditComment(commentId, User.Identity.Name)){
editComment(commentId, text);
}
return View();
}
void editComment(int commentId, string text) { }
bool canEditComment(int commentId, string userName) { return false; }
}
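Review bot: The lines shown never use `using Microsoft.AspNetCore.Authorization;`, so the test covers only an unguarded action (`Edit1`) and an imperative ownership check (`Edit2`), and leaves attribute-based authorization untested. A plain `[Authorize]` proves only that the caller is authenticated, not that they may edit this particular `commentId`, so the test should pin down how the query treats it. I would add a third action such as `[Authorize] public ActionResult Edit3(int commentId, string text) { editComment(commentId, text); return View(); }`, with a `// BAD` or `// GOOD` comment stating the intended verdict and a matching row in the expected output if it is meant to be flagged. A role- or policy-restricted variant would also be worth a case, since those are the usual ways MVC code expresses who may touch a resource.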


@@ -0,0 +1 @@
| CommentController.cs:6:25:6:29 | Edit1 | This method may not verify which users should be able to access resources of the provided ID. |


@@ -0,0 +1 @@
Security Features/CWE-639/InsecureDirectObjectReference.ql


@@ -0,0 +1,3 @@
semmle-extractor-options: /nostdlib /noconfig
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj