Add test cases for webforms auth via web.config files

2025-12-24 04:36:35 +01:00 · 2023-06-08 16:51:41 +01:00
parent 1b6e7f9140
commit 1500089b86
11 changed files with 116 additions and 4 deletions
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll
@@ -122,7 +122,7 @@ predicate hasAuthViaCode(ActionMethod m) {
  )
 }

-/** An `<authorization>` XML element that */
+/** An `<authorization>` XML element. */
 class AuthorizationXmlElement extends XmlElement {
  AuthorizationXmlElement() {
    this.getParent() instanceof SystemWebXmlElement and
--- a/Features/CWE-285/MissingAccessControl/MissingAccessControl.expected
+++ b/Features/CWE-285/MissingAccessControl/MissingAccessControl.expected
@@ -1,2 +1,3 @@
 | Test1/EditProfile.aspx.cs:9:20:9:29 | btn1_Click | This action is missing an authorization check. |
-| Test1/ViewProfile.aspx.cs:14:20:14:36 | btn_delete1_Click | This action is missing an authorization check. |
+| Test1/ViewProfile.aspx.cs:12:20:12:36 | btn_delete1_Click | This action is missing an authorization check. |
+| Test3/B/EditProfile.aspx.cs:7:20:7:29 | btn1_Click | This action is missing an authorization check. |
--- a/Features/CWE-285/MissingAccessControl/Test1/ViewProfile.aspx.cs
+++ b/Features/CWE-285/MissingAccessControl/Test1/ViewProfile.aspx.cs
@@ -5,8 +5,6 @@ using System.Web.Security;
 class ViewProfile : System.Web.UI.Page {
    private void doThings() { }

-    public System.Security.Principal.IPrincipal User { get; } // TODO: this should be in the stubs
-
    protected void btn_safe_Click(object sender, EventArgs e) {
        doThings();
    }
--- a/Features/CWE-285/MissingAccessControl/Test2/EditProfile.aspx.cs
+++ b/Features/CWE-285/MissingAccessControl/Test2/EditProfile.aspx.cs
@@ -0,0 +1,10 @@
+using System;
+using System.Web.UI;
+
+class EditProfile2 : System.Web.UI.Page {
+    private void doThings() { }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+} 
--- a/Features/CWE-285/MissingAccessControl/Test2/Web.config
+++ b/Features/CWE-285/MissingAccessControl/Test2/Web.config
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+ 
+  <system.web>
+
+      <authorization>
+        <deny users="?" />
+      </authorization>
+
+  </system.web>
+</configuration>
--- a/Features/CWE-285/MissingAccessControl/Test3/A/EditProfile.aspx.cs
+++ b/Features/CWE-285/MissingAccessControl/Test3/A/EditProfile.aspx.cs
@@ -0,0 +1,10 @@
+using System;
+using System.Web.UI;
+
+class EditProfile3 : System.Web.UI.Page {
+    private void doThings() { }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+} 
--- a/Features/CWE-285/MissingAccessControl/Test3/B/EditProfile.aspx.cs
+++ b/Features/CWE-285/MissingAccessControl/Test3/B/EditProfile.aspx.cs
@@ -0,0 +1,10 @@
+using System;
+using System.Web.UI;
+
+class EditProfile4 : System.Web.UI.Page {
+    private void doThings() { }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+} 
--- a/Features/CWE-285/MissingAccessControl/Test3/C/EditProfile.aspx.cs
+++ b/Features/CWE-285/MissingAccessControl/Test3/C/EditProfile.aspx.cs
@@ -0,0 +1,10 @@
+using System;
+using System.Web.UI;
+
+class EditProfile5 : System.Web.UI.Page {
+    private void doThings() { }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+} 
--- a/Features/CWE-285/MissingAccessControl/Test3/Global.asax.cs
+++ b/Features/CWE-285/MissingAccessControl/Test3/Global.asax.cs
@@ -0,0 +1,26 @@
+using System;
+using System.Web;
+using System.Web.Routing;
+
+public class Global : System.Web.HttpApplication {
+
+    void Application_Start(object sender, EventArgs e) {
+        RegisterRoutes(RouteTable.Routes);
+    }
+
+    void Application_End(object sender, EventArgs e) { }
+
+    void Application_Error(object sender, EventArgs e) { }
+
+    void Session_Start(object sender, EventArgs e) { }
+
+    void Session_End(object sender, EventArgs e) { }
+
+    static void RegisterRoutes(RouteCollection routes) {
+        routes.MapPageRoute("VirtualEditProfile",
+            "Virtual/Edit",
+            "~/C/EditProfile.aspx",
+            false
+            );
+    }
+}
--- a/Features/CWE-285/MissingAccessControl/Test3/Web.config
+++ b/Features/CWE-285/MissingAccessControl/Test3/Web.config
@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+ 
+  <location path="A">
+    <system.web>
+      <authorization>
+        <deny users="?" />
+      </authorization>
+    </system.web>
+  </location>
+  <location path="Virtual">
+    <system.web>
+      <authorization>
+        <deny users="?" />
+      </authorization>
+    </system.web>
+  </location>
+</configuration>
--- a/csharp/ql/test/resources/stubs/System.Web.cs
+++ b/csharp/ql/test/resources/stubs/System.Web.cs
@@ -48,6 +48,8 @@ namespace System.Web
    public class HttpApplication : IHttpHandler
    {
        public HttpServerUtility Server { get; }
+
+        public Routing.RouteTable RouteTable { get; }
    }
 }

@@ -79,6 +81,7 @@ namespace System.Web.UI

    public class Page
    {
+        public System.Security.Principal.IPrincipal User { get; } 
    }

    interface IPostBackDataHandler
@@ -300,6 +303,19 @@ namespace System.Web.Routing
    public class RequestContext
    {
    }
+
+    public class Route 
+    {
+    }
+
+    public class RouteTable {
+        public RouteCollection Routes { get; }
+    }
+
+    public class RouteCollection 
+    {
+        public Route MapPageRoute(string routeName, string routeUrl, string physicalFile, bool checkPhysicalUrlAccess) { return null; }
+    }
 }

 namespace System.Web.Security