Add an additional example and additional test cases for authorize attribute cases

2025-12-22 11:46:32 +01:00 · 2023-09-20 04:10:51 +01:00
parent 475fe3a2a5
commit 4497e22195
4 changed files with 63 additions and 3 deletions
--- a/Features/CWE-639/InsecureDirectObjectReference.qhelp
+++ b/Features/CWE-639/InsecureDirectObjectReference.qhelp
@@ -18,16 +18,17 @@ Ensure that the current user is authorized to access the resource of the provide
 <p>In the following example, in the case marked BAD, there is no authorization check, so any user is able to edit any comment.
 In the case marked GOOD, there is a check that the current usr matches the author of the comment.</p>
 <sample src="WebFormsExample.cs" />
-<p>The following example shows a similar case for the ASP.NET Core framework.</p>
+<p>The following example shows a similar case for the ASP.NET Core framework. In the third case, the `Authorize` attribute is used
+to restrict the method to only administrators, which are expected to be able to access arbitrary resources. 
+</p>
 <sample src="MVCExample.cs" />

-
 </example>
 <references>

  <li>OWASP - <a href="https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">Insecure Direct Object Refrences</a>.</li>
  <li>OWASP - <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References">Testing for Insecure Direct Object References</a>.</li>
-  <li>Microsoft Learn = <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
+  <li>Microsoft Learn - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>

 </references>
 </qhelp>
--- a/Features/CWE-639/MVCExample.cs
+++ b/Features/CWE-639/MVCExample.cs
@@ -32,4 +32,14 @@ public class CommentController : Controller {
            return ForbidResult();
        }
    }
+
+    // GOOD: Only users with the `admin` role can access this method.
+    [Authorize(Roles="admin")]
+    public async Task<IActionResult> Edit3(int commentId, string text) {
+        Comment comment = _commentRepository.Find(commentId);
+        
+        comment.Text = text;
+
+        return View();
+    }
 }
--- a/Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected
+++ b/Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected
@@ -1,3 +1,6 @@
 | CommentController.cs:6:25:6:29 | Edit1 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | CommentController.cs:29:25:29:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| MiscTestControllers.cs:26:33:26:40 | EditAnon | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| MiscTestControllers.cs:34:34:34:41 | EditAnon | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| MiscTestControllers.cs:45:25:45:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | ProfileController.cs:14:25:14:29 | Edit2 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
--- a/Features/CWE-639/MVCTests/MiscTestControllers.cs
+++ b/Features/CWE-639/MVCTests/MiscTestControllers.cs
@@ -0,0 +1,46 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+
+public class BaseController : Controller {
+    // GOOD
+    [Authorize]
+    public virtual ActionResult Edit1(int id) { return View(); }
+}
+
+class MyAuthorizeAttribute : AuthorizeAttribute { }
+class MyAllowAnonymousAttribute : AllowAnonymousAttribute { }
+
+public class AController : BaseController {
+    // GOOD - Authorize is inherited from overridden method
+    public override ActionResult Edit1(int id) { return View(); }
+
+    // GOOD - A subclass of Authorize is used
+    [MyAuthorize]
+    public ActionResult Edit2(int id) { return View(); }
+}
+
+[Authorize]
+public class BaseAuthController : Controller {
+    // BAD - A subclass of AllowAnonymous is used
+    [MyAllowAnonymous]
+    public virtual ActionResult EditAnon(int id) { return View(); }
+}
+
+public class BController : BaseAuthController {
+    // GOOD - Authorize is inherited from parent class
+    public ActionResult Edit3(int id) { return View(); }
+
+    // BAD - MyAllowAnonymous is inherited from overridden method
+    public override ActionResult EditAnon(int id) { return View(); }
+}
+
+[AllowAnonymous]
+public class BaseAnonController : Controller {
+
+}
+
+public class CController : BaseAnonController {
+    // BAD - AllowAnonymous is inherited from base class and overrides Authorize
+    [Authorize]
+    public ActionResult Edit4(int id) { return View(); }
+}