hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add an additional example and additional test cases for authorize attribute cases

Browse Source
This commit is contained in:
Joe Farebrother
2023-09-20 04:10:51 +01:00
parent 475fe3a2a5
commit 4497e22195
4 changed files with 63 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
View File

@@ -18,16 +18,17 @@ Ensure that the current user is authorized to access the resource of the provide
<p>In the following example, in the case marked BAD, there is no authorization check, so any user is able to edit any comment.
In the case marked GOOD, there is a check that the current usr matches the author of the comment.</p>
<sample src="WebFormsExample.cs" />
<p>The following example shows a similar case for the ASP.NET Core framework.</p>
<p>The following example shows a similar case for the ASP.NET Core framework. In the third case, the `Authorize` attribute is used
to restrict the method to only administrators, which are expected to be able to access arbitrary resources.
</p>
<sample src="MVCExample.cs" />
</example>
<references>
<li>OWASP - <a href="https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">Insecure Direct Object Refrences</a>.</li>
<li>OWASP - <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References">Testing for Insecure Direct Object References</a>.</li>
<li>Microsoft Learn = <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
<li>Microsoft Learn - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
</references>
</qhelp>

10
csharp/ql/src/Security Features/CWE-639/MVCExample.cs
View File

@@ -32,4 +32,14 @@ public class CommentController : Controller {
return ForbidResult();
}
}
// GOOD: Only users with the `admin` role can access this method.
[Authorize(Roles="admin")]
public async Task<IActionResult> Edit3(int commentId, string text) {
Comment comment = _commentRepository.Find(commentId);
comment.Text = text;
return View();
}
}