Merge pull request #21243 from hvitved/csharp/insecure-object-tests

C#: Add more tests for `InsecureDirectObjectReference.ql`

csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs

@@ -1,16 +1,28 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
+using System.Threading.Tasks;
+
+public class CommentController : Controller
+{
+    private readonly IAuthorizationService _authorizationService;
+
+    public CommentController(IAuthorizationService authorizationService)
+    {
+        _authorizationService = authorizationService;
+    }
 
-public class CommentController : Controller {
     // BAD: Any user can access this.
-    public ActionResult Edit1(int commentId, string text) {
+    public ActionResult Edit1(int commentId, string text)
+    {
         editComment(commentId, text);
         return View();
     }
 
     // GOOD: The user's authorization is checked.
-    public ActionResult Edit2(int commentId, string text) {
-        if (canEditComment(commentId, User.Identity.Name)){
+    public ActionResult Edit2(int commentId, string text)
+    {
+        if (canEditComment(commentId, User.Identity.Name))
+        {
             editComment(commentId, text);
         }
         return View();
@@ -18,7 +30,8 @@ public class CommentController : Controller {
 
     // GOOD: The Authorize attribute is used
     [Authorize]
-    public ActionResult Edit3(int commentId, string text) {
+    public ActionResult Edit3(int commentId, string text)
+    {
         editComment(commentId, text);
         return View();
     }
@@ -26,7 +39,29 @@ public class CommentController : Controller {
     // BAD: The AllowAnonymous attribute overrides the Authorize attribute
     [Authorize]
     [AllowAnonymous]
-    public ActionResult Edit4(int commentId, string text) {
+    public ActionResult Edit4(int commentId, string text)
+    {
+        editComment(commentId, text);
+        return View();
+    }
+
+    // GOOD: An authorization check is made.
+    public async Task<IActionResult> Edit5(int commentId, string text)
+    {
+        var authResult = await _authorizationService.AuthorizeAsync(User, "Comment", "EditPolicy");
+
+        if (authResult.Succeeded)
+        {
+            editComment(commentId, text);
+            return View();
+        }
+        return Forbid();
+    }
+
+    // GOOD: Only users with the `admin` role can access this method.
+    [Authorize(Roles = "admin")]
+    public async Task<IActionResult> Edit6(int commentId, string text)
+    {
         editComment(commentId, text);
         return View();
     }

csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected

@@ -1,5 +1,5 @@
-| CommentController.cs:6:25:6:29 | Edit1 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
-| CommentController.cs:29:25:29:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| CommentController.cs:15:25:15:29 | Edit1 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| CommentController.cs:42:25:42:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | MiscTestControllers.cs:26:33:26:40 | EditAnon | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | MiscTestControllers.cs:34:34:34:41 | EditAnon | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | MiscTestControllers.cs:45:25:45:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |