hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add test cases for authorization from attributes

Browse Source
This commit is contained in:
Joe Farebrother
2023-09-13 16:05:01 +01:00
parent ac45050545
commit 6a95ed64ff
3 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs
View File

@@ -16,6 +16,21 @@ public class CommentController : Controller {
return View();
}
// GOOD: The Authorize attribute is used
[Authorize]
public ActionResult Edit3(int commentId, string text) {
editComment(commentId, text);
return View();
}
// BAD: The AllowAnonymous attribute overrides the Authorize attribute
[Authorize]
[AllowAnonymous]
public ActionResult Edit4(int commentId, string text) {
editComment(commentId, text);
return View();
}
void editComment(int commentId, string text) { }
bool canEditComment(int commentId, string userName) { return false; }

2
csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected
View File

@@ -1 +1,3 @@
| CommentController.cs:6:25:6:29 | Edit1 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
| CommentController.cs:29:25:29:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
| ProfileController.cs:14:25:14:29 | Edit2 | This method may be missing authorization checks for which users can access the resource of the provided ID. |

20
csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/ProfileController.cs Normal file
View File

@@ -0,0 +1,20 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
[Authorize]
public class ProfileController : Controller {
// GOOD: The Authorize attribute of the class restricts access to this method.
public ActionResult Edit1(int profileId, string text) {
editProfileName(profileId, text);
return View();
}
// BAD: The AllowAnonymous attribute therides the Authorize attribute on the class.
[AllowAnonymous]
public ActionResult Edit2(int profileId, string text) {
editProfileName(profileId, text);
return View();
}
void editProfileName(int profileId, string text) { }
}