diff --git a/csharp/ql/src/Security Features/CWE-285/MVC.cs b/csharp/ql/src/Security Features/CWE-285/MVC.cs
new file mode 100644
index 00000000000..58575993482
--- /dev/null
+++ b/csharp/ql/src/Security Features/CWE-285/MVC.cs
@@ -0,0 +1,13 @@
+public class ProfileController : Controller {
+
+ // BAD: No authorization is used.
+ public ActionResult Edit(int id) {
+ ...
+ }
+
+ // GOOD: The `Authorize` tag is used.
+ [Authorize]
+ public ActionResult Delete(int id) {
+ ...
+ }
+}
\ No newline at end of file
diff --git a/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp b/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp
new file mode 100644
index 00000000000..36d3142f85e
--- /dev/null
+++ b/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp
@@ -0,0 +1,54 @@
+
+
+
+
+
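Review bot: The GOOD comment above the Delete action calls `[Authorize]` a tag, but it is an attribute, and the qhelp text in this same commit already uses that term; suggest `// GOOD: The Authorize attribute is used.`. A bare `[Authorize]` only requires an authenticated user, which is a weaker check than the `User.IsInRole("admin")` test in the WebForms sample of this commit; if the two samples are meant to be parallel, `[Authorize(Roles = "admin")]` would show the role restriction as well.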

+Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authentication checks
+to ensure that they cannot be used by arbitrary users.
+

+ +
+ + +

+Ensure that proper authorization checks are made for sensitive actions.
+For WebForms applications, the authorazation tag in Web.config XML files
+can be used to implement access control. The System.Web.UI.Page.User property can also be
+used to verify a user's roles.
+For MVC applications, the Authorize attribute can be used to require authorization on specific
+action methods.
+

+ +
+ + +

+In the following WebForms example, the case marked BAD has no authorization checks; whereas the
+case marked GOOD uses User.IsInRole to check for the user's role.
+

+ + + +

+The following Web.config file uses the authorization tag to deny access to anonymous users,
+in a tag to have it apply to a specific path.
+

+ + + +

+In the following MVC example, the case marked BAD has no authorization
+checks; whereas the case marked GOOD uses the Authorize attribute.
+

+ + + +
+ +
  • Page.User Property - Microsoft Learn
  • +
  • Control authorization permissions in an ASP.NET application - Microsoft Learn
  • +
  • Simple authorization in ASP.NET Core - Microsoft Learn
  • +
    +
diff --git a/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql b/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql
index 5eb62d6ca02..dccb72e01ce 100644
--- a/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql
+++ b/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql
@@ -1,6 +1,6 @@
 /**
  * @name Missing function level access control
- * @description ... TODO
+ * @description Sensitive actions should have authorization checks to prevent them from being used by arbitrary users.
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.5
@@ -8,6 +8,8 @@
  * @id cs/web/missing-function-level-access-control
  * @tags security
  * external/cwe/cwe-285
+ * external/cwe/cwe-284
+ * external/cwe/cwe-862
  */
 
 import csharp
diff --git a/csharp/ql/src/Security Features/CWE-285/Web.config b/csharp/ql/src/Security Features/CWE-285/Web.config
new file mode 100644
index 00000000000..8e83c8d38e9
--- /dev/null
+++ b/csharp/ql/src/Security Features/CWE-285/Web.config
@@ -0,0 +1,11 @@
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/csharp/ql/src/Security Features/CWE-285/WebForms.cs b/csharp/ql/src/Security Features/CWE-285/WebForms.cs
new file mode 100644
index 00000000000..49dce6097f1
--- /dev/null
+++ b/csharp/ql/src/Security Features/CWE-285/WebForms.cs
@@ -0,0 +1,14 @@
+class ProfilePage : System.Web.UI.Page {
+ // BAD: No authorization is used
+ protected void btn1_Edit_Click(object sender, EventArgs e) {
+ ...
+ }
+
+ // GOOD: `User.IsInRole` checks the current user's role.
+ protected void btn2_Delete_Click(object sender, EventArgs e) {
+ if (!User.IsInRole("admin")) {
+ return;
+ }
+ ...
+ }
+}
\ No newline at end of file
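Review bot: The new `@description` line says sensitive actions need "authorization checks", while the qhelp overview added in this same commit says they "should have authentication checks"; the query and its CWE-285/862 tags are about authorization, so the qhelp sentence should be brought in line with this description rather than left as is. The qhelp recommendation paragraph also misspells the Web.config element as "authorazation" where the description correctly uses "authorization". The rest of the comment header is outside this hunk.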
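Review bot: The GOOD handler `btn2_Delete_Click` silently `return`s when `User.IsInRole("admin")` fails, so a denied request completes as a normal page response with no error status and no trace, and readers who copy the sample get an access check that is invisible to monitoring. The sample could end the request with an explicit status before returning, e.g. `Response.StatusCode = 403;`, or at least carry a comment such as `// A real handler should log and reject the request here, not just skip the work.`. The BAD comment also lacks the trailing period the MVC sample's comments use.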