Apply minor reveiw suggstions

2026-04-22 23:35:14 +02:00 · 2023-08-24 11:02:21 +01:00
parent 4967fe0b77
commit 9f25c71ca6
2 changed files with 3 additions and 3 deletions
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
@@ -12,7 +12,7 @@ import ActionMethods
 // Other queries check that there are authorization checks in place for admin methods.
 private predicate needsChecks(ActionMethod m) { m.isEdit() and not m.isAdmin() }

-private Expr getParentExpr(Expr ex) { result = ex.getParent() }
+private Expr getParentExpr(Expr ex) { result.getAChildExpr() = ex }

 /**
 * Holds if `m` has a parameter or access a remote flow source
@@ -41,7 +41,7 @@ private predicate checksUser(ActionMethod m) {

 /**
 * Holds if `m` is a method that modifies a particular resource based on
- * and ID provided by user input, but does not check anything based on the current user
+ * an ID provided by user input, but does not check anything based on the current user
 * to determine if they should modify this resource.
 */
 predicate hasInsecureDirectObjectReference(ActionMethod m) {
--- a/Features/CWE-639/InsecureDirectObjectReference.qhelp
+++ b/Features/CWE-639/InsecureDirectObjectReference.qhelp
@@ -5,7 +5,7 @@
 <overview>
 <p>When an action method accepts an ID parameter used to control which resource (e.g. a comment, a user profile, etc) 
 is being accessed/modified, checks should me made to ensure that the current user is authorized to access that resource. 
-Otherwise, an attacker could access an arbitrary resource by modifying the ID parameter.</p>
+Otherwise, an attacker could access an arbitrary resource by guessing the ID parameter.</p>

 </overview>
 <recommendation>