Check for authorize attributes in more namespaces and on overridden methods

2025-12-24 04:36:35 +01:00 · 2023-09-14 16:15:45 +01:00
parent 6a95ed64ff
commit a2dce6be14
1 changed files with 9 additions and 5 deletions
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
@@ -44,9 +44,11 @@ private predicate hasAuthorizeAttribute(ActionMethod m) {
  exists(Attribute attr |
    attr.getType()
        .getABaseType*()
-        .hasQualifiedName("Microsoft.AspNetCore.Authorization", "AuthorizeAttribute")
+        .hasQualifiedName([
+            "Microsoft.AspNetCore.Authorization", "System.Web.Mvc", "System.Web.Http"
+          ], "AuthorizeAttribute")
  |
-    attr = m.getAnAttribute() or
+    attr = m.getOverridee*().getAnAttribute() or
    attr = m.getDeclaringType().getABaseType*().getAnAttribute()
  )
 }
@@ -56,14 +58,16 @@ private predicate hasAllowAnonymousAttribute(ActionMethod m) {
  exists(Attribute attr |
    attr.getType()
        .getABaseType*()
-        .hasQualifiedName("Microsoft.AspNetCore.Authorization", "AllowAnonymousAttribute")
+        .hasQualifiedName([
+            "Microsoft.AspNetCore.Authorization", "System.Web.Mvc", "System.Web.Http"
+          ], "AllowAnonymousAttribute")
  |
-    attr = m.getAnAttribute() or
+    attr = m.getOverridee*().getAnAttribute() or
    attr = m.getDeclaringType().getABaseType*().getAnAttribute()
  )
 }

-/** Hols if `m` is authorized via an `Authorize` attribute */
+/** Holds if `m` is authorized via an `Authorize` attribute */
 private predicate isAuthorizedViaAttribute(ActionMethod m) {
  hasAuthorizeAttribute(m) and
  not hasAllowAnonymousAttribute(m)