hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Apply doc review suggestions

Browse Source
This commit is contained in:
Joe Farebrother
2023-07-05 15:37:48 +01:00
parent c419e8d24a
commit a53bf4ddd7
3 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
csharp/ql/src/Security Features/CWE-285/MVC.cs
View File

@@ -5,7 +5,7 @@ public class ProfileController : Controller {
...
}
// GOOD: The `Authorize` tag is used.
// GOOD: The `Authorize` attribute is used.
[Authorize]
public ActionResult Delete(int id) {
...

20
csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp
View File

@@ -5,8 +5,8 @@
<overview>
<p>
Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authentication checks
to ensure that they cannot be used by arbitrary users.
Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authorization checks
to ensure that they cannot be used by malicious actors.
</p>
</overview>
@@ -14,9 +14,9 @@ to ensure that they cannot be used by arbitrary users.
<p>
Ensure that proper authorization checks are made for sensitive actions.
For WebForms applications, the <code>authorazation</code> tag in <code>Web.config</code> XML files
For WebForms applications, the <code>authorization</code> tag in <code>Web.config</code> XML files
can be used to implement access control. The <code>System.Web.UI.Page.User</code> property can also be
used to verify a user's roles.
used to verify a user's role.
For MVC applications, the <code>Authorize</code> attribute can be used to require authorization on specific
action methods.
</p>
@@ -25,7 +25,7 @@ action methods.
<example>
<p>
In the following WebForms example, the case marked BAD has no authorization checks; whereas the
In the following WebForms example, the case marked BAD has no authorization checks whereas the
case marked GOOD uses <code>User.IsInRole</code> to check for the user's role.
</p>
@@ -33,22 +33,22 @@ case marked GOOD uses <code>User.IsInRole</code> to check for the user's role.
<p>
The following <code>Web.config</code> file uses the <code>authorization</code> tag to deny access to anonymous users,
in a <code>location</code>> tag to have it apply to a specific path.
in a <code>location</code> tag to have that configuration apply to a specific path.
</p>
<sample src="Web.config" />
<p>
In the following MVC example, the case marked BAD has no authorization
checks; whereas the case marked GOOD uses the <code>Authorize</code> attribute.
checks whereas the case marked GOOD uses the <code>Authorize</code> attribute.
</p>
<sample src="MVC.cs" />
</example>
<references>
<li><code>Page.User</code> Property - <a href="https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.page.user?view=netframework-4.8.1#system-web-ui-page-user">Microsoft Learn</a></li>
<li>Control authorization permissions in an ASP.NET application - <a href="https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/www-authentication-authorization/authorization-permissions">Microsoft Learn</a></li>
<li>Simple authorization in ASP.NET Core - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0">Microsoft Learn</a></li>
<li><code>Page.User</code> Property - <a href="https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.page.user?view=netframework-4.8.1#system-web-ui-page-user">Microsoft Learn</a>.</li>
<li>Control authorization permissions in an ASP.NET application - <a href="https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/www-authentication-authorization/authorization-permissions">Microsoft Learn</a>.</li>
<li>Simple authorization in ASP.NET Core - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0">Microsoft Learn</a>.</li>
</references>
</qhelp>

2
csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql
View File

@@ -1,6 +1,6 @@
/**
* @name Missing function level access control
* @description Sensitive actions should have authorization checks to prevent them from being used by arbitrary users.
* @description Sensitive actions should have authorization checks to prevent them from being used by malicious actors.
* @kind problem
* @problem.severity warning
* @security-severity 7.5