mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Add good/bad indicators to tests
This commit is contained in:
Joe Farebrother
@@ -1 +1 @@
|
||||
| ProfileController.cs:7:25:7:31 | Delete1 | This action is missing an authorization check. |
|
||||
| ProfileController.cs:8:25:8:31 | Delete1 | This action is missing an authorization check. |
|
||||
|
||||
@@ -4,11 +4,13 @@ public class ProfileController : Controller {
|
||||
private void doThings() { }
|
||||
private bool isAuthorized() { return false; }
|
||||
|
||||
// BAD: This is a Delete method, but no auth is specified.
|
||||
public ActionResult Delete1(int id) {
|
||||
doThings();
|
||||
return View();
|
||||
}
|
||||
|
||||
// GOOD: isAuthorized is checked.
|
||||
public ActionResult Delete2(int id) {
|
||||
if (!isAuthorized()) {
|
||||
return null;
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
| Test1/EditProfile.aspx.cs:9:20:9:29 | btn1_Click | This action is missing an authorization check. |
|
||||
| Test1/ViewProfile.aspx.cs:12:20:12:36 | btn_delete1_Click | This action is missing an authorization check. |
|
||||
| Test3/B/EditProfile.aspx.cs:7:20:7:29 | btn1_Click | This action is missing an authorization check. |
|
||||
| Test1/EditProfile.aspx.cs:10:20:10:29 | btn1_Click | This action is missing an authorization check. |
|
||||
| Test1/ViewProfile.aspx.cs:14:20:14:36 | btn_delete1_Click | This action is missing an authorization check. |
|
||||
| Test3/B/EditProfile.aspx.cs:8:20:8:29 | btn1_Click | This action is missing an authorization check. |
|
||||
|
||||
@@ -6,10 +6,12 @@ class EditProfile : System.Web.UI.Page {
|
||||
|
||||
private bool isAuthorized() { return false; }
|
||||
|
||||
// BAD: The class name indicates that this may be an Edit method, but there is no auth check
|
||||
protected void btn1_Click(object sender, EventArgs e) {
|
||||
doThings();
|
||||
}
|
||||
|
||||
// GOOD: There is a call to isAuthorized
|
||||
protected void btn2_Click(object sender, EventArgs e) {
|
||||
if (isAuthorized()) {
|
||||
doThings();
|
||||
|
||||
@@ -5,14 +5,17 @@ using System.Web.Security;
|
||||
class ViewProfile : System.Web.UI.Page {
|
||||
private void doThings() { }
|
||||
|
||||
// GOOD: This method and class name do not indicate a sensitive method.
|
||||
protected void btn_safe_Click(object sender, EventArgs e) {
|
||||
doThings();
|
||||
}
|
||||
|
||||
// BAD: The name indicates a Delete method, but no auth is present.
|
||||
protected void btn_delete1_Click(object sender, EventArgs e) {
|
||||
doThings();
|
||||
}
|
||||
|
||||
// GOOD: User.IsInRole is checked.
|
||||
protected void btn_delete2_Click(object sender, EventArgs e) {
|
||||
if (User.IsInRole("admin")) {
|
||||
doThings();
|
||||
|
||||
@@ -4,6 +4,7 @@ using System.Web.UI;
|
||||
class EditProfile2 : System.Web.UI.Page {
|
||||
private void doThings() { }
|
||||
|
||||
// GOOD: The Web.config file specifies auth for this path.
|
||||
protected void btn1_Click(object sender, EventArgs e) {
|
||||
doThings();
|
||||
}
|
||||
|
||||
@@ -4,6 +4,7 @@ using System.Web.UI;
|
||||
class EditProfile3 : System.Web.UI.Page {
|
||||
private void doThings() { }
|
||||
|
||||
// GOOD: This is covered by the Web.config's location tag referring to A
|
||||
protected void btn1_Click(object sender, EventArgs e) {
|
||||
doThings();
|
||||
}
|
||||
|
||||
@@ -4,6 +4,7 @@ using System.Web.UI;
|
||||
class EditProfile4 : System.Web.UI.Page {
|
||||
private void doThings() { }
|
||||
|
||||
// BAD: The Web.config file does not specify auth for this path.
|
||||
protected void btn1_Click(object sender, EventArgs e) {
|
||||
doThings();
|
||||
}
|
||||
|
||||
@@ -4,6 +4,7 @@ using System.Web.UI;
|
||||
class EditProfile5 : System.Web.UI.Page {
|
||||
private void doThings() { }
|
||||
|
||||
// GOOD: The Web.config file specifies auth for the path Virtual, which is mapped to C in Global.asax
|
||||
protected void btn1_Click(object sender, EventArgs e) {
|
||||
doThings();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user