diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.expected b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.expected
index f6d983c8f77..1ad8d1cdeb5 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.expected
@@ -1 +1 @@
-| ProfileController.cs:7:25:7:31 | Delete1 | This action is missing an authorization check. |
+| ProfileController.cs:8:25:8:31 | Delete1 | This action is missing an authorization check. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs
index 7ecd6323b97..d2ed864f4c7 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs
@@ -4,11 +4,13 @@ public class ProfileController : Controller {
 private void doThings() { }
 private bool isAuthorized() { return false; }
+ // BAD: This is a Delete method, but no auth is specified.
 public ActionResult Delete1(int id) {
 doThings();
 return View();
 }
+ // GOOD: isAuthorized is checked.
 public ActionResult Delete2(int id) {
 if (!isAuthorized()) {
 return null;
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.expected b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.expected
index ccac820134b..5c0df701d81 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.expected
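Review bot: The `// GOOD: isAuthorized is checked.` comment added above Delete2 records that a check exists but not what makes the case acceptable; the visible body returns before `doThings()` runs when the check fails, which is presumably the property the query is expected to recognise. A comment such as `// GOOD: isAuthorized is checked, and the action returns before doThings() when it fails.` would make the expected behaviour explicit for anyone adjusting the query later. The BAD comment on Delete1 is clear as written. Delete2's body continues outside the hunk.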
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.expected
@@ -1,3 +1,3 @@
-| Test1/EditProfile.aspx.cs:9:20:9:29 | btn1_Click | This action is missing an authorization check. |
-| Test1/ViewProfile.aspx.cs:12:20:12:36 | btn_delete1_Click | This action is missing an authorization check. |
-| Test3/B/EditProfile.aspx.cs:7:20:7:29 | btn1_Click | This action is missing an authorization check. |
+| Test1/EditProfile.aspx.cs:10:20:10:29 | btn1_Click | This action is missing an authorization check. |
+| Test1/ViewProfile.aspx.cs:14:20:14:36 | btn_delete1_Click | This action is missing an authorization check. |
+| Test3/B/EditProfile.aspx.cs:8:20:8:29 | btn1_Click | This action is missing an authorization check. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs
index 9ca2efe5bee..b023dc11e80 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs
@@ -6,10 +6,12 @@ class EditProfile : System.Web.UI.Page {
 private bool isAuthorized() { return false; }
+ // BAD: The class name indicates that this may be an Edit method, but there is no auth check
 protected void btn1_Click(object sender, EventArgs e) {
 doThings();
 }
+ // GOOD: There is a call to isAuthorized
 protected void btn2_Click(object sender, EventArgs e) {
 if (isAuthorized()) {
 doThings();
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs
index fc04d551eec..f9d7316d50b 100644
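Review bot: The two comments added in Test1/EditProfile.aspx.cs end without a full stop, while the ones added in ProfileController.cs, ViewProfile.aspx.cs, Test2 and Test3/B end with one; Test3/A and Test3/C have the same inconsistency. Since these BAD/GOOD markers double as the human-readable explanation of each test case, a uniform form reads better: `// BAD: The class name indicates that this may be an Edit method, but there is no auth check.` and `// GOOD: There is a call to isAuthorized.` here, with the same fix applied to the Test3/A and Test3/C comments. btn2_Click's body continues outside the hunk.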
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs
@@ -5,14 +5,17 @@ using System.Web.Security;
 class ViewProfile : System.Web.UI.Page {
 private void doThings() { }
+ // GOOD: This method and class name do not indicate a sensitive method.
 protected void btn_safe_Click(object sender, EventArgs e) {
 doThings();
 }
+ // BAD: The name indicates a Delete method, but no auth is present.
 protected void btn_delete1_Click(object sender, EventArgs e) {
 doThings();
 }
+ // GOOD: User.IsInRole is checked.
 protected void btn_delete2_Click(object sender, EventArgs e) {
 if (User.IsInRole("admin")) {
 doThings();
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test2/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test2/EditProfile.aspx.cs
index f14c39078cd..0d0b2b7b864 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test2/EditProfile.aspx.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test2/EditProfile.aspx.cs
@@ -4,6 +4,7 @@ using System.Web.UI;
 class EditProfile2 : System.Web.UI.Page {
 private void doThings() { }
+ // GOOD: The Web.config file specifies auth for this path.
 protected void btn1_Click(object sender, EventArgs e) {
 doThings();
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/A/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/A/EditProfile.aspx.cs
index 6f66d66e653..4f5025a4a51 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/A/EditProfile.aspx.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/A/EditProfile.aspx.cs
@@ -4,6 +4,7 @@ using System.Web.UI;
 class EditProfile3 : System.Web.UI.Page {
 private void doThings() { }
+ // GOOD: This is covered by the Web.config's location tag referring to A
 protected void btn1_Click(object sender, EventArgs e) {
 doThings();
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs
index 3e1e189d06e..4b7697f0f88 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs
@@ -4,6 +4,7 @@ using System.Web.UI;
 class EditProfile4 : System.Web.UI.Page {
 private void doThings() { }
+ // BAD: The Web.config file does not specify auth for this path.
 protected void btn1_Click(object sender, EventArgs e) {
 doThings();
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/C/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/C/EditProfile.aspx.cs
index 81d2a1f0d8b..a8ad0654689 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/C/EditProfile.aspx.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/C/EditProfile.aspx.cs
@@ -4,6 +4,7 @@ using System.Web.UI;
 class EditProfile5 : System.Web.UI.Page {
 private void doThings() { }
+ // GOOD: The Web.config file specifies auth for the path Virtual, which is mapped to C in Global.asax
 protected void btn1_Click(object sender, EventArgs e) {
 doThings();
 }