Update alert message and make user checks more precise

Joe Farebrother
2023-08-17 17:22:43 +01:00
parent 009a7bfc87
commit f8b1b38438
4 changed files with 8 additions and 5 deletions


@@ -22,6 +22,7 @@ private predicate hasIdParameter(ActionMethod m) {
exists(RemoteFlowSource src | src.getEnclosingCallable() = m |
src.asParameter().getName().toLowerCase().matches(["%id", "%idx"])
or
// handle cases like `Request.QueryString["Id"]`
exists(StringLiteral idStr |
idStr.getValue().toLowerCase().matches(["%id", "%idx"]) and
getParentExpr*(src.asExpr()) = getParentExpr*(idStr)
@@ -31,8 +32,10 @@ private predicate hasIdParameter(ActionMethod m) {
/** Holds if `m` at some point in its call graph may make some kind of check against the current user. */
private predicate checksUser(ActionMethod m) {
exists(Property p | p.getName().toLowerCase().matches(["%user%", "%session%"]) |
m.calls*(p.getGetter())
exists(Callable c, string name | name = c.getName().toLowerCase() |
name.matches(["%user%", "%session%"]) and
not name.matches("%get%by%") and // methods like `getUserById` or `getXByUsername` aren't likely to be referring to the current user
m.calls*(c)
)
}