Add test cases for webforms auth via web.config files

joefarebrother · joefarebrother · commit 1500089b864b · 2023-06-14T16:07:41.000+01:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll
@@ -122,7 +122,7 @@ predicate hasAuthViaCode(ActionMethod m) {
   )
 }
 
-/** An `<authorization>` XML element that */
+/** An `<authorization>` XML element. */
 class AuthorizationXmlElement extends XmlElement {
   AuthorizationXmlElement() {
     this.getParent() instanceof SystemWebXmlElement and
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MissingAccessControl.expected b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MissingAccessControl.expected
@@ -1,2 +1,3 @@
 | Test1/EditProfile.aspx.cs:9:20:9:29 | btn1_Click | This action is missing an authorization check. |
-| Test1/ViewProfile.aspx.cs:14:20:14:36 | btn_delete1_Click | This action is missing an authorization check. |
+| Test1/ViewProfile.aspx.cs:12:20:12:36 | btn_delete1_Click | This action is missing an authorization check. |
+| Test3/B/EditProfile.aspx.cs:7:20:7:29 | btn1_Click | This action is missing an authorization check. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test1/ViewProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test1/ViewProfile.aspx.cs
@@ -5,8 +5,6 @@
 class ViewProfile : System.Web.UI.Page {
     private void doThings() { }
 
-    public System.Security.Principal.IPrincipal User { get; } // TODO: this should be in the stubs
-
     protected void btn_safe_Click(object sender, EventArgs e) {
         doThings();
     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test2/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test2/EditProfile.aspx.cs
@@ -0,0 +1,10 @@
+using System;
+using System.Web.UI;
+
+class EditProfile2 : System.Web.UI.Page {
+    private void doThings() { }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+} 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test2/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test2/Web.config
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+ 
+  <system.web>
+
+      <authorization>
+        <deny users="?" />
+      </authorization>
+
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/A/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/A/EditProfile.aspx.cs
@@ -0,0 +1,10 @@
+using System;
+using System.Web.UI;
+
+class EditProfile3 : System.Web.UI.Page {
+    private void doThings() { }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+} 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/B/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/B/EditProfile.aspx.cs
@@ -0,0 +1,10 @@
+using System;
+using System.Web.UI;
+
+class EditProfile4 : System.Web.UI.Page {
+    private void doThings() { }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+} 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/C/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/C/EditProfile.aspx.cs
@@ -0,0 +1,10 @@
+using System;
+using System.Web.UI;
+
+class EditProfile5 : System.Web.UI.Page {
+    private void doThings() { }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+} 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/Global.asax.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/Global.asax.cs
@@ -0,0 +1,26 @@
+using System;
+using System.Web;
+using System.Web.Routing;
+
+public class Global : System.Web.HttpApplication {
+
+    void Application_Start(object sender, EventArgs e) {
+        RegisterRoutes(RouteTable.Routes);
+    }
+
+    void Application_End(object sender, EventArgs e) { }
+
+    void Application_Error(object sender, EventArgs e) { }
+
+    void Session_Start(object sender, EventArgs e) { }
+
+    void Session_End(object sender, EventArgs e) { }
+
+    static void RegisterRoutes(RouteCollection routes) {
+        routes.MapPageRoute("VirtualEditProfile",
+            "Virtual/Edit",
+            "~/C/EditProfile.aspx",
+            false
+            );
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test3/Web.config
@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+ 
+  <location path="A">
+    <system.web>
+      <authorization>
+        <deny users="?" />
+      </authorization>
+    </system.web>
+  </location>
+  <location path="Virtual">
+    <system.web>
+      <authorization>
+        <deny users="?" />
+      </authorization>
+    </system.web>
+  </location>
+</configuration>
diff --git a/csharp/ql/test/resources/stubs/System.Web.cs b/csharp/ql/test/resources/stubs/System.Web.cs
@@ -48,6 +48,8 @@ public void Transfer(string path) { }
     public class HttpApplication : IHttpHandler
     {
         public HttpServerUtility Server { get; }
+
+        public Routing.RouteTable RouteTable { get; }
     }
 }
 
@@ -79,6 +81,7 @@ public class Control
 
     public class Page
     {
+        public System.Security.Principal.IPrincipal User { get; } 
     }
 
     interface IPostBackDataHandler
@@ -300,6 +303,19 @@ namespace System.Web.Routing
     public class RequestContext
     {
     }
+
+    public class Route 
+    {
+    }
+
+    public class RouteTable {
+        public RouteCollection Routes { get; }
+    }
+
+    public class RouteCollection 
+    {
+        public Route MapPageRoute(string routeName, string routeUrl, string physicalFile, bool checkPhysicalUrlAccess) { return null; }
+    }
 }
 
 namespace System.Web.Security

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ predicate hasAuthViaCode(ActionMethod m) {`
`122`	`122`	`)`
`123`	`123`	`}`
`124`	`124`
`125`		-/** An `<authorization>` XML element that */
	`125`	+/** An `<authorization>` XML element. */
`126`	`126`	`class AuthorizationXmlElement extends XmlElement {`
`127`	`127`	`AuthorizationXmlElement() {`
`128`	`128`	`this.getParent() instanceof SystemWebXmlElement and`
Original file line number	Diff line number	Diff line change
`@@ -5,8 +5,6 @@`
`5`	`5`	`class ViewProfile : System.Web.UI.Page {`
`6`	`6`	`private void doThings() { }`
`7`	`7`
`8`		`- public System.Security.Principal.IPrincipal User { get; } // TODO: this should be in the stubs`
`9`		`-`
`10`	`8`	`protected void btn_safe_Click(object sender, EventArgs e) {`
`11`	`9`	`doThings();`
`12`	`10`	`}`