Add unit tests for webform case with auth in code

joefarebrother · joefarebrother · commit 1b6e7f914017 · 2023-06-14T16:07:41.000+01:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MissingAccessControl.expected b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MissingAccessControl.expected
@@ -0,0 +1,2 @@
+| Test1/EditProfile.aspx.cs:9:20:9:29 | btn1_Click | This action is missing an authorization check. |
+| Test1/ViewProfile.aspx.cs:14:20:14:36 | btn_delete1_Click | This action is missing an authorization check. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MissingAccessControl.qlref b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MissingAccessControl.qlref
@@ -0,0 +1 @@
+Security Features/CWE-285/MissingAccessControl.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test1/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test1/EditProfile.aspx.cs
@@ -0,0 +1,18 @@
+using System;
+using System.Web.UI;
+
+class EditProfile : System.Web.UI.Page {
+    private void doThings() { }
+
+    private bool isAuthorized() { return false; }
+
+    protected void btn1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+
+    protected void btn2_Click(object sender, EventArgs e) {
+        if (isAuthorized()) {
+            doThings();
+        }
+    }
+} 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test1/ViewProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/Test1/ViewProfile.aspx.cs
@@ -0,0 +1,23 @@
+using System;
+using System.Web.UI;
+using System.Web.Security;
+
+class ViewProfile : System.Web.UI.Page {
+    private void doThings() { }
+
+    public System.Security.Principal.IPrincipal User { get; } // TODO: this should be in the stubs
+
+    protected void btn_safe_Click(object sender, EventArgs e) {
+        doThings();
+    }
+
+    protected void btn_delete1_Click(object sender, EventArgs e) {
+        doThings();
+    }
+
+    protected void btn_delete2_Click(object sender, EventArgs e) {
+        if (User.IsInRole("admin")) {
+            doThings();
+        }
+    }
+} 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/options b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/options
@@ -0,0 +1 @@
+semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| Test1/EditProfile.aspx.cs:9:20:9:29 \| btn1_Click \| This action is missing an authorization check. \|`
	`2`	`+\| Test1/ViewProfile.aspx.cs:14:20:14:36 \| btn_delete1_Click \| This action is missing an authorization check. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security Features/CWE-285/MissingAccessControl.ql`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs`