
Commit 2e7e276

committed
C#: Add test case for authorization attribute that extends Authorize.
1 parent 8d57167 commit 2e7e276


2 files changed

+14
-1
lines changed

@@ -1 +1,5 @@
1-
| ProfileController.cs:10:25:10:31 | Delete1 | This action is missing an authorization check. |
1+
#select
2+
| ProfileController.cs:12:25:12:31 | Delete1 | This action is missing an authorization check. |
3+
| ProfileController.cs:39:25:39:31 | Delete4 | This action is missing an authorization check. |
4+
testFailures
5+
| ProfileController.cs:39:25:39:31 | This action is missing an authorization check. | Unexpected result: Alert |

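--- a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs
@@ -1,6 +1,8 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
 
+public class RequirePermissionAttribute : AuthorizeAttribute { }
+
 public class ProfileController : Controller
 {
 private void doThings() { }
@@ -32,6 +34,13 @@ public ActionResult Delete3(int id)
 return View();
 }
 
+// GOOD: The RequirePermission attribute is used (which extends AuthorizeAttribute).
+[RequirePermission]
+public ActionResult Delete4(int id)
+{
+doThings();
+return View();
+}
 }
 
 [Authorize]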
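Review bot: The `// GOOD` comment on `Delete4` disagrees with the expected output committed alongside it, which lists an alert at `ProfileController.cs:39` and a `testFailures` row reading "Unexpected result: Alert", so the test as committed records a false positive rather than a pass. If the query change that recognises subclasses of `AuthorizeAttribute` lands separately, say so at the test site, for example `// GOOD [FALSE POSITIVE]: RequirePermission extends AuthorizeAttribute, but the query does not yet follow the inheritance.` The case also covers only an action-level use of a direct subclass; a controller-level `[RequirePermission]` and an attribute deriving from `RequirePermissionAttribute` would pin the inheritance handling more fully. The `ProfileController` body starts before the second hunk and its other actions are not visible here.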
