Add documentation

Author: joefarebrother

csharp/ql/src/Security Features/CWE-285/MVC.cs

@@ -0,0 +1,13 @@
+public class ProfileController : Controller {
+
+    // BAD: No authorization is used.
+    public ActionResult Edit(int id) {
+        ...
+    }
+
+    // GOOD: The `Authorize` tag is used.
+    [Authorize]
+    public ActionResult Delete(int id) {
+        ...
+    }
+}

csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp

@@ -0,0 +1,54 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authentication checks 
+to ensure that they cannot be used by arbitrary users.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Ensure that proper authorization checks are made for sensitive actions. 
+For WebForms applications, the <code>authorazation</code> tag in <code>Web.config</code> XML files 
+can be used to implement access control. The <code>System.Web.UI.Page.User</code> property can also be 
+used to verify a user's roles. 
+For MVC applications, the <code>Authorize</code> attribute can be used to require authorization on specific 
+action methods.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+In the following WebForms example, the case marked BAD has no authorization checks; whereas the 
+case marked GOOD uses <code>User.IsInRole</code> to check for the user's role.
+</p>
+
+<sample src="WebForms.cs" />
+
+<p>
+The following <code>Web.config</code> file uses the <code>authorization</code> tag to deny access to anonymous users,
+in a <location> tag to have it apply to a specific path.
+</p>
+
+<sample src="Web.config" />
+
+<p>
+In the following MVC example, the case marked BAD has no authorization
+checks; whereas the case marked GOOD uses the <code>Authorize</code> attribute.
+</p>
+
+<sample src="MVC.cs" />
+
+</example>
+<references>
+<li><code>Page.User</code> Property - <a href="https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.page.user?view=netframework-4.8.1#system-web-ui-page-user">Microsoft Learn</a></li>
+<li>Control authorization permissions in an ASP.NET application - <a href="https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/www-authentication-authorization/authorization-permissions">Microsoft Learn</a></li>
+<li>Simple authorization in ASP.NET Core - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0">Microsoft Learn</a></li>
+</references>
+</qhelp>

csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql

@@ -1,13 +1,15 @@
 /**
  * @name Missing function level access control
- * @description ... TODO
+ * @description Sensitive actions should have authorization checks to prevent them from being used by arbitrary users.
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.5
  * @precision medium
  * @id cs/web/missing-function-level-access-control
  * @tags security
  *       external/cwe/cwe-285
+ *       external/cwe/cwe-284
+ *       external/cwe/cwe-862
  */
 
 import csharp

csharp/ql/src/Security Features/CWE-285/Web.config

@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+  <location path="User/Profile">
+    <system.web>
+      <authorization>
+        <deny users="?" />
+      </authorization>
+    </system.web>
+  </location>
+</configuration>

csharp/ql/src/Security Features/CWE-285/WebForms.cs

@@ -0,0 +1,14 @@
+class ProfilePage : System.Web.UI.Page {
+    // BAD: No authorization is used
+    protected void btn1_Edit_Click(object sender, EventArgs e) {
+        ...
+    }
+
+    // GOOD: `User.IsInRole` checks the current user's role.
+    protected void btn2_Delete_Click(object sender, EventArgs e) {
+        if (!User.IsInRole("admin")) {
+            return;
+        }
+        ...
+    }
+}