Broaden the scope of checks for authorization attributes

joefarebrother · joefarebrother · commit 9b31b61143d2 · 2023-06-14T16:07:41.000+01:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll
@@ -166,11 +166,12 @@ predicate hasAuthViaXml(ActionMethod m) {
   )
 }
 
-/** Holds if the given action has an `Authorize` attribute. */
+/** Holds if the given action has an attribute that indications authorization. */
 predicate hasAuthViaAttribute(ActionMethod m) {
-  [m.getAnAttribute(), m.getDeclaringType().getAnAttribute()]
-      .getType()
-      .hasQualifiedName("Microsoft.AspNetCore.Authorization", "AuthorizeAttribute")
+  exists(Attribute attr | attr.getType().getName().toLowerCase().matches("%auth%") |
+    attr = m.getAnAttribute() or
+    attr = m.getDeclaringType().getABaseType*().getAnAttribute()
+  )
 }
 
 /** Holds if `m` is a method that should have an auth check, but is missing it. */

Original file line number	Diff line number	Diff line change
`@@ -166,11 +166,12 @@ predicate hasAuthViaXml(ActionMethod m) {`
`166`	`166`	`)`
`167`	`167`	`}`
`168`	`168`
`169`		-/** Holds if the given action has an `Authorize` attribute. */
	`169`	`+/** Holds if the given action has an attribute that indications authorization. */`
`170`	`170`	`predicate hasAuthViaAttribute(ActionMethod m) {`
`171`		`- [m.getAnAttribute(), m.getDeclaringType().getAnAttribute()]`
`172`		`- .getType()`
`173`		`- .hasQualifiedName("Microsoft.AspNetCore.Authorization", "AuthorizeAttribute")`
	`171`	`+ exists(Attribute attr \| attr.getType().getName().toLowerCase().matches("%auth%") \|`
	`172`	`+ attr = m.getAnAttribute() or`
	`173`	`+ attr = m.getDeclaringType().getABaseType*().getAnAttribute()`
	`174`	`+ )`
`174`	`175`	`}`
`175`	`176`
`176`	`177`	/** Holds if `m` is a method that should have an auth check, but is missing it. */