Add good/bad indicators to tests

joefarebrother · joefarebrother · commit bdaeeeadeeac · 2023-06-22T11:21:30.000+01:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.expected b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.expected
@@ -1 +1 @@
-| ProfileController.cs:7:25:7:31 | Delete1 | This action is missing an authorization check. |
+| ProfileController.cs:8:25:8:31 | Delete1 | This action is missing an authorization check. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs
@@ -4,11 +4,13 @@ public class ProfileController : Controller {
     private void doThings() { }
     private bool isAuthorized() { return false; }
 
+    // BAD: This is a Delete method, but no auth is specified.
     public ActionResult Delete1(int id) {
         doThings();
         return View();
     }
 
+    // GOOD: isAuthorized is checked.
     public ActionResult Delete2(int id) {
         if (!isAuthorized()) {
             return null;
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.expected b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/MissingAccessControl.expected
@@ -1,3 +1,3 @@
-| Test1/EditProfile.aspx.cs:9:20:9:29 | btn1_Click | This action is missing an authorization check. |
-| Test1/ViewProfile.aspx.cs:12:20:12:36 | btn_delete1_Click | This action is missing an authorization check. |
-| Test3/B/EditProfile.aspx.cs:7:20:7:29 | btn1_Click | This action is missing an authorization check. |
+| Test1/EditProfile.aspx.cs:10:20:10:29 | btn1_Click | This action is missing an authorization check. |
+| Test1/ViewProfile.aspx.cs:14:20:14:36 | btn_delete1_Click | This action is missing an authorization check. |
+| Test3/B/EditProfile.aspx.cs:8:20:8:29 | btn1_Click | This action is missing an authorization check. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/EditProfile.aspx.cs
@@ -6,10 +6,12 @@ private void doThings() { }
 
     private bool isAuthorized() { return false; }
 
+    // BAD: The class name indicates that this may be an Edit method, but there is no auth check
     protected void btn1_Click(object sender, EventArgs e) {
         doThings();
     }
 
+    // GOOD: There is a call to isAuthorized
     protected void btn2_Click(object sender, EventArgs e) {
         if (isAuthorized()) {
             doThings();
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test1/ViewProfile.aspx.cs
@@ -5,14 +5,17 @@
 class ViewProfile : System.Web.UI.Page {
     private void doThings() { }
 
+    // GOOD: This method and class name do not indicate a sensitive method.
     protected void btn_safe_Click(object sender, EventArgs e) {
         doThings();
     }
 
+    // BAD: The name indicates a Delete method, but no auth is present.
     protected void btn_delete1_Click(object sender, EventArgs e) {
         doThings();
     }
 
+    // GOOD: User.IsInRole is checked.
     protected void btn_delete2_Click(object sender, EventArgs e) {
         if (User.IsInRole("admin")) {
             doThings();
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test2/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test2/EditProfile.aspx.cs
@@ -4,6 +4,7 @@
 class EditProfile2 : System.Web.UI.Page {
     private void doThings() { }
 
+    // GOOD: The Web.config file specifies auth for this path.
     protected void btn1_Click(object sender, EventArgs e) {
         doThings();
     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/A/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/A/EditProfile.aspx.cs
@@ -4,6 +4,7 @@
 class EditProfile3 : System.Web.UI.Page {
     private void doThings() { }
 
+    // GOOD: This is covered by the Web.config's location tag referring to A
     protected void btn1_Click(object sender, EventArgs e) {
         doThings();
     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/B/EditProfile.aspx.cs
@@ -4,6 +4,7 @@
 class EditProfile4 : System.Web.UI.Page {
     private void doThings() { }
 
+    // BAD: The Web.config file does not specify auth for this path.
     protected void btn1_Click(object sender, EventArgs e) {
         doThings();
     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/C/EditProfile.aspx.cs b/csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/WebFormsTests/Test3/C/EditProfile.aspx.cs
@@ -4,6 +4,7 @@
 class EditProfile5 : System.Web.UI.Page {
     private void doThings() { }
 
+    // GOOD: The Web.config file specifies auth for the path Virtual, which is mapped to C in Global.asax
     protected void btn1_Click(object sender, EventArgs e) {
         doThings();
     }

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-\| ProfileController.cs:7:25:7:31 \| Delete1 \| This action is missing an authorization check. \|`
	`1`	`+\| ProfileController.cs:8:25:8:31 \| Delete1 \| This action is missing an authorization check. \|`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`class EditProfile2 : System.Web.UI.Page {`
`5`	`5`	`private void doThings() { }`
`6`	`6`
	`7`	`+ // GOOD: The Web.config file specifies auth for this path.`
`7`	`8`	`protected void btn1_Click(object sender, EventArgs e) {`
`8`	`9`	`doThings();`
`9`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`class EditProfile3 : System.Web.UI.Page {`
`5`	`5`	`private void doThings() { }`
`6`	`6`
	`7`	`+ // GOOD: This is covered by the Web.config's location tag referring to A`
`7`	`8`	`protected void btn1_Click(object sender, EventArgs e) {`
`8`	`9`	`doThings();`
`9`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`class EditProfile4 : System.Web.UI.Page {`
`5`	`5`	`private void doThings() { }`
`6`	`6`
	`7`	`+ // BAD: The Web.config file does not specify auth for this path.`
`7`	`8`	`protected void btn1_Click(object sender, EventArgs e) {`
`8`	`9`	`doThings();`
`9`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`class EditProfile5 : System.Web.UI.Page {`
`5`	`5`	`private void doThings() { }`
`6`	`6`
	`7`	`+ // GOOD: The Web.config file specifies auth for the path Virtual, which is mapped to C in Global.asax`
`7`	`8`	`protected void btn1_Click(object sender, EventArgs e) {`
`8`	`9`	`doThings();`
`9`	`10`	`}`