C#: Consider an attribute to be authorization like, if it extends an attribute that has an authorization like name.

michaelnebel · michaelnebel · commit c15d1ab3bdd9 · 2025-04-14T14:25:31.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll
@@ -81,7 +81,7 @@ predicate hasAuthViaXml(ActionMethod m) {
 
 /** Holds if the given action has an attribute that indications authorization. */
 predicate hasAuthViaAttribute(ActionMethod m) {
-  exists(Attribute attr | attr.getType().getName().toLowerCase().matches("%auth%") |
+  exists(Attribute attr | attr.getType().getABaseType*().getName().toLowerCase().matches("%auth%") |
     attr = m.getOverridee*().getAnAttribute() or
     attr = getAnUnboundBaseType*(m.getDeclaringType()).getAnAttribute()
   )

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ predicate hasAuthViaXml(ActionMethod m) {`
`81`	`81`
`82`	`82`	`/** Holds if the given action has an attribute that indications authorization. */`
`83`	`83`	`predicate hasAuthViaAttribute(ActionMethod m) {`
`84`		`- exists(Attribute attr \| attr.getType().getName().toLowerCase().matches("%auth%") \|`
	`84`	`+ exists(Attribute attr \| attr.getType().getABaseType*().getName().toLowerCase().matches("%auth%") \|`
`85`	`85`	`attr = m.getOverridee*().getAnAttribute() or`
`86`	`86`	`attr = getAnUnboundBaseType*(m.getDeclaringType()).getAnAttribute()`
`87`	`87`	`)`