Add tests for webforms case

Author: joefarebrother

csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/EditComment.aspx.cs

@@ -0,0 +1,28 @@
+using System;
+using System.Web.UI;
+
+class EditComment : System.Web.UI.Page {
+    
+    // BAD - Any user can access this method.
+    protected void btn1_Click(object sender, EventArgs e) {
+        string commentId = Request.QueryString["Id"];
+        Comment comment = getCommentById(commentId);
+        comment.Text = "xyz";
+    }
+
+    // GOOD - The user ID is verified.
+    protected void btn2_Click(object sender, EventArgs e) {
+        string commentId = Request.QueryString["Id"];
+        Comment comment = getCommentById(commentId);
+        if (comment.AuthorName == User.Identity.Name){
+            comment.Text = "xyz";
+        }
+    }
+
+    class Comment {
+        public string Text { get; set; }
+        public string AuthorName { get; }
+    }
+
+    Comment getCommentById(string id) { return null; }
+} 

csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/InsecureDirectObjectReference.expected

@@ -0,0 +1 @@
+| EditComment.aspx.cs:7:20:7:29 | btn1_Click | This method may not verify which users should be able to access resources of the provided ID. |

csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/InsecureDirectObjectReference.qlref

@@ -0,0 +1 @@
+Security Features/CWE-639/InsecureDirectObjectReference.ql

csharp/ql/test/query-tests/Security Features/CWE-639/WebFormsTests/options

@@ -0,0 +1 @@
+semmle-extractor-options: /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs

csharp/ql/test/resources/stubs/System.Web.cs

@@ -82,6 +82,7 @@ public class Control
     public class Page
     {
         public System.Security.Principal.IPrincipal User { get; } 
+        public System.Web.HttpRequest Request { get; }
     }
 
     interface IPostBackDataHandler