Commit 3e6750b

Add documentation
1 parent f8b1b38 commit 3e6750b

2 files changed

+45
-0
lines changed

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>When an action method accepts an ID parameter used to control which resource (e.g. a comment, a user profile, etc)
7+
is being accessed/modified, checks should me made to ensure that the current user is authorized to access that resource.
8+
Otherwise, an attacker could access an arbitrary resource by modifying the ID parameter.</p>
9+
10+
</overview>
11+
<recommendation>
12+
<p>
13+
Ensure that the current user is authorized to access the resource of the provided ID.
14+
</p>
15+
16+
</recommendation>
17+
<example>
18+
<p>In the following example, in the case marked BAD, there is no authorization check, so any user is able to edit any comment.
19+
In the case marked GOOD, there is a check that the current usr matches the author of the comment.</p>
20+
<sample src="WebFormsExample.cs" />
21+
22+
23+
</example>
24+
<references>
25+
26+
<li>OWASP - <a href="https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">Insecure Direct Object Refrences</a>.</li>
27+
<li>OWASP - <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References">Testing for Insecure Direct Object References</a>.</li>
28+
29+
</references>
30+
</qhelp>
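Review bot: typos in the user-facing text of this qhelp: line 7 reads "checks should me made" (should be "be made"), line 19 reads "current usr" (should be "user"), and the link text of the first reference reads "Insecure Direct Object Refrences" (should be "References"). Since this text is rendered in query results, fix them before merge. Also note that the first reference links to the 2013 OWASP Top 10 entry (A4); consider whether a more current OWASP access-control reference should sit alongside the testing-guide link.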
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
// BAD - Any user can access this method.
2+
protected void btn1_Click(object sender, EventArgs e) {
3+
string commentId = Request.QueryString["Id"];
4+
Comment comment = getCommentById(commentId);
5+
comment.Body = inputCommentBody.Text;
6+
}
7+
8+
// GOOD - The user ID is verified.
9+
protected void btn2_Click(object sender, EventArgs e) {
10+
string commentId = Request.QueryString["Id"];
11+
Comment comment = getCommentById(commentId);
12+
if (comment.AuthorName == User.Identity.Name){
13+
comment.Body = inputCommentBody.Text;
14+
}
15+
}
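Review bot: the comment on line 8 says "The user ID is verified", but the check on line 12 compares `comment.AuthorName` with `User.Identity.Name`, i.e. a user name rather than an ID; either reword the comment to say the current user is verified to be the comment's author, or compare a stable identifier, since name-based string comparison is fragile. When the check fails, the GOOD handler silently does nothing; for a sample that readers will copy it is worth showing an explicit rejection (for example returning a forbidden response) rather than a silent no-op. Neither handler guards against `getCommentById` returning null, which is acceptable for an illustrative snippet but deserves a short comment.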
