Add an additional example and additional test cases for authorize attribute cases

joefarebrother · joefarebrother · commit 4497e2219520 · 2023-09-20T04:13:34.000+01:00
diff --git a/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp b/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
@@ -18,16 +18,17 @@ Ensure that the current user is authorized to access the resource of the provide
 <p>In the following example, in the case marked BAD, there is no authorization check, so any user is able to edit any comment.
 In the case marked GOOD, there is a check that the current usr matches the author of the comment.</p>
 <sample src="WebFormsExample.cs" />
-<p>The following example shows a similar case for the ASP.NET Core framework.</p>
+<p>The following example shows a similar case for the ASP.NET Core framework. In the third case, the `Authorize` attribute is used
+to restrict the method to only administrators, which are expected to be able to access arbitrary resources. 
+</p>
 <sample src="MVCExample.cs" />
 
-
 </example>
 <references>
 
   <li>OWASP - <a href="https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">Insecure Direct Object Refrences</a>.</li>
   <li>OWASP - <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References">Testing for Insecure Direct Object References</a>.</li>
-  <li>Microsoft Learn = <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
+  <li>Microsoft Learn - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
 
 </references>
 </qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-639/MVCExample.cs b/csharp/ql/src/Security Features/CWE-639/MVCExample.cs
@@ -32,4 +32,14 @@ public async Task<IActionResult> Edit2(int commentId, string text) {
             return ForbidResult();
         }
     }
+
+    // GOOD: Only users with the `admin` role can access this method.
+    [Authorize(Roles="admin")]
+    public async Task<IActionResult> Edit3(int commentId, string text) {
+        Comment comment = _commentRepository.Find(commentId);
+        
+        comment.Text = text;
+
+        return View();
+    }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected
@@ -1,3 +1,6 @@
 | CommentController.cs:6:25:6:29 | Edit1 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | CommentController.cs:29:25:29:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| MiscTestControllers.cs:26:33:26:40 | EditAnon | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| MiscTestControllers.cs:34:34:34:41 | EditAnon | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| MiscTestControllers.cs:45:25:45:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | ProfileController.cs:14:25:14:29 | Edit2 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/MiscTestControllers.cs b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/MiscTestControllers.cs
@@ -0,0 +1,46 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+
+public class BaseController : Controller {
+    // GOOD
+    [Authorize]
+    public virtual ActionResult Edit1(int id) { return View(); }
+}
+
+class MyAuthorizeAttribute : AuthorizeAttribute { }
+class MyAllowAnonymousAttribute : AllowAnonymousAttribute { }
+
+public class AController : BaseController {
+    // GOOD - Authorize is inherited from overridden method
+    public override ActionResult Edit1(int id) { return View(); }
+
+    // GOOD - A subclass of Authorize is used
+    [MyAuthorize]
+    public ActionResult Edit2(int id) { return View(); }
+}
+
+[Authorize]
+public class BaseAuthController : Controller {
+    // BAD - A subclass of AllowAnonymous is used
+    [MyAllowAnonymous]
+    public virtual ActionResult EditAnon(int id) { return View(); }
+}
+
+public class BController : BaseAuthController {
+    // GOOD - Authorize is inherited from parent class
+    public ActionResult Edit3(int id) { return View(); }
+
+    // BAD - MyAllowAnonymous is inherited from overridden method
+    public override ActionResult EditAnon(int id) { return View(); }
+}
+
+[AllowAnonymous]
+public class BaseAnonController : Controller {
+
+}
+
+public class CController : BaseAnonController {
+    // BAD - AllowAnonymous is inherited from base class and overrides Authorize
+    [Authorize]
+    public ActionResult Edit4(int id) { return View(); }
+}

Original file line number	Diff line number	Diff line change
`@@ -32,4 +32,14 @@ public async Task<IActionResult> Edit2(int commentId, string text) {`
`32`	`32`	`return ForbidResult();`
`33`	`33`	`}`
`34`	`34`	`}`
	`35`	`+`
	`36`	+ // GOOD: Only users with the `admin` role can access this method.
	`37`	`+ [Authorize(Roles="admin")]`
	`38`	`+ public async Task<IActionResult> Edit3(int commentId, string text) {`
	`39`	`+ Comment comment = _commentRepository.Find(commentId);`
	`40`	`+`
	`41`	`+ comment.Text = text;`
	`42`	`+`
	`43`	`+ return View();`
	`44`	`+ }`
`35`	`45`	`}`