Add test cases for authorization from attributes

joefarebrother · joefarebrother · commit 6a95ed64ff96 · 2023-09-15T10:25:27.000+01:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs
@@ -16,6 +16,21 @@ public ActionResult Edit2(int commentId, string text) {
         return View();
     }
 
+    // GOOD: The Authorize attribute is used
+    [Authorize]
+    public ActionResult Edit3(int commentId, string text) {
+        editComment(commentId, text);
+        return View();
+    }
+
+    // BAD: The AllowAnonymous attribute overrides the Authorize attribute
+    [Authorize]
+    [AllowAnonymous]
+    public ActionResult Edit4(int commentId, string text) {
+        editComment(commentId, text);
+        return View();
+    }
+
     void editComment(int commentId, string text) { }
 
     bool canEditComment(int commentId, string userName) { return false; }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected
@@ -1 +1,3 @@
 | CommentController.cs:6:25:6:29 | Edit1 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| CommentController.cs:29:25:29:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| ProfileController.cs:14:25:14:29 | Edit2 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/ProfileController.cs b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/ProfileController.cs
@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+
+[Authorize]
+public class ProfileController : Controller {
+    // GOOD: The Authorize attribute of the class restricts access to this method.
+    public ActionResult Edit1(int profileId, string text) {
+        editProfileName(profileId, text);
+        return View();
+    }
+
+    // BAD: The AllowAnonymous attribute therides the Authorize attribute on the class.
+    [AllowAnonymous]
+    public ActionResult Edit2(int profileId, string text) {
+        editProfileName(profileId, text);
+        return View();
+    }
+
+    void editProfileName(int profileId, string text) { }
+}

Original file line number	Diff line number	Diff line change
`@@ -1 +1,3 @@`
`1`	`1`	`\| CommentController.cs:6:25:6:29 \| Edit1 \| This method may be missing authorization checks for which users can access the resource of the provided ID. \|`
	`2`	`+\| CommentController.cs:29:25:29:29 \| Edit4 \| This method may be missing authorization checks for which users can access the resource of the provided ID. \|`
	`3`	`+\| ProfileController.cs:14:25:14:29 \| Edit2 \| This method may be missing authorization checks for which users can access the resource of the provided ID. \|`