Merge pull request github#13882 from joefarebrother/csharp-insecure-direct-object-ref

C#: Add query for Insecure Direct Object Reference

Author: joefarebrother

csharp/ql/lib/semmle/code/csharp/security/auth/ActionMethods.qll

@@ -0,0 +1,107 @@
+/** Common definitions for queries checking for access control measures on action methods. */
+
+import csharp
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.frameworks.system.web.UI
+
+/** A method representing an action for a web endpoint. */
+abstract class ActionMethod extends Method {
+  /**
+   * Gets a string that can indicate what this method does to determine if it should have an auth check;
+   * such as its method name, class name, or file path.
+   */
+  string getADescription() {
+    result = [this.getName(), this.getDeclaringType().getBaseClass*().getName(), this.getARoute()]
+  }
+
+  /** Holds if this method may represent a stateful action such as editing or deleting */
+  predicate isEdit() {
+    exists(string str |
+      str =
+        this.getADescription()
+            // separate camelCase words
+            .regexpReplaceAll("([a-z])([A-Z])", "$1_$2") and
+      str.regexpMatch("(?i).*(edit|delete|modify|change).*") and
+      not str.regexpMatch("(?i).*(on_?change|changed).*")
+    )
+  }
+
+  /** Holds if this method may be intended to be restricted to admin users */
+  predicate isAdmin() {
+    this.getADescription()
+        // separate camelCase words
+        .regexpReplaceAll("([a-z])([A-Z])", "$1_$2")
+        .regexpMatch("(?i).*(admin|superuser).*")
+  }
+
+  /** Gets a callable for which if it contains an auth check, this method should be considered authenticated. */
+  Callable getAnAuthorizingCallable() { result = this }
+
+  /**
+   * Gets a possible url route that could refer to this action,
+   * which would be covered by `<location>` configurations specifying a prefix of it.
+   */
+  string getARoute() { result = this.getDeclaringType().getFile().getRelativePath() }
+}
+
+/** An action method in the MVC framework. */
+private class MvcActionMethod extends ActionMethod {
+  MvcActionMethod() { this = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod() }
+}
+
+/** An action method on a subclass of `System.Web.UI.Page`. */
+private class WebFormActionMethod extends ActionMethod {
+  WebFormActionMethod() {
+    this.getDeclaringType().getBaseClass+() instanceof SystemWebUIPageClass and
+    this.getAParameter().getType().getName().matches("%EventArgs")
+  }
+
+  override Callable getAnAuthorizingCallable() {
+    result = super.getAnAuthorizingCallable()
+    or
+    pageLoad(result, this.getDeclaringType())
+  }
+
+  override string getARoute() {
+    exists(string physicalRoute | physicalRoute = super.getARoute() |
+      result = physicalRoute
+      or
+      exists(string absolutePhysical |
+        virtualRouteMapping(result, absolutePhysical) and
+        physicalRouteMatches(absolutePhysical, physicalRoute)
+      )
+    )
+  }
+}
+
+pragma[nomagic]
+private predicate pageLoad(Callable c, Type decl) {
+  c.getName() = "Page_Load" and
+  decl = c.getDeclaringType()
+}
+
+/**
+ * Holds if `virtualRoute` is a URL path
+ * that can map to the corresponding `physicalRoute` filepath
+ * through a call to `MapPageRoute`
+ */
+private predicate virtualRouteMapping(string virtualRoute, string physicalRoute) {
+  exists(MethodCall mapPageRouteCall, StringLiteral virtualLit, StringLiteral physicalLit |
+    mapPageRouteCall
+        .getTarget()
+        .hasQualifiedName("System.Web.Routing", "RouteCollection", "MapPageRoute") and
+    virtualLit = mapPageRouteCall.getArgument(1) and
+    physicalLit = mapPageRouteCall.getArgument(2) and
+    virtualLit.getValue() = virtualRoute and
+    physicalLit.getValue() = physicalRoute
+  )
+}
+
+/** Holds if the filepath `route` can refer to `actual` after expanding a '~". */
+bindingset[route, actual]
+private predicate physicalRouteMatches(string route, string actual) {
+  route = actual
+  or
+  route.charAt(0) = "~" and
+  exists(string dir | actual = dir + route.suffix(1) + ".cs")
+}

csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll

@@ -0,0 +1,96 @@
+/** Definitions for the Insecure Direct Object Reference query */
+
+import csharp
+import semmle.code.csharp.dataflow.flowsources.Remote
+import ActionMethods
+
+/**
+ * Holds if `m` is a method that may require checks
+ * against the current user to modify a particular resource.
+ */
+// We exclude admin methods as it may be expected that an admin user should be able to modify any resource.
+// Other queries check that there are authorization checks in place for admin methods.
+private predicate needsChecks(ActionMethod m) { m.isEdit() and not m.isAdmin() }
+
+/**
+ * Holds if `m` has a parameter or access a remote flow source
+ * that may indicate that it's used as the ID for some resource
+ */
+private predicate hasIdParameter(ActionMethod m) {
+  exists(RemoteFlowSource src | src.getEnclosingCallable() = m |
+    src.asParameter().getName().toLowerCase().matches(["%id", "%idx"])
+    or
+    // handle cases like `Request.QueryString["Id"]`
+    exists(StringLiteral idStr, IndexerCall idx |
+      idStr.getValue().toLowerCase().matches(["%id", "%idx"]) and
+      TaintTracking::localTaint(src, DataFlow::exprNode(idx.getQualifier())) and
+      DataFlow::localExprFlow(idStr, idx.getArgument(0))
+    )
+  )
+}
+
+private predicate authorizingCallable(Callable c) {
+  exists(string name | name = c.getName().toLowerCase() |
+    name.matches(["%user%", "%session%"]) and
+    not name.matches("%get%by%") // methods like `getUserById` or `getXByUsername` aren't likely to be referring to the current user
+  )
+}
+
+/** Holds if `m` at some point in its call graph may make some kind of check against the current user. */
+private predicate checksUser(ActionMethod m) {
+  exists(Callable c |
+    authorizingCallable(c) and
+    callsPlus(m, c)
+  )
+}
+
+private predicate calls(Callable c1, Callable c2) { c1.calls(c2) }
+
+private predicate callsPlus(Callable c1, Callable c2) = fastTC(calls/2)(c1, c2)
+
+/** Holds if `m`, its containing class, or a parent class has an attribute that extends `AuthorizeAttribute` */
+private predicate hasAuthorizeAttribute(ActionMethod m) {
+  exists(Attribute attr |
+    attr.getType()
+        .getABaseType*()
+        .hasQualifiedName([
+            "Microsoft.AspNetCore.Authorization", "System.Web.Mvc", "System.Web.Http"
+          ], "AuthorizeAttribute")
+  |
+    attr = m.getOverridee*().getAnAttribute() or
+    attr = m.getDeclaringType().getABaseType*().getAnAttribute()
+  )
+}
+
+/** Holds if `m`, its containing class, or a parent class has an attribute that extends `AllowAnonymousAttribute` */
+private predicate hasAllowAnonymousAttribute(ActionMethod m) {
+  exists(Attribute attr |
+    attr.getType()
+        .getABaseType*()
+        .hasQualifiedName([
+            "Microsoft.AspNetCore.Authorization", "System.Web.Mvc", "System.Web.Http"
+          ], "AllowAnonymousAttribute")
+  |
+    attr = m.getOverridee*().getAnAttribute() or
+    attr = m.getDeclaringType().getABaseType*().getAnAttribute()
+  )
+}
+
+/** Holds if `m` is authorized via an `Authorize` attribute */
+private predicate isAuthorizedViaAttribute(ActionMethod m) {
+  hasAuthorizeAttribute(m) and
+  not hasAllowAnonymousAttribute(m)
+}
+
+/**
+ * Holds if `m` is a method that modifies a particular resource based on
+ * an ID provided by user input, but does not check anything based on the current user
+ * to determine if they should modify this resource.
+ */
+predicate hasInsecureDirectObjectReference(ActionMethod m) {
+  needsChecks(m) and
+  hasIdParameter(m) and
+  not checksUser(m) and
+  not isAuthorizedViaAttribute(m) and
+  exists(m.getBody().getAChildStmt())
+}

csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll

@@ -4,96 +4,10 @@ import csharp
 import semmle.code.csharp.frameworks.microsoft.AspNetCore
 import semmle.code.csharp.frameworks.system.web.UI
 import semmle.code.asp.WebConfig
+import ActionMethods
 
-/** A method representing an action for a web endpoint. */
-abstract class ActionMethod extends Method {
-  /**
-   * Gets a string that can indicate what this method does to determine if it should have an auth check;
-   * such as its method name, class name, or file path.
-   */
-  string getADescription() {
-    result =
-      [
-        this.getName(), this.getDeclaringType().getBaseClass*().getName(),
-        this.getDeclaringType().getFile().getRelativePath()
-      ]
-  }
-
-  /** Holds if this method may need an authorization check. */
-  predicate needsAuth() {
-    this.getADescription()
-        .regexpReplaceAll("([a-z])([A-Z])", "$1_$2")
-        // separate camelCase words
-        .toLowerCase()
-        .regexpMatch(".*(edit|delete|modify|admin|superuser).*")
-  }
-
-  /** Gets a callable for which if it contains an auth check, this method should be considered authenticated. */
-  Callable getAnAuthorizingCallable() { result = this }
-
-  /**
-   * Gets a possible url route that could refer to this action,
-   * which would be covered by `<location>` configurations specifying a prefix of it.
-   */
-  string getARoute() { result = this.getDeclaringType().getFile().getRelativePath() }
-}
-
-/** An action method in the MVC framework. */
-private class MvcActionMethod extends ActionMethod {
-  MvcActionMethod() { this = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod() }
-}
-
-/** An action method on a subclass of `System.Web.UI.Page`. */
-private class WebFormActionMethod extends ActionMethod {
-  WebFormActionMethod() {
-    this.getDeclaringType().getBaseClass+() instanceof SystemWebUIPageClass and
-    this.getAParameter().getType().getName().matches("%EventArgs")
-  }
-
-  override Callable getAnAuthorizingCallable() {
-    result = super.getAnAuthorizingCallable()
-    or
-    result.getDeclaringType() = this.getDeclaringType() and
-    result.getName() = "Page_Load"
-  }
-
-  override string getARoute() {
-    exists(string physicalRoute | physicalRoute = super.getARoute() |
-      result = physicalRoute
-      or
-      exists(string absolutePhysical |
-        virtualRouteMapping(result, absolutePhysical) and
-        physicalRouteMatches(absolutePhysical, physicalRoute)
-      )
-    )
-  }
-}
-
-/**
- * Holds if `virtualRoute` is a URL path
- * that can map to the corresponding `physicalRoute` filepath
- * through a call to `MapPageRoute`
- */
-private predicate virtualRouteMapping(string virtualRoute, string physicalRoute) {
-  exists(MethodCall mapPageRouteCall, StringLiteral virtualLit, StringLiteral physicalLit |
-    mapPageRouteCall
-        .getTarget()
-        .hasQualifiedName("System.Web.Routing", "RouteCollection", "MapPageRoute") and
-    virtualLit = mapPageRouteCall.getArgument(1) and
-    physicalLit = mapPageRouteCall.getArgument(2) and
-    virtualLit.getValue() = virtualRoute and
-    physicalLit.getValue() = physicalRoute
-  )
-}
-
-/** Holds if the filepath `route` can refer to `actual` after expanding a '~". */
-bindingset[route, actual]
-private predicate physicalRouteMatches(string route, string actual) {
-  route = actual
-  or
-  route.charAt(0) = "~" and
-  exists(string dir | actual = dir + route.suffix(1) + ".cs")
-}
+/** Holds if the method `m` may need an authorization check. */
+predicate needsAuth(ActionMethod m) { m.isEdit() or m.isAdmin() }
 
 /** An expression that indicates that some authorization/authentication check is being performed. */
 class AuthExpr extends Expr {
@@ -114,7 +28,7 @@ class AuthExpr extends Expr {
 
 /** Holds if `m` is a method that should have an auth check, and does indeed have one. */
 predicate hasAuthViaCode(ActionMethod m) {
-  m.needsAuth() and
+  needsAuth(m) and
   exists(Callable caller, AuthExpr auth |
     m.getAnAuthorizingCallable().calls*(caller) and
     auth.getEnclosingCallable() = caller
@@ -175,7 +89,7 @@ predicate hasAuthViaAttribute(ActionMethod m) {
 
 /** Holds if `m` is a method that should have an auth check, but is missing it. */
 predicate missingAuth(ActionMethod m) {
-  m.needsAuth() and
+  needsAuth(m) and
   not hasAuthViaCode(m) and
   not hasAuthViaXml(m) and
   not hasAuthViaAttribute(m) and

csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp

@@ -0,0 +1,30 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Resources like comments or user profiles can be accessed and modified through an action method. To target a certain resource, the action method accepts an ID parameter pointing to that specific resource. If the methods do not check that the current user is authorized to access the specified resource, an attacker can access a resource by guessing or otherwise determining the linked ID parameter.</p>
+
+</overview>
+<recommendation>
+<p>
+Ensure that the current user is authorized to access the resource of the provided ID.
+</p>
+
+</recommendation>
+<example>
+<p>In the following example, in the "BAD" case, there is no authorization check, so any user can edit any comment for which they guess or determine the ID parameter.
+The "GOOD" case includes a check that the current user matches the author of the comment, preventing unauthorized access.</p>
+<sample src="WebFormsExample.cs" />
+<p>The following example shows a similar scenario for the ASP.NET Core framework. As above, the "BAD" case provides an example with no authorization check, and the first "GOOD" case provides an example with a check that the current user authored the specified comment. Additionally, in the second "GOOD" case, the `Authorize` attribute is used to restrict the method to administrators, who are expected to be able to access arbitrary resources.</p>
+<sample src="MVCExample.cs" />
+
+</example>
+<references>
+
+  <li>OWASP: <a href="https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">Insecure Direct Object Refrences</a>.</li>
+  <li>OWASP: <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References">Testing for Insecure Direct Object References</a>.</li>
+  <li>Microsoft Learn: <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
+
+</references>
+</qhelp>

csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Insecure Direct Object Reference
+ * @description Using user input to control which object is modified without
+ *              proper authorization checks allows an attacker to modify arbitrary objects.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id cs/web/insecure-direct-object-reference
+ * @tags security
+ *       external/cwe-639
+ */
+
+import csharp
+import semmle.code.csharp.security.auth.InsecureDirectObjectReferenceQuery
+
+from ActionMethod m
+where hasInsecureDirectObjectReference(m)
+select m,
+  "This method may be missing authorization checks for which users can access the resource of the provided ID."