Add additional example to qhelp + additional resource

joefarebrother · joefarebrother · commit a022893f0fc6 · 2023-09-15T10:25:27.000+01:00
diff --git a/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp b/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
@@ -18,13 +18,16 @@ Ensure that the current user is authorized to access the resource of the provide
 <p>In the following example, in the case marked BAD, there is no authorization check, so any user is able to edit any comment.
 In the case marked GOOD, there is a check that the current usr matches the author of the comment.</p>
 <sample src="WebFormsExample.cs" />
+<p>The following example shows a similar case for the ASP.NET Core framweork.</p>
+<sample src="MVCExample.cs" />
 
 
 </example>
 <references>
 
   <li>OWASP - <a href="https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">Insecure Direct Object Refrences</a>.</li>
   <li>OWASP - <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References">Testing for Insecure Direct Object References</a>.</li>
+  <li>Microsoft Learn = <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/resourcebased?view=aspnetcore-7.0">Resource-based authorization in ASP.NET Core</a>.</li>
 
 </references>
 </qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-639/MVCExample.cs b/csharp/ql/src/Security Features/CWE-639/MVCExample.cs
@@ -0,0 +1,35 @@
+public class CommentController : Controller {
+    private readonly IAuthorizationService _authorizationService;
+    private readonly IDocumentRepository _commentRepository;
+
+    public CommentController(IAuthorizationService authorizationService,
+                              ICommentRepository commentRepository)
+    {
+        _authorizationService = authorizationService;
+        _commentRepository = commentRepository;
+    }
+
+    // BAD: Any user can access this.
+    public async Task<IActionResult> Edit1(int commentId, string text) {
+        Comment comment = _commentRepository.Find(commentId);
+        
+        comment.Text = text;
+
+        return View();
+    }
+
+    // GOOD: An authorization check is made.
+    public async Task<IActionResult> Edit2(int commentId, string text) {
+        Comment comment = _commentRepository.Find(commentId);
+        
+        var authResult = await _authorizationService.AuthorizeAsync(User, Comment, "EditPolicy");
+
+        if (authResult.Succeeded) {
+            comment.Text = text;
+            return View();
+        }
+        else {
+            return ForbidResult();
+        }
+    }
+}
