Check for authorize attributes in more namespaces and on overridden methods

joefarebrother · joefarebrother · commit a2dce6be1487 · 2023-09-15T10:25:27.000+01:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
@@ -44,9 +44,11 @@ private predicate hasAuthorizeAttribute(ActionMethod m) {
   exists(Attribute attr |
     attr.getType()
         .getABaseType*()
-        .hasQualifiedName("Microsoft.AspNetCore.Authorization", "AuthorizeAttribute")
+        .hasQualifiedName([
+            "Microsoft.AspNetCore.Authorization", "System.Web.Mvc", "System.Web.Http"
+          ], "AuthorizeAttribute")
   |
-    attr = m.getAnAttribute() or
+    attr = m.getOverridee*().getAnAttribute() or
     attr = m.getDeclaringType().getABaseType*().getAnAttribute()
   )
 }
@@ -56,14 +58,16 @@ private predicate hasAllowAnonymousAttribute(ActionMethod m) {
   exists(Attribute attr |
     attr.getType()
         .getABaseType*()
-        .hasQualifiedName("Microsoft.AspNetCore.Authorization", "AllowAnonymousAttribute")
+        .hasQualifiedName([
+            "Microsoft.AspNetCore.Authorization", "System.Web.Mvc", "System.Web.Http"
+          ], "AllowAnonymousAttribute")
   |
-    attr = m.getAnAttribute() or
+    attr = m.getOverridee*().getAnAttribute() or
     attr = m.getDeclaringType().getABaseType*().getAnAttribute()
   )
 }
 
-/** Hols if `m` is authorized via an `Authorize` attribute */
+/** Holds if `m` is authorized via an `Authorize` attribute */
 private predicate isAuthorizedViaAttribute(ActionMethod m) {
   hasAuthorizeAttribute(m) and
   not hasAllowAnonymousAttribute(m)

Original file line number	Diff line number	Diff line change
`@@ -44,9 +44,11 @@ private predicate hasAuthorizeAttribute(ActionMethod m) {`
`44`	`44`	`exists(Attribute attr \|`
`45`	`45`	`attr.getType()`
`46`	`46`	`.getABaseType*()`
`47`		`- .hasQualifiedName("Microsoft.AspNetCore.Authorization", "AuthorizeAttribute")`
	`47`	`+ .hasQualifiedName([`
	`48`	`+ "Microsoft.AspNetCore.Authorization", "System.Web.Mvc", "System.Web.Http"`
	`49`	`+ ], "AuthorizeAttribute")`
`48`	`50`	`\|`
`49`		`- attr = m.getAnAttribute() or`
	`51`	`+ attr = m.getOverridee*().getAnAttribute() or`
`50`	`52`	`attr = m.getDeclaringType().getABaseType*().getAnAttribute()`
`51`	`53`	`)`
`52`	`54`	`}`
`@@ -56,14 +58,16 @@ private predicate hasAllowAnonymousAttribute(ActionMethod m) {`
`56`	`58`	`exists(Attribute attr \|`
`57`	`59`	`attr.getType()`
`58`	`60`	`.getABaseType*()`
`59`		`- .hasQualifiedName("Microsoft.AspNetCore.Authorization", "AllowAnonymousAttribute")`
	`61`	`+ .hasQualifiedName([`
	`62`	`+ "Microsoft.AspNetCore.Authorization", "System.Web.Mvc", "System.Web.Http"`
	`63`	`+ ], "AllowAnonymousAttribute")`
`60`	`64`	`\|`
`61`		`- attr = m.getAnAttribute() or`
	`65`	`+ attr = m.getOverridee*().getAnAttribute() or`
`62`	`66`	`attr = m.getDeclaringType().getABaseType*().getAnAttribute()`
`63`	`67`	`)`
`64`	`68`	`}`
`65`	`69`
`66`		-/** Hols if `m` is authorized via an `Authorize` attribute */
	`70`	+/** Holds if `m` is authorized via an `Authorize` attribute */
`67`	`71`	`private predicate isAuthorizedViaAttribute(ActionMethod m) {`
`68`	`72`	`hasAuthorizeAttribute(m) and`
`69`	`73`	`not hasAllowAnonymousAttribute(m)`