Add insecure direct object reference definitions and factor out those from missing access control

joefarebrother · joefarebrother · commit a510a7b4c0ac · 2023-09-15T10:25:26.000+01:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/ActionMethods.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/ActionMethods.qll
@@ -0,0 +1,107 @@
+/** Common definitions for queries checking for access control measures on action methods. */
+
+import csharp
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.frameworks.system.web.UI
+
+/** A method representing an action for a web endpoint. */
+abstract class ActionMethod extends Method {
+  /**
+   * Gets a string that can indicate what this method does to determine if it should have an auth check;
+   * such as its method name, class name, or file path.
+   */
+  string getADescription() {
+    result = [this.getName(), this.getDeclaringType().getBaseClass*().getName(), this.getARoute()]
+  }
+
+  /** Holds if this method may represent a stateful action such as editing or deleting */
+  predicate isEdit() {
+    exists(string str |
+      str =
+        this.getADescription()
+            // separate camelCase words
+            .regexpReplaceAll("([a-z])([A-Z])", "$1_$2")
+            .toLowerCase() and
+      str.regexpMatch(".*(edit|delete|modify|change).*") and
+      not str.regexpMatch(".*(on_?change|changed).*")
+    )
+  }
+
+  /** Holds if this method may be intended to be restricted to admin users */
+  predicate isAdmin() {
+    this.getADescription()
+        // separate camelCase words
+        .regexpReplaceAll("([a-z])([A-Z])", "$1_$2")
+        .toLowerCase()
+        .regexpMatch(".*(admin|superuser).*")
+  }
+
+  /** Holds if this method may need an authorization check. */
+  predicate needsAuth() { this.isEdit() or this.isAdmin() }
+
+  /** Gets a callable for which if it contains an auth check, this method should be considered authenticated. */
+  Callable getAnAuthorizingCallable() { result = this }
+
+  /**
+   * Gets a possible url route that could refer to this action,
+   * which would be covered by `<location>` configurations specifying a prefix of it.
+   */
+  string getARoute() { result = this.getDeclaringType().getFile().getRelativePath() }
+}
+
+/** An action method in the MVC framework. */
+private class MvcActionMethod extends ActionMethod {
+  MvcActionMethod() { this = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod() }
+}
+
+/** An action method on a subclass of `System.Web.UI.Page`. */
+private class WebFormActionMethod extends ActionMethod {
+  WebFormActionMethod() {
+    this.getDeclaringType().getBaseClass+() instanceof SystemWebUIPageClass and
+    this.getAParameter().getType().getName().matches("%EventArgs")
+  }
+
+  override Callable getAnAuthorizingCallable() {
+    result = super.getAnAuthorizingCallable()
+    or
+    result.getDeclaringType() = this.getDeclaringType() and
+    result.getName() = "Page_Load"
+  }
+
+  override string getARoute() {
+    exists(string physicalRoute | physicalRoute = super.getARoute() |
+      result = physicalRoute
+      or
+      exists(string absolutePhysical |
+        virtualRouteMapping(result, absolutePhysical) and
+        physicalRouteMatches(absolutePhysical, physicalRoute)
+      )
+    )
+  }
+}
+
+/**
+ * Holds if `virtualRoute` is a URL path
+ * that can map to the corresponding `physicalRoute` filepath
+ * through a call to `MapPageRoute`
+ */
+private predicate virtualRouteMapping(string virtualRoute, string physicalRoute) {
+  exists(MethodCall mapPageRouteCall, StringLiteral virtualLit, StringLiteral physicalLit |
+    mapPageRouteCall
+        .getTarget()
+        .hasQualifiedName("System.Web.Routing", "RouteCollection", "MapPageRoute") and
+    virtualLit = mapPageRouteCall.getArgument(1) and
+    physicalLit = mapPageRouteCall.getArgument(2) and
+    virtualLit.getValue() = virtualRoute and
+    physicalLit.getValue() = physicalRoute
+  )
+}
+
+/** Holds if the filepath `route` can refer to `actual` after expanding a '~". */
+bindingset[route, actual]
+private predicate physicalRouteMatches(string route, string actual) {
+  route = actual
+  or
+  route.charAt(0) = "~" and
+  exists(string dir | actual = dir + route.suffix(1) + ".cs")
+}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectRefrerenceQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectRefrerenceQuery.qll
@@ -0,0 +1,28 @@
+/** Definitions for the Insecure Direct Object Reference query */
+
+import csharp
+import semmle.code.csharp.dataflow.flowsources.Remote
+import ActionMethods
+
+private predicate needsChecks(ActionMethod m) { m.isEdit() and not m.isAdmin() }
+
+private predicate hasIdParameter(ActionMethod m) {
+  exists(RemoteFlowSource src | src.getEnclosingCallable() = m |
+    src.asParameter().getName().toLowerCase().matches("%id")
+    or
+    exists(StringLiteral idStr |
+      idStr.getValue().toLowerCase().matches("%id") and
+      idStr.getParent*() = src.asExpr()
+    )
+  )
+}
+
+private predicate checksUser(ActionMethod m) {
+  exists(Callable c | c.getName().toLowerCase().matches("%user%") | m.calls*(c))
+}
+
+predicate hasInsecureDirectObjectReference(ActionMethod m) {
+  needsChecks(m) and
+  hasIdParameter(m) and
+  not checksUser(m)
+}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll
@@ -4,96 +4,7 @@ import csharp
 import semmle.code.csharp.frameworks.microsoft.AspNetCore
 import semmle.code.csharp.frameworks.system.web.UI
 import semmle.code.asp.WebConfig
-
-/** A method representing an action for a web endpoint. */
-abstract class ActionMethod extends Method {
-  /**
-   * Gets a string that can indicate what this method does to determine if it should have an auth check;
-   * such as its method name, class name, or file path.
-   */
-  string getADescription() {
-    result =
-      [
-        this.getName(), this.getDeclaringType().getBaseClass*().getName(),
-        this.getDeclaringType().getFile().getRelativePath()
-      ]
-  }
-
-  /** Holds if this method may need an authorization check. */
-  predicate needsAuth() {
-    this.getADescription()
-        .regexpReplaceAll("([a-z])([A-Z])", "$1_$2")
-        // separate camelCase words
-        .toLowerCase()
-        .regexpMatch(".*(edit|delete|modify|admin|superuser).*")
-  }
-
-  /** Gets a callable for which if it contains an auth check, this method should be considered authenticated. */
-  Callable getAnAuthorizingCallable() { result = this }
-
-  /**
-   * Gets a possible url route that could refer to this action,
-   * which would be covered by `<location>` configurations specifying a prefix of it.
-   */
-  string getARoute() { result = this.getDeclaringType().getFile().getRelativePath() }
-}
-
-/** An action method in the MVC framework. */
-private class MvcActionMethod extends ActionMethod {
-  MvcActionMethod() { this = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod() }
-}
-
-/** An action method on a subclass of `System.Web.UI.Page`. */
-private class WebFormActionMethod extends ActionMethod {
-  WebFormActionMethod() {
-    this.getDeclaringType().getBaseClass+() instanceof SystemWebUIPageClass and
-    this.getAParameter().getType().getName().matches("%EventArgs")
-  }
-
-  override Callable getAnAuthorizingCallable() {
-    result = super.getAnAuthorizingCallable()
-    or
-    result.getDeclaringType() = this.getDeclaringType() and
-    result.getName() = "Page_Load"
-  }
-
-  override string getARoute() {
-    exists(string physicalRoute | physicalRoute = super.getARoute() |
-      result = physicalRoute
-      or
-      exists(string absolutePhysical |
-        virtualRouteMapping(result, absolutePhysical) and
-        physicalRouteMatches(absolutePhysical, physicalRoute)
-      )
-    )
-  }
-}
-
-/**
- * Holds if `virtualRoute` is a URL path
- * that can map to the corresponding `physicalRoute` filepath
- * through a call to `MapPageRoute`
- */
-private predicate virtualRouteMapping(string virtualRoute, string physicalRoute) {
-  exists(MethodCall mapPageRouteCall, StringLiteral virtualLit, StringLiteral physicalLit |
-    mapPageRouteCall
-        .getTarget()
-        .hasQualifiedName("System.Web.Routing", "RouteCollection", "MapPageRoute") and
-    virtualLit = mapPageRouteCall.getArgument(1) and
-    physicalLit = mapPageRouteCall.getArgument(2) and
-    virtualLit.getValue() = virtualRoute and
-    physicalLit.getValue() = physicalRoute
-  )
-}
-
-/** Holds if the filepath `route` can refer to `actual` after expanding a '~". */
-bindingset[route, actual]
-private predicate physicalRouteMatches(string route, string actual) {
-  route = actual
-  or
-  route.charAt(0) = "~" and
-  exists(string dir | actual = dir + route.suffix(1) + ".cs")
-}
+import ActionMethods
 
 /** An expression that indicates that some authorization/authentication check is being performed. */
 class AuthExpr extends Expr {
