Merge pull request github#13094 from joefarebrother/csharp-missing-access-control

C#: Add query for missing function level access control

Author: joefarebrother

csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll

@@ -0,0 +1,183 @@
+/** Definitions for the missing function level access control query */
+
+import csharp
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.frameworks.system.web.UI
+import semmle.code.asp.WebConfig
+
+/** A method representing an action for a web endpoint. */
+abstract class ActionMethod extends Method {
+  /**
+   * Gets a string that can indicate what this method does to determine if it should have an auth check;
+   * such as its method name, class name, or file path.
+   */
+  string getADescription() {
+    result =
+      [
+        this.getName(), this.getDeclaringType().getBaseClass*().getName(),
+        this.getDeclaringType().getFile().getRelativePath()
+      ]
+  }
+
+  /** Holds if this method may need an authorization check. */
+  predicate needsAuth() {
+    this.getADescription()
+        .regexpReplaceAll("([a-z])([A-Z])", "$1_$2")
+        // separate camelCase words
+        .toLowerCase()
+        .regexpMatch(".*(edit|delete|modify|admin|superuser).*")
+  }
+
+  /** Gets a callable for which if it contains an auth check, this method should be considered authenticated. */
+  Callable getAnAuthorizingCallable() { result = this }
+
+  /**
+   * Gets a possible url route that could refer to this action,
+   * which would be covered by `<location>` configurations specifying a prefix of it.
+   */
+  string getARoute() { result = this.getDeclaringType().getFile().getRelativePath() }
+}
+
+/** An action method in the MVC framework. */
+private class MvcActionMethod extends ActionMethod {
+  MvcActionMethod() { this = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod() }
+}
+
+/** An action method on a subclass of `System.Web.UI.Page`. */
+private class WebFormActionMethod extends ActionMethod {
+  WebFormActionMethod() {
+    this.getDeclaringType().getBaseClass+() instanceof SystemWebUIPageClass and
+    this.getAParameter().getType().getName().matches("%EventArgs")
+  }
+
+  override Callable getAnAuthorizingCallable() {
+    result = super.getAnAuthorizingCallable()
+    or
+    result.getDeclaringType() = this.getDeclaringType() and
+    result.getName() = "Page_Load"
+  }
+
+  override string getARoute() {
+    exists(string physicalRoute | physicalRoute = super.getARoute() |
+      result = physicalRoute
+      or
+      exists(string absolutePhysical |
+        virtualRouteMapping(result, absolutePhysical) and
+        physicalRouteMatches(absolutePhysical, physicalRoute)
+      )
+    )
+  }
+}
+
+/**
+ * Holds if `virtualRoute` is a URL path
+ * that can map to the corresponding `physicalRoute` filepath
+ * through a call to `MapPageRoute`
+ */
+private predicate virtualRouteMapping(string virtualRoute, string physicalRoute) {
+  exists(MethodCall mapPageRouteCall, StringLiteral virtualLit, StringLiteral physicalLit |
+    mapPageRouteCall
+        .getTarget()
+        .hasQualifiedName("System.Web.Routing", "RouteCollection", "MapPageRoute") and
+    virtualLit = mapPageRouteCall.getArgument(1) and
+    physicalLit = mapPageRouteCall.getArgument(2) and
+    virtualLit.getValue() = virtualRoute and
+    physicalLit.getValue() = physicalRoute
+  )
+}
+
+/** Holds if the filepath `route` can refer to `actual` after expanding a '~". */
+bindingset[route, actual]
+private predicate physicalRouteMatches(string route, string actual) {
+  route = actual
+  or
+  route.charAt(0) = "~" and
+  exists(string dir | actual = dir + route.suffix(1) + ".cs")
+}
+
+/** An expression that indicates that some authorization/authentication check is being performed. */
+class AuthExpr extends Expr {
+  AuthExpr() {
+    this.(MethodCall)
+        .getTarget()
+        .hasQualifiedName("System.Security.Principal", "IPrincipal", "IsInRole")
+    or
+    this.(PropertyAccess)
+        .getTarget()
+        .hasQualifiedName("System.Security.Principal", "IIdentity", ["IsAuthenticated", "Name"])
+    or
+    this.(MethodCall).getTarget().getName().toLowerCase().matches("%auth%")
+    or
+    this.(PropertyAccess).getTarget().getName().toLowerCase().matches("%auth%")
+  }
+}
+
+/** Holds if `m` is a method that should have an auth check, and does indeed have one. */
+predicate hasAuthViaCode(ActionMethod m) {
+  m.needsAuth() and
+  exists(Callable caller, AuthExpr auth |
+    m.getAnAuthorizingCallable().calls*(caller) and
+    auth.getEnclosingCallable() = caller
+  )
+}
+
+/** An `<authorization>` XML element. */
+class AuthorizationXmlElement extends XmlElement {
+  AuthorizationXmlElement() {
+    this.getParent() instanceof SystemWebXmlElement and
+    this.getName().toLowerCase() = "authorization"
+  }
+
+  /** Holds if this element has a `<deny>` element to deny access to a resource. */
+  predicate hasDenyElement() { this.getAChild().getName().toLowerCase() = "deny" }
+
+  /** Gets the physical filepath of this element. */
+  string getPhysicalPath() { result = this.getFile().getParentContainer().getRelativePath() }
+
+  /** Gets the path specified by a `<location>` tag containing this element, if any. */
+  string getLocationTagPath() {
+    exists(LocationXmlElement loc, XmlAttribute path |
+      loc = this.getParent().(SystemWebXmlElement).getParent() and
+      path = loc.getAnAttribute() and
+      path.getName().toLowerCase() = "path" and
+      result = path.getValue()
+    )
+  }
+
+  /** Gets a route prefix that this configuration can refer to. */
+  string getARoute() {
+    result = this.getLocationTagPath()
+    or
+    result = this.getPhysicalPath() + "/" + this.getLocationTagPath()
+    or
+    not exists(this.getLocationTagPath()) and
+    result = this.getPhysicalPath()
+  }
+}
+
+/**
+ * Holds if the given action has an xml `authorization` tag that refers to it.
+ */
+predicate hasAuthViaXml(ActionMethod m) {
+  exists(AuthorizationXmlElement el, string rest |
+    el.hasDenyElement() and
+    m.getARoute() = el.getARoute() + rest
+  )
+}
+
+/** Holds if the given action has an attribute that indications authorization. */
+predicate hasAuthViaAttribute(ActionMethod m) {
+  exists(Attribute attr | attr.getType().getName().toLowerCase().matches("%auth%") |
+    attr = m.getAnAttribute() or
+    attr = m.getDeclaringType().getABaseType*().getAnAttribute()
+  )
+}
+
+/** Holds if `m` is a method that should have an auth check, but is missing it. */
+predicate missingAuth(ActionMethod m) {
+  m.needsAuth() and
+  not hasAuthViaCode(m) and
+  not hasAuthViaXml(m) and
+  not hasAuthViaAttribute(m) and
+  exists(m.getBody().getAChildStmt()) // exclude empty methods
+}

csharp/ql/src/Security Features/CWE-285/MVC.cs

@@ -0,0 +1,13 @@
+public class ProfileController : Controller {
+
+    // BAD: No authorization is used.
+    public ActionResult Edit(int id) {
+        ...
+    }
+
+    // GOOD: The `Authorize` attribute is used.
+    [Authorize]
+    public ActionResult Delete(int id) {
+        ...
+    }
+}

csharp/ql/src/Security Features/CWE-285/MissingAccessControl.qhelp

@@ -0,0 +1,54 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Sensitive actions, such as editing or deleting content, or accessing admin pages, should have authorization checks 
+to ensure that they cannot be used by malicious actors.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Ensure that proper authorization checks are made for sensitive actions. 
+For WebForms applications, the <code>authorization</code> tag in <code>Web.config</code> XML files 
+can be used to implement access control. The <code>System.Web.UI.Page.User</code> property can also be 
+used to verify a user's role. 
+For MVC applications, the <code>Authorize</code> attribute can be used to require authorization on specific 
+action methods.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+In the following WebForms example, the case marked BAD has no authorization checks whereas the 
+case marked GOOD uses <code>User.IsInRole</code> to check for the user's role.
+</p>
+
+<sample src="WebForms.cs" />
+
+<p>
+The following <code>Web.config</code> file uses the <code>authorization</code> tag to deny access to anonymous users,
+in a <code>location</code> tag to have that configuration apply to a specific path.
+</p>
+
+<sample src="Web.config" />
+
+<p>
+In the following MVC example, the case marked BAD has no authorization
+checks whereas the case marked GOOD uses the <code>Authorize</code> attribute.
+</p>
+
+<sample src="MVC.cs" />
+
+</example>
+<references>
+<li><code>Page.User</code> Property - <a href="https://learn.microsoft.com/en-us/dotnet/api/system.web.ui.page.user?view=netframework-4.8.1#system-web-ui-page-user">Microsoft Learn</a>.</li>
+<li>Control authorization permissions in an ASP.NET application - <a href="https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/www-authentication-authorization/authorization-permissions">Microsoft Learn</a>.</li>
+<li>Simple authorization in ASP.NET Core - <a href="https://learn.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0">Microsoft Learn</a>.</li>
+</references>
+</qhelp>

csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Missing function level access control
+ * @description Sensitive actions should have authorization checks to prevent them from being used by malicious actors.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id cs/web/missing-function-level-access-control
+ * @tags security
+ *       external/cwe/cwe-285
+ *       external/cwe/cwe-284
+ *       external/cwe/cwe-862
+ */
+
+import csharp
+import semmle.code.csharp.security.auth.MissingFunctionLevelAccessControlQuery
+
+from Method m
+where missingAuth(m)
+select m, "This action is missing an authorization check."

csharp/ql/src/Security Features/CWE-285/Web.config

@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+  <location path="User/Profile">
+    <system.web>
+      <authorization>
+        <deny users="?" />
+      </authorization>
+    </system.web>
+  </location>
+</configuration>

csharp/ql/src/Security Features/CWE-285/WebForms.cs

@@ -0,0 +1,14 @@
+class ProfilePage : System.Web.UI.Page {
+    // BAD: No authorization is used
+    protected void btn1_Edit_Click(object sender, EventArgs e) {
+        ...
+    }
+
+    // GOOD: `User.IsInRole` checks the current user's role.
+    protected void btn2_Delete_Click(object sender, EventArgs e) {
+        if (!User.IsInRole("admin")) {
+            return;
+        }
+        ...
+    }
+} 

csharp/ql/src/change-notes/2023-06-14-missing-access-control.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `cs/web/missing-function-level-access-control`, to find instances of missing authorization checks.

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.expected

@@ -0,0 +1 @@
+| ProfileController.cs:9:25:9:31 | Delete1 | This action is missing an authorization check. |

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.qlref

@@ -0,0 +1 @@
+Security Features/CWE-285/MissingAccessControl.ql

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs

@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+
+public class ProfileController : Controller {
+    private void doThings() { }
+    private bool isAuthorized() { return false; }
+
+    // BAD: This is a Delete method, but no auth is specified.
+    public ActionResult Delete1(int id) {
+        doThings();
+        return View();
+    }
+
+    // GOOD: isAuthorized is checked.
+    public ActionResult Delete2(int id) {
+        if (!isAuthorized()) {
+            return null;
+        }
+        doThings();
+        return View();
+    }
+
+    // GOOD: The Authorize attribute is used.
+    [Authorize]
+    public ActionResult Delete3(int id) {
+        doThings();
+        return View();
+    }
+
+}