From fe0634574d970ebebd55eaf09e34f35831a91ec2 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Mon, 2 Feb 2026 11:09:26 +0100
Subject: [PATCH] C#: Add more tests for `InsecureDirectObjectReference.ql`
---
 .../CWE-639/MVCTests/CommentController.cs | 47 ++++++++++++++++---
 .../InsecureDirectObjectReference.expected | 4 +-
 2 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs
index 891e8374c1cc..d446c7ed4864 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/CommentController.cs
@@ -1,16 +1,28 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
+using System.Threading.Tasks;
+
+public class CommentController : Controller
+{
+ private readonly IAuthorizationService _authorizationService;
+
+ public CommentController(IAuthorizationService authorizationService)
+ {
+ _authorizationService = authorizationService;
+ }
 
-public class CommentController : Controller {
 // BAD: Any user can access this.
- public ActionResult Edit1(int commentId, string text) {
+ public ActionResult Edit1(int commentId, string text)
+ {
 editComment(commentId, text);
 return View();
 }
 
 // GOOD: The user's authorization is checked.
- public ActionResult Edit2(int commentId, string text) {
- if (canEditComment(commentId, User.Identity.Name)){
+ public ActionResult Edit2(int commentId, string text)
+ {
+ if (canEditComment(commentId, User.Identity.Name))
+ {
 editComment(commentId, text);
 }
 return View();
@@ -18,7 +30,8 @@ public ActionResult Edit2(int commentId, string text) {
 
 // GOOD: The Authorize attribute is used
 [Authorize]
- public ActionResult Edit3(int commentId, string text) {
+ public ActionResult Edit3(int commentId, string text)
+ {
 editComment(commentId, text);
 return View();
 }
@@ -26,7 +39,29 @@ public ActionResult Edit3(int commentId, string text) {
 // BAD: The AllowAnonymous attribute overrides the Authorize attribute
 [Authorize]
 [AllowAnonymous]
- public ActionResult Edit4(int commentId, string text) {
+ public ActionResult Edit4(int commentId, string text)
+ {
+ editComment(commentId, text);
+ return View();
+ }
+
+ // GOOD: An authorization check is made.
+ public async Task Edit5(int commentId, string text)
+ {
+ var authResult = await _authorizationService.AuthorizeAsync(User, "Comment", "EditPolicy");
+
+ if (authResult.Succeeded)
+ {
+ editComment(commentId, text);
+ return View();
+ }
+ return Forbid();
+ }
+
+ // GOOD: Only users with the `admin` role can access this method.
+ [Authorize(Roles = "admin")]
+ public async Task Edit6(int commentId, string text)
+ {
 editComment(commentId, text);
 return View();
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected
index 061b87dc6afe..e851a72f6a95 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-639/MVCTests/InsecureDirectObjectReference.expected
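Review bot: `Edit5` and `Edit6` are declared `async Task` yet return `View()` and `Forbid()` values, which the C# compiler rejects for a non-generic `Task` (the extractor may still record the methods, but the fixture then no longer compiles as real code); declaring them `public async Task<ActionResult> Edit5(int commentId, string text)` and `public async Task<ActionResult> Edit6(int commentId, string text)` keeps them consistent with the sibling `ActionResult` actions, and `Edit6` additionally contains no `await`, so it could drop `async` once the return type is generic. As documentation for the `Edit5` case, the comment would be more precise as `// GOOD: An authorization check is made (note the policy is evaluated against a constant resource, not the comment identified by commentId).`, since the `AuthorizeAsync` call passes the literal `"Comment"` and the query treats any such call as a sanitizer. The enclosing `CommentController` class continues past the end of this hunk.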
@@ -1,5 +1,5 @@
-| CommentController.cs:6:25:6:29 | Edit1 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
-| CommentController.cs:29:25:29:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| CommentController.cs:15:25:15:29 | Edit1 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
+| CommentController.cs:42:25:42:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | MiscTestControllers.cs:26:33:26:40 | EditAnon | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | MiscTestControllers.cs:34:34:34:41 | EditAnon | This method may be missing authorization checks for which users can access the resource of the provided ID. |
 | MiscTestControllers.cs:45:25:45:29 | Edit4 | This method may be missing authorization checks for which users can access the resource of the provided ID. |