Skip to content

C#: Relax condition for authorize attributes on cs/web/missing-function-level-access-control. #19302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Apr 23, 2025

Conversation

michaelnebel
Copy link
Contributor

@michaelnebel michaelnebel commented Apr 14, 2025

The change note was made mostly using CoPilot chat.
With the right context (the query, query module and another change note) it produced reasonable output.

DCA is uneventful.

@michaelnebel michaelnebel marked this pull request as ready for review April 23, 2025 06:52
@Copilot Copilot AI review requested due to automatic review settings April 23, 2025 06:52
@michaelnebel michaelnebel requested a review from a team as a code owner April 23, 2025 06:52
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR relaxes the authorization conditions in the missing-function-level-access-control query and enhances test coverage around authorization attributes.

  • Introduces a new RequirePermissionAttribute (extending AuthorizeAttribute) for testing inheritance-based authorization
  • Reformats several controller action methods to improve clarity in the test cases
  • Updates the change note to document improved detection of authorization checks

Reviewed Changes

Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.

File Description
csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs Updated test controllers with various authorization scenarios, including the new RequirePermissionAttribute
csharp/ql/src/change-notes/2025-04-15-missing-function-level-access-control.md Added change note documenting enhanced query detection for authorization checks
Files not reviewed (3)
  • csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll: Language not supported
  • csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.expected: Language not supported
  • csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/MissingAccessControl.qlref: Language not supported
Comments suppressed due to low confidence (2)

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs:12

  • [nitpick] The '// $ Alert' marker is used to indicate a test case for missing authorization; consider adding a brief comment explaining its purpose to avoid confusion for new readers.
public ActionResult Delete1(int id) // $ Alert

csharp/ql/test/query-tests/Security Features/CWE-285/MissingAccessControl/MVCTests/ProfileController.cs:23

  • Using 'return null;' in an action method may cause unexpected behavior; consider returning a proper ActionResult (e.g., a ForbiddenResult) if this branch is meant to simulate unauthorized access.
return null;

@michaelnebel michaelnebel merged commit 62cb4bf into github:main Apr 23, 2025
23 checks passed
@michaelnebel michaelnebel deleted the csharp/missing-access-control branch April 23, 2025 07:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants