Skip to content

Commit 63b3e16

Browse files
joefarebrotherjoefarebrother
committed
Support Authorize attribute
1 parent 29b5f14 commit 63b3e16

1 file changed

Lines changed: 23 additions & 8 deletions

File tree

csharp/ql/lib/semmle/code/csharp/security/auth/MissingFunctionLevelAccessControlQuery.qll

Lines changed: 23 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -19,10 +19,13 @@ abstract class ActionMethod extends Method {
1919
}
2020

2121
Callable getAnAuthorizingCallable() { result = this }
22+
23+
string getARoute() { result = this.getDeclaringType().getFile().getRelativePath() }
2224
}
2325

2426
private class MvcActionMethod extends ActionMethod {
2527
MvcActionMethod() { this = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod() }
28+
// override string getARoute() { none() }
2629
}
2730

2831
private class WebFormActionMethod extends ActionMethod {
@@ -83,26 +86,38 @@ class AuthorizationXmlElement extends XmlElement {
8386
result = path.getValue()
8487
)
8588
}
89+
90+
string getARoute() {
91+
result = this.getLocationTagPath()
92+
or
93+
result = this.getPhysicalPath() + "/" + this.getLocationTagPath()
94+
or
95+
not exists(this.getLocationTagPath()) and
96+
result = this.getPhysicalPath()
97+
}
8698
}
8799

88100
/**
89101
* Holds if the given action has an xml `authorization` tag that refers to it.
90102
* TODO: Currently only supports physical paths, however virtual paths defined by `AddRoute` can also be used.
91103
*/
92104
predicate hasAuthViaXml(ActionMethod m) {
93-
exists(AuthorizationXmlElement el, string path, string rest |
94-
path = (el.getPhysicalPath() + "/" + el.getLocationTagPath())
95-
or
96-
not exists(el.getLocationTagPath()) and
97-
path = el.getPhysicalPath()
98-
|
105+
exists(AuthorizationXmlElement el, string rest |
99106
el.hasDenyElement() and
100-
m.getDeclaringType().getFile().getRelativePath() = path + rest
107+
m.getARoute() = el.getARoute() + rest
101108
)
102109
}
103110

111+
predicate hasAuthViaAttribute(ActionMethod m) {
112+
[m.getAnAttribute(), m.getDeclaringType().getAnAttribute()]
113+
.getType()
114+
.hasQualifiedName("Microsoft.AspNetCore.Authorization", "AuthorizeAttribute")
115+
}
116+
104117
/** Holds if `m` is a method that should have an auth check, but is missing it. */
105118
predicate missingAuth(ActionMethod m) {
106119
m.needsAuth() and
107-
not hasAuthViaCode(m)
120+
not hasAuthViaCode(m) and
121+
not hasAuthViaXml(m) and
122+
not hasAuthViaAttribute(m)
108123
}

0 commit comments

Comments
 (0)