False positive: Insecure Direct Object Reference (cs/web/insecure-direct-object-reference) and Missing function level access control (cs/web/missing-function-level-access-control)
Issue #16327 · Open
alensiljak opened this issue on Apr 25, 2024 · 1 comment
Description of the false positive

In a C# project, we have dozens of potential false positives for "Insecure Direct Object Reference (cs/web/insecure-direct-object-reference)" and "Missing function level access control (cs/web/missing-function-level-access-control)" due to the custom authorization that we use via an attribute. Please see the code example below.

What would you suggest as a mitigation in this situation?
Code samples or links to source code
```csharp
[Function(Functions.Event.Add)]
public void PublicFunction(int id) {
    // id comes from the request; the [Function] attribute has already authorized the caller
    Function1(id);
}

private void Function1(int id) {
    Function2(id);
}

private void Function2(int id) {
    // load object id <= Insecure Direct Object Reference (cs/web/insecure-direct-object-reference)
}
```
where the [Function] attribute takes the user's identity and checks whether it is authorized for a specific system function. This checks for both authentication and authorization.
The "Missing function level access control (cs/web/missing-function-level-access-control)" is often reported directly on the function declaration:
```csharp
[Function(Functions = new[] { Functions.Location.Edit })]
public async Task<IActionResult> Edit(string name) // <= scanner reports insecure function
```
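As an added illustration (not code from the issue or from the CodeQL project), the following sketches what an attribute-based authorization check of the kind described above looks like in ASP.NET Core, implemented as an `IAuthorizationFilter` so that it runs before the action body. The attribute name `FunctionAttribute`, the `Functions` constants and the `"function"` claim type are assumptions chosen to match the shapes used in the report; the real project's attribute is not shown on the page.

```csharp
// Added example: a custom attribute that performs both the authentication and
// the authorization check before an action runs. Everything the action and its
// private callees do afterwards (including loading objects by id) relies on this
// filter having rejected unauthorized callers, which is exactly the part a static
// analyzer cannot see when it only recognises standard authorization patterns.
using System;
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Assumed catalogue of system functions (constructed for this example).
public static class Functions
{
    public static class Event    { public const string Add  = "event.add"; }
    public static class Location { public const string Edit = "location.edit"; }
}

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public sealed class FunctionAttribute : Attribute, IAuthorizationFilter
{
    // Settable so both [Function("x")] and [Function(Functions = new[] { ... })] compile.
    public string[] Functions { get; set; } = Array.Empty<string>();

    public FunctionAttribute() { }
    public FunctionAttribute(string function) => Functions = new[] { function };

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;

        // Authentication: anonymous callers get 401 and the action never executes.
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.Result = new UnauthorizedResult();
            return;
        }

        // Authorization: the principal must carry a "function" claim (assumed claim
        // type) for every system function the attribute requires; otherwise 403.
        var granted = user.FindAll("function")
                          .Select(c => c.Value)
                          .ToHashSet(StringComparer.Ordinal);
        if (!Functions.All(granted.Contains))
        {
            context.Result = new ForbidResult();
        }
    }
}

public class LocationController : Controller
{
    [Function(Functions = new[] { Functions.Location.Edit })]
    public IActionResult Edit(string name) => Ok($"editing {name}");
}
```

Because the check lives in a project-specific filter, the query has no general rule that tells it the action is protected. One design option, offered here as a suggestion rather than something the page confirms the query models, is to express the same requirement as an ASP.NET Core authorization policy (an `IAuthorizationRequirement` plus `AuthorizationHandler<T>`) and apply it with the standard `[Authorize(Policy = "...")]` attribute, which keeps the authorization decision in the framework's own pipeline where tooling is more likely to recognise it.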
Thanks for the report. Unfortunately, it looks like this code is using a custom attribute-based system for authorization, which it is hard to see how the query could recognise using general rules. If you have a suggestion for a general heuristic that would take this into account, we could consider incorporating it — otherwise I’m afraid you will need to dismiss the false positives that result.