github
False positive: Insecure Direct Object Reference (cs/web/insecure-direct-object-reference) and Missing function level access control (cs/web/missing-function-level-access-control)
Description of the false positive
In a C# project, we have dozens of potential false positives for "Insecure Direct Object Reference (cs/web/insecure-direct-object-reference)" and "Missing function level access control (cs/web/missing-function-level-access-control)" due to the custom authorization that we use via an attribute. Please see the code example below. What would you suggest as a mitigation in this situation?
Code samples or links to source code
[Function(Functions.Event.Add)]
public void PublicFunction() {
Function1();
}
private void Function1() {
Function2();
}
private void Function2(id) {
// load object id <= Insecure Direct Object Reference (cs/web/insecure-direct-object-reference)
}
where the [Function] attribute takes the user's identity and looks if it is authorized for a specific system function. This checks for both authentication and authorization.
The "Missing function level access control (cs/web/missing-function-level-access-control)" is often reported directly on the function declaration:
[Function(Functions = new[] { Functions.Location.Edit })]
public async Task<IActionResult> Edit(string name) // <= scanner reports insecure function
Thanks for the report. Unfortunately, it looks like this code is using a custom attribute-based system for authorization, which it is hard to see how the query could recognise using general rules. If you have a suggestion for a general heuristic that would take this into account, we could consider incorporating it — otherwise I’m afraid you will need to dismiss the false positives that result.
