@joefarebrother
Created August 21, 2023 12:40
Insecure Direct Object Reference (csharp) 55 results (3 repositories)

Results for "Insecure Direct Object Reference"

Query
/**
 * @name Insecure Direct Object Reference
 * @description Using user input to control which object is modified without
 *              proper authorization checks allows an attacker to modify arbitrary objects.
 * @kind problem
 * @problem.severity error
 * @security-severity 7.5
 * @precision medium
 * @id cs/insecure-direct-object-reference
 * @tags security
 *       external/cwe-639
 */

import csharp
import semmle.code.csharp.security.auth.InsecureDirectObjectReferenceQuery

from ActionMethod m
where hasInsecureDirectObjectReference(m)
select m,
  "This method does not verify which users should be able to access resources of the provided ID."

Summary

Repository Results
OrchardCMS/OrchardCore 30 result(s)
umbraco/Umbraco-CMS 13 result(s)
jellyfin/jellyfin 12 result(s)

OrchardCMS/OrchardCore

src/OrchardCore.Modules/OrchardCore.Contents/Controllers/ApiController.cs

        [HttpDelete]
        [Route("{contentItemId}")]
        public async Task<IActionResult> Delete(string contentItemId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.AccessContentApi))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Demo/Controllers/ContentController.cs


        [Admin]
        public async Task<ActionResult> Edit(string contentItemId)
        {
            var contentItem = await _contentManager.GetAsync(contentItemId);

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Demo/Controllers/ContentController.cs


        [Admin, HttpPost, ActionName("Edit")]
        public async Task<ActionResult> EditPost(string contentItemId)
        {
            var contentItem = await _contentManager.GetAsync(contentItemId);

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Deployment/Controllers/DeploymentPlanController.cs

        }

        public async Task<IActionResult> Edit(long id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageDeploymentPlan))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Deployment/Controllers/DeploymentPlanController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(long id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageDeploymentPlan))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Deployment/Controllers/StepController.cs

        }

        public async Task<IActionResult> Edit(long id, string stepId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageDeploymentPlan))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Deployment/Controllers/StepController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(long id, string stepId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageDeploymentPlan))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Deployment.Remote/Controllers/RemoteClientController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(string id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageRemoteClients))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Deployment.Remote/Controllers/RemoteClientController.cs

        }

        public async Task<IActionResult> Edit(string id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageRemoteClients))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Deployment.Remote/Controllers/RemoteInstanceController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(string id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageRemoteInstances))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Deployment.Remote/Controllers/RemoteInstanceController.cs

        }

        public async Task<IActionResult> Edit(string id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageRemoteInstances))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Layers/Controllers/LayerRuleController.cs

        }

        public async Task<IActionResult> Edit(string name, string conditionId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageLayers))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Layers/Controllers/LayerRuleController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(string name, string conditionId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageLayers))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ApplicationController.cs

        }

        public async Task<IActionResult> Edit(string id, string returnUrl = null)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ApplicationController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(string id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageApplications))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ScopeController.cs

        }

        public async Task<IActionResult> Edit(string id, string returnUrl = null)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageScopes))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ScopeController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(string id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageScopes))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Sitemaps/Controllers/SitemapIndexController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(string sitemapId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageSitemaps))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Sitemaps/Controllers/SitemapIndexController.cs

        }

        public async Task<IActionResult> Edit(string sitemapId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageSitemaps))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Sitemaps/Controllers/SourceController.cs

        }

        public async Task<IActionResult> Edit(string sitemapId, string sourceId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageSitemaps))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Sitemaps/Controllers/SourceController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(string sitemapId, string sourceId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageSitemaps))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Tenants/Controllers/FeatureProfilesController.cs

        }

        public async Task<IActionResult> Edit(string id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageTenantFeatureProfiles))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Tenants/Controllers/FeatureProfilesController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(string id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageTenantFeatureProfiles))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Workflows/Controllers/ActivityController.cs

        }

        public async Task<IActionResult> Edit(long workflowTypeId, string activityId, string returnUrl)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageWorkflows))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Workflows/Controllers/WorkflowController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(long id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageWorkflows))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Workflows/Controllers/WorkflowController.cs

        [ActionName(nameof(Index))]
        [FormValueRequired("submit.BulkAction")]
        public async Task<IActionResult> BulkEdit(long workflowTypeId, WorkflowIndexOptions options, PagerParameters pagerParameters, IEnumerable<long> itemIds)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageWorkflows))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Workflows/Controllers/WorkflowTypeController.cs

        }

        public async Task<IActionResult> Edit(long id, string localId)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageWorkflows))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Workflows/Controllers/WorkflowTypeController.cs


        [HttpPost]
        public async Task<IActionResult> Delete(long id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageWorkflows))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Workflows/Controllers/WorkflowTypeController.cs

        }

        public async Task<IActionResult> EditProperties(long? id, string returnUrl = null)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageWorkflows))

This method does not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Workflows/Controllers/WorkflowTypeController.cs


        [HttpPost]
        public async Task<IActionResult> EditProperties(WorkflowTypePropertiesViewModel viewModel, long? id)
        {
            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageWorkflows))

This method does not verify which users should be able to access resources of the provided ID.


umbraco/Umbraco-CMS

src/Umbraco.Web.BackOffice/Controllers/DictionaryController.cs

    [HttpDelete]
    [HttpPost]
    public IActionResult DeleteById(int id)
    {
        IDictionaryItem? foundDictionary = _localizationService.GetDictionaryItemById(id);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs

    [HttpPost]
    [Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
    public IActionResult DeleteContainer(int id)
    {
        _contentTypeService.DeleteContainer(id, _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.Id ?? -1);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/ContentTypeController.cs

    [HttpPost]
    [Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
    public IActionResult DeleteById(int id)
    {
        IContentType? foundType = _contentTypeService.Get(id);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/ContentController.cs

    [HttpDelete]
    [HttpPost]
    public IActionResult DeleteById(int id)
    {
        IContent? foundContent = GetObjectFromRequest(() => _contentService.GetById(id));

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/DataTypeController.cs

        [HttpDelete]
        [HttpPost]
        public IActionResult DeleteContainer(int id)
        {

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/DataTypeController.cs

        [HttpDelete]
        [HttpPost]
        public IActionResult DeleteById(int id)
        {
            var foundType = _dataTypeService.GetDataType(id);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/MacroRenderingController.cs

    /// <returns></returns>
    [HttpGet]
    public async Task<IActionResult> GetMacroResultAsHtmlForEditor(string macroAlias, int pageId,
        [FromQuery] IDictionary<string, object> macroParams) =>
        await GetMacroResultAsHtml(macroAlias, pageId, macroParams);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/MediaController.cs

    [Authorize(Policy = AuthorizationPolicies.MediaPermissionPathById)]
    [HttpPost]
    public IActionResult DeleteById(int id)
    {
        IMedia? foundMedia = GetObjectFromRequest(() => _mediaService.GetById(id));

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/MediaTypeController.cs

    [HttpPost]
    [Authorize(Policy = AuthorizationPolicies.TreeAccessMediaTypes)]
    public IActionResult DeleteContainer(int id)
    {
        _mediaTypeService.DeleteContainer(id, _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.Id ?? -1);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/MediaTypeController.cs

    [HttpPost]
    [Authorize(Policy = AuthorizationPolicies.TreeAccessMediaTypes)]
    public IActionResult DeleteById(int id)
    {
        IMediaType? foundType = _mediaTypeService.Get(id);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/MemberTypeController.cs

    [HttpDelete]
    [HttpPost]
    public IActionResult DeleteById(int id)
    {
        IMemberType? foundType = _memberTypeService.Get(id);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/PackageController.cs

    [HttpPost]
    [HttpDelete]
    public IActionResult DeleteCreatedPackage(int packageId)
    {
        _packagingService.DeleteCreatedPackage(packageId, _backofficeSecurityAccessor.BackOfficeSecurity?.GetUserId().Result ?? -1);

This method does not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/UsersController.cs

    /// </remarks>
    [Authorize(Policy = AuthorizationPolicies.AdminUserEditsRequireAdmin)]
    public IActionResult PostDeleteNonLoggedInUser(int id)
    {
        IUser? user = _userService.GetUserById(id);

This method does not verify which users should be able to access resources of the provided ID.


jellyfin/jellyfin

Jellyfin.Api/Controllers/DevicesController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public async Task<ActionResult> DeleteDevice([FromQuery, Required] string id)
        {
            var existingDevice = await _deviceManager.GetDevice(id).ConfigureAwait(false);

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/ImageController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status403Forbidden)]
        public async Task<ActionResult> DeleteUserImage(
            [FromRoute, Required] Guid userId,
            [FromRoute, Required] ImageType imageType,

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/ImageController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status403Forbidden)]
        public async Task<ActionResult> DeleteUserImageByIndex(
            [FromRoute, Required] Guid userId,
            [FromRoute, Required] ImageType imageType,

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/ImageController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public async Task<ActionResult> DeleteItemImage(
            [FromRoute, Required] Guid itemId,
            [FromRoute, Required] ImageType imageType,

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/ImageController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public async Task<ActionResult> DeleteItemImageByIndex(
            [FromRoute, Required] Guid itemId,
            [FromRoute, Required] ImageType imageType,

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/ItemUpdateController.cs

        [ProducesResponseType(StatusCodes.Status200OK)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public ActionResult<MetadataEditorInfo> GetMetadataEditorInfo([FromRoute, Required] Guid itemId)
        {
            var item = _libraryManager.GetItemById(itemId);

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/LibraryController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status401Unauthorized)]
        public async Task<ActionResult> DeleteItem(Guid itemId)
        {
            var item = _libraryManager.GetItemById(itemId);

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/LiveTvController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public async Task<ActionResult> DeleteRecording([FromRoute, Required] Guid recordingId)
        {
            await AssertUserCanManageLiveTv().ConfigureAwait(false);

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/SubtitleController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public ActionResult<Task> DeleteSubtitle(
            [FromRoute, Required] Guid itemId,
            [FromRoute, Required] int index)

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/UserController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public async Task<ActionResult> DeleteUser([FromRoute, Required] Guid userId)
        {
            var user = _userManager.GetUserById(userId);

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/UserLibraryController.cs

        [HttpDelete("Users/{userId}/Items/{itemId}/Rating")]
        [ProducesResponseType(StatusCodes.Status200OK)]
        public ActionResult<UserItemDataDto> DeleteUserItemRating([FromRoute, Required] Guid userId, [FromRoute, Required] Guid itemId)
        {
            return UpdateUserItemRatingInternal(userId, itemId, null);

This method does not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/VideosController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public async Task<ActionResult> DeleteAlternateSources([FromRoute, Required] Guid itemId)
        {
            var video = (Video)_libraryManager.GetItemById(itemId);

This method does not verify which users should be able to access resources of the provided ID.

