@joefarebrother
Created August 21, 2023 12:38
Insecure Direct Object Reference (csharp) 23 results (9 repositories)

Results for "Insecure Direct Object Reference"

Query
/**
 * @name Insecure Direct Object Reference
 * @description Using user input to control which object is modified without
 *              proper authorization checks allows an attacker to modify arbitrary objects.
 * @kind problem
 * @problem.severity error
 * @security-severity 7.5
 * @precision medium
 * @id cs/insecure-direct-object-reference
 * @tags security
 *       external/cwe-639
 */

import csharp
import semmle.code.csharp.security.auth.InsecureDirectObjectReferenceQuery

from ActionMethod m
where hasInsecureDirectObjectReference(m)
select m,
  "This method may not verify which users should be able to access resources of the provided ID."

Summary

Repository Results
umbraco/Umbraco-CMS 8 result(s)
jellyfin/jellyfin 3 result(s)
aspnetrun/run-aspnetcore-microservices 2 result(s)
dotnet-architecture/eShopOnContainers 2 result(s)
open-telemetry/opentelemetry-dotnet 2 result(s)
OrchardCMS/OrchardCore 2 result(s)
ThreeMammals/Ocelot 2 result(s)
abpframework/abp 1 result(s)
aws/aws-lambda-dotnet 1 result(s)

umbraco/Umbraco-CMS

src/Umbraco.Cms.ManagementApi/Controllers/Language/DeleteLanguageController.cs

    [ProducesResponseType(StatusCodes.Status200OK)]
    // TODO: This needs to be an authorized endpoint.
    public async Task<IActionResult> Delete(int id)
    {
        ILanguage? language = _localizationService.GetLanguageById(id);

This method may not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/ContentController.cs

    [HttpDelete]
    [HttpPost]
    public IActionResult DeleteBlueprint(int id)
    {
        IContent? found = _contentService.GetBlueprintById(id);

This method may not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/LanguageController.cs

    [HttpDelete]
    [HttpPost]
    public IActionResult DeleteLanguage(int id)
    {
        ILanguage? language = _localizationService.GetLanguageById(id);

This method may not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/MacrosController.cs


    [HttpPost]
    public IActionResult DeleteById(int id)
    {
        IMacro? macro = _macroService.GetById(id);

This method may not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/MemberGroupController.cs

    [HttpDelete]
    [HttpPost]
    public IActionResult DeleteById(int id)
    {
        IMemberGroup? memberGroup = _memberGroupService.GetById(id);

This method may not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/RedirectUrlManagementController.cs


    [HttpPost]
    public IActionResult DeleteRedirectUrl(Guid id)
    {
        _redirectUrlService.Delete(id);

This method may not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/RelationTypeController.cs

    [HttpPost]
    [HttpDelete]
    public IActionResult DeleteById(int id)
    {
        IRelationType? relationType = _relationService.GetRelationTypeById(id);

This method may not verify which users should be able to access resources of the provided ID.


src/Umbraco.Web.BackOffice/Controllers/TemplateController.cs

    [HttpDelete]
    [HttpPost]
    public IActionResult DeleteById(int id)
    {
        ITemplate? template = _fileService.GetTemplate(id);

This method may not verify which users should be able to access resources of the provided ID.


jellyfin/jellyfin

Jellyfin.Api/Controllers/DlnaController.cs

        [ProducesResponseType(StatusCodes.Status204NoContent)]
        [ProducesResponseType(StatusCodes.Status404NotFound)]
        public ActionResult DeleteProfile([FromRoute, Required] string profileId)
        {
            var existingDeviceProfile = _dlnaManager.GetProfile(profileId);

This method may not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/LiveTvController.cs

        [Authorize(Policy = Policies.DefaultAuthorization)]
        [ProducesResponseType(StatusCodes.Status204NoContent)]
        public ActionResult DeleteTunerHost([FromQuery] string? id)
        {
            var config = _configurationManager.GetConfiguration<LiveTvOptions>("livetv");

This method may not verify which users should be able to access resources of the provided ID.


Jellyfin.Api/Controllers/LiveTvController.cs

        [Authorize(Policy = Policies.DefaultAuthorization)]
        [ProducesResponseType(StatusCodes.Status204NoContent)]
        public ActionResult DeleteListingProvider([FromQuery] string? id)
        {
            _liveTvManager.DeleteListingsProvider(id);

This method may not verify which users should be able to access resources of the provided ID.


aspnetrun/run-aspnetcore-microservices

src/Services/Catalog/Catalog.API/Controllers/CatalogController.cs

        [HttpDelete("{id:length(24)}", Name = "DeleteProduct")]        
        [ProducesResponseType(typeof(Product), (int)HttpStatusCode.OK)]
        public async Task<IActionResult> DeleteProductById(string id)
        {
            return Ok(await _repository.DeleteProduct(id));

This method may not verify which users should be able to access resources of the provided ID.


src/Services/Ordering/Ordering.API/Controllers/OrderController.cs

        [ProducesResponseType(StatusCodes.Status404NotFound)]
        [ProducesDefaultResponseType]
        public async Task<ActionResult> DeleteOrder(int id)
        {
            var command = new DeleteOrderCommand() { Id = id };

This method may not verify which users should be able to access resources of the provided ID.


dotnet-architecture/eShopOnContainers

src/Services/Basket/Basket.API/Controllers/BasketController.cs

    [HttpDelete("{id}")]
    [ProducesResponseType(StatusCodes.Status200OK)]
    public async Task DeleteBasketByIdAsync(string id)
    {
        await _repository.DeleteBasketAsync(id);

This method may not verify which users should be able to access resources of the provided ID.


src/Services/Catalog/Catalog.API/Controllers/CatalogController.cs

    [ProducesResponseType(StatusCodes.Status204NoContent)]
    [ProducesResponseType(StatusCodes.Status404NotFound)]
    public async Task<ActionResult> DeleteProductAsync(int id)
    {
        var product = _catalogContext.CatalogItems.SingleOrDefault(x => x.Id == id);

This method may not verify which users should be able to access resources of the provided ID.


OrchardCMS/OrchardCore

src/OrchardCore.Modules/OrchardCore.Demo/Controllers/TodoController.cs

        }

        public async Task<IActionResult> Delete(string todoId)
        {
            var model = (await _session.Query<TodoModel>().ListAsync())

This method may not verify which users should be able to access resources of the provided ID.


src/OrchardCore.Modules/OrchardCore.Demo/Controllers/TodoController.cs

        }

        public async Task<IActionResult> Edit(string todoId)
        {
            var model = (await _session.Query<TodoModel>().ListAsync())

This method may not verify which users should be able to access resources of the provided ID.


ThreeMammals/Ocelot

samples/OcelotKube/DownstreamService/Controllers/ValuesController.cs

    // DELETE api/values/5
    [HttpDelete("{id}")]
    public void Delete(int id)
    {
    }

This method may not verify which users should be able to access resources of the provided ID.


samples/OcelotServiceFabric/src/OcelotApplicationService/Controllers/ValuesController.cs

        // DELETE api/values/5
        [HttpDelete("{id}")]
        public void Delete(int id)
        {
        }

This method may not verify which users should be able to access resources of the provided ID.

