Description
Description of the false positive
We are using .NET and C# code scanning.
The issue raised is 'cs/web/missing-function-level-access-control'
We have a custom attribute 'RequirePermission' on the action methods (or sometimes on the controller) that inherits from the [Authorize] attribute. This is providing the access control.
e.g. Action Method:

```csharp
[RequirePermission(OnSendPermissions.ManagePricing)]
[HttpDelete("{extraId:int:min(1)}/rates/{rateId:int:min(1)}")]
public async Task<IActionResult> DeleteDeliveryExtraRate(int extraId, int rateId)
{
    // ...
}
```
e.g. Custom Authorize Attribute that checks permissions:

```csharp
public class RequirePermissionAttribute : AuthorizeAttribute
{
    // ...
}
```
Presumably you are not checking attribute inheritance.
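For readers following this report, the pattern being described is an ASP.NET Core attribute that derives from AuthorizeAttribute and layers a permission check on top of the framework's authentication requirement. The following is an added, self-contained illustration of that pattern; it is not the reporter's code. The OnSendPermissions enum, the "permission" claim type, the controller and its route are all assumptions made for the example.

```csharp
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical permission set; the reporter's OnSendPermissions is not shown in the issue.
public enum OnSendPermissions
{
    ManagePricing
}

// Custom attribute deriving from AuthorizeAttribute. Because it *is* an
// [Authorize] attribute, MVC still registers the standard AuthorizeFilter
// (so anonymous callers are rejected), and the IAuthorizationFilter below
// adds a fine-grained permission check on top.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequirePermissionAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    private readonly OnSendPermissions _permission;

    public RequirePermissionAttribute(OnSendPermissions permission)
    {
        _permission = permission;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;

        // Unauthenticated: 401 (normally already handled by the AuthorizeFilter).
        if (user?.Identity?.IsAuthenticated != true)
        {
            context.Result = new UnauthorizedResult();
            return;
        }

        // Assumption: granted permissions are carried as "permission" claims
        // on the principal, e.g. ("permission", "ManagePricing").
        if (!user.HasClaim("permission", _permission.ToString()))
        {
            // Authenticated but lacking the permission: 403.
            context.Result = new ForbidResult();
        }
    }
}

// Hypothetical controller showing the attribute applied at action level,
// mirroring the shape of the snippet in the report.
[ApiController]
[Route("api/delivery-extras")]
public class DeliveryExtrasController : ControllerBase
{
    [RequirePermission(OnSendPermissions.ManagePricing)]
    [HttpDelete("{extraId:int:min(1)}/rates/{rateId:int:min(1)}")]
    public IActionResult DeleteDeliveryExtraRate(int extraId, int rateId)
    {
        // Deletion logic would go here; the access control has already run.
        return NoContent();
    }
}
```

Placing the attribute on the controller class instead of the action protects every action in that controller, which is the controller-level usage the report mentions. When reviewing such code, the relevant fact for a scanner is that RequirePermissionAttribute is assignable to AuthorizeAttribute, so any check for "[Authorize] is present" that matches only the exact type will miss it.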