csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization

Author
unknown
Anonymous access shouldn't be allowed unless it is explicitly intended by design. A controller marked [AllowAnonymous] carries no access control check at all, so everything it exposes is reachable without authentication. This violates the principles of least privilege and deny by default, under which access is granted only to a specific set of users or roles, or to callers who satisfy a custom policy. Note that in ASP.NET Core [AllowAnonymous] bypasses all authorization: if it is combined with any [Authorize] attribute on the same controller or on its actions, the [Authorize] attributes are ignored, so an action-level [Authorize] cannot repair a class-level [AllowAnonymous]. The rule below matches only a class-level [AllowAnonymous] on a class declared with `: Controller`; an [AllowAnonymous] placed on an individual action is not matched and has to be reviewed by hand.
Definition
rules:
  - id: missing-or-broken-authorization
    message: Anonymous access shouldn't be allowed unless explicit by design. Access
      control checks are missing and potentially can be bypassed. This finding
      violates the principle of least privilege or deny by default, where access
      should only be permitted for a specific set of roles or conforms to a
      custom policy or users.
    severity: INFO
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe:
        - "CWE-862: Missing Authorization"
      cwe2021-top25: true
      cwe2022-top25: true
      owasp:
        - A01:2021 - Broken Access Control
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
        - https://cwe.mitre.org/data/definitions/862.html
        - https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0
      subcategory:
        - vuln
      technology:
        - .net
        - mvc
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - csharp
    patterns:
      - pattern: |
          [AllowAnonymous]
          public class $CLASS : Controller {
            ...
          }
      - pattern-inside: |
          using Microsoft.AspNetCore.Mvc;
          ...
      - pattern-not: |
          [Authorize]
          public class $CLASS : Controller {
            ...
          }
      - pattern-not: |
          [Authorize(Roles = ...)]
          public class $CLASS : Controller {
            ...
          }
      - pattern-not: |
          [Authorize(Policy = ...)]
          public class $CLASS : Controller {
            ...
          }
Examples
missing-or-broken-authorization.cs
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Class-level [AllowAnonymous]: every action on this controller is reachable
// without authentication, and any [Authorize] on its actions would be ignored.
// ruleid: missing-or-broken-authorization
[AllowAnonymous]
public class AnonymousController : Controller
{
    public IActionResult Index() => View();
}

// Role-based restriction: only members of LegalAdultGroup reach any action.
// ok: missing-or-broken-authorization
[Authorize(Roles = "LegalAdultGroup")]
public class LegalAdultController : Controller
{
    public IActionResult Index() => View();
}

// Policy-based restriction: callers must satisfy the "AtLeast21" policy
// registered with AddAuthorization at startup.
// ok: missing-or-broken-authorization
[Authorize(Policy = "AtLeast21")]
public class AtLeast21Controller : Controller
{
    public IActionResult Index() => View();
}
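The examples above reference an "AtLeast21" policy without showing where it comes from, and the finding's remedy (deny by default) is a startup setting rather than an attribute. The following is an added example, not code from the Semgrep rule page or from ASP.NET Core itself: a minimal Program.cs that registers the policy with a fail-closed date-of-birth check, enables deny-by-default through a FallbackPolicy, and places the flagged controller shape next to a hardened one to show that a class-level [AllowAnonymous] silently disables an action-level [Authorize]. It assumes the .NET 6+ web SDK, cookie authentication, and an identity provider that issues ClaimTypes.DateOfBirth as "yyyy-MM-dd"; the controller names and the AgeCheck helper are made up for the illustration.

```csharp
// Added example (not code from the Semgrep rule page or the ASP.NET Core project).
// Assumptions: .NET 6+ web SDK, cookie authentication, and an identity provider
// that issues ClaimTypes.DateOfBirth as "yyyy-MM-dd". Controller names are made up.
using System;
using System.Globalization;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();

builder.Services.AddAuthorization(options =>
{
    // Deny by default: an endpoint that carries neither [Authorize] nor
    // [AllowAnonymous] now requires an authenticated user instead of being open.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // The custom policy referenced by [Authorize(Policy = "AtLeast21")].
    // RequireAuthenticatedUser() runs first, so anonymous callers fail before the claim check.
    options.AddPolicy("AtLeast21", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
            AgeCheck.IsAtLeast(ctx.User, 21, DateOnly.FromDateTime(DateTime.UtcNow))));
});

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();          // must follow UseAuthentication so policies see the user
app.MapDefaultControllerRoute(); // {controller=Home}/{action=Index}/{id?}
app.Run();

public static class AgeCheck
{
    // Fails closed: a missing, malformed or future date of birth counts as "not old enough".
    public static bool IsAtLeast(ClaimsPrincipal user, int minimumAge, DateOnly today)
    {
        var raw = user.FindFirst(ClaimTypes.DateOfBirth)?.Value;
        if (raw is null ||
            !DateOnly.TryParseExact(raw, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out var dob))
        {
            return false;
        }
        if (dob > today) return false;
        var age = today.Year - dob.Year;
        if (dob > today.AddYears(-age)) age--;  // birthday not yet reached this year
        return age >= minimumAge;
    }
}

// The shape the rule flags. The class-level [AllowAnonymous] bypasses all
// authorization for this controller, so the [Authorize] on Purchase() is ignored
// and /Storefront/Purchase is reachable without signing in.
[AllowAnonymous]
public class StorefrontController : Controller
{
    public IActionResult Index() => Content("public landing page");

    [Authorize(Policy = "AtLeast21")]   // no effect under a class-level [AllowAnonymous]
    public IActionResult Purchase() => Content("checkout");
}

// The hardened shape: the restriction lives on the class and only the landing
// page opts out, so an action added later is age-gated by default.
[Authorize(Policy = "AtLeast21")]
public class AgeGatedStoreController : Controller
{
    [AllowAnonymous]
    public IActionResult Index() => Content("public landing page");

    public IActionResult Purchase() => Content("checkout");
}
```

Run it with `dotnet run` in a project created by `dotnet new web`; an unauthenticated GET to /Storefront/Purchase succeeds, while /AgeGatedStore/Purchase is redirected to the cookie login path, and any controller you add without attributes is covered by the FallbackPolicy rather than left open.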
Short Link: https://sg.run/Z8GA