C#-CWE-863

Incorrect Authorization (CWE-863): sensitive actions performed without verifying user authorization

Required inputs: CSharpAST

This rule detects **Incorrect Authorization (CWE-863)**, where a user can invoke a sensitive method (e.g., deleting, updating, or promoting resources) without proper checks for roles, ownership, or permissions. Example of vulnerable C# code:

[HttpDelete("{id}")]
public IActionResult DeleteDocument(int id)
{
    // No role, ownership, or permission check: any caller who can reach
    // this endpoint can delete any document by id.
    var doc = _db.Documents.Find(id);
    _db.Documents.Remove(doc);
    _db.SaveChanges();
    return Ok();
}
Remedy:

[HttpDelete("{id}")]
public IActionResult DeleteDocument(int id)
{
    var doc = _db.Documents.Find(id);
    if (doc == null)
    {
        return NotFound();
    }
    // Identify the caller from the "sub" claim and only allow the owner to delete.
    var userId = User.FindFirst("sub")?.Value;
    if (userId != null && doc.OwnerId == userId)
    {
        _db.Documents.Remove(doc);
        _db.SaveChanges();
    }
    return Ok();
}
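The remedy above shows the minimal ownership check the rule expects. The following added example (written for this page, not code from the rule's catalog or from any project) extends it to the shape a defender would normally want: the action fails closed with 404/403 instead of returning 200 on an unauthorized request, role-gated actions are declared with [Authorize(Roles = ...)], and the ownership decision can be moved into an ASP.NET Core authorization policy so every controller applies the same rule. The names AppDbContext, Document, OwnerId, DocumentsController, OwnerRequirement, DocumentOwnerHandler and the policy name "DocumentOwner" are assumptions; the framework types (IAuthorizationService, AuthorizationHandler, Forbid(), NotFound()) are standard ASP.NET Core.

```csharp
// Added example (not from the rule page). Assumed names: AppDbContext, Document,
// OwnerId, DocumentsController, OwnerRequirement, DocumentOwnerHandler, "DocumentOwner".
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public class Document
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";
}

public class AppDbContext : DbContext   // assumed EF Core context
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Document> Documents => Set<Document>();
}

// Resource-based requirement: the caller must own the Document being acted on.
public class OwnerRequirement : IAuthorizationRequirement { }

public class DocumentOwnerHandler : AuthorizationHandler<OwnerRequirement, Document>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, OwnerRequirement requirement, Document resource)
    {
        // Accept either the OIDC "sub" claim or the mapped NameIdentifier claim.
        var userId = context.User.FindFirst("sub")?.Value
                     ?? context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null && resource.OwnerId == userId)
        {
            context.Succeed(requirement);   // anything else leaves the requirement unmet
        }
        return Task.CompletedTask;
    }
}

// Registration (Program.cs), assumed wiring:
//   builder.Services.AddAuthorization(o =>
//       o.AddPolicy("DocumentOwner", p => p.Requirements.Add(new OwnerRequirement())));
//   builder.Services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>();

[ApiController]
[Route("api/documents")]
[Authorize]   // every action requires an authenticated caller
public class DocumentsController : ControllerBase
{
    private readonly AppDbContext _db;
    private readonly IAuthorizationService _authz;

    public DocumentsController(AppDbContext db, IAuthorizationService authz)
    {
        _db = db;
        _authz = authz;
    }

    // Variant 1: inline ownership check that fails closed.
    [HttpDelete("{id}")]
    public IActionResult DeleteDocument(int id)
    {
        var doc = _db.Documents.Find(id);
        if (doc == null)
        {
            return NotFound();
        }
        var userId = User.FindFirst("sub")?.Value;
        if (userId == null || doc.OwnerId != userId)
        {
            return Forbid();   // 403: authenticated, but not the owner
        }
        _db.Documents.Remove(doc);
        _db.SaveChanges();
        return NoContent();
    }

    // Variant 2: the same decision delegated to the "DocumentOwner" policy,
    // so the ownership rule lives in one handler instead of in every action.
    [HttpDelete("policy/{id}")]
    public async Task<IActionResult> DeleteDocumentViaPolicy(int id)
    {
        var doc = _db.Documents.Find(id);
        if (doc == null)
        {
            return NotFound();
        }
        var result = await _authz.AuthorizeAsync(User, doc, "DocumentOwner");
        if (!result.Succeeded)
        {
            return Forbid();
        }
        _db.Documents.Remove(doc);
        _db.SaveChanges();
        return NoContent();
    }

    // Variant 3: a role-gated action (e.g. promotion) enforced declaratively.
    [HttpPost("{id}/promote")]
    [Authorize(Roles = "Admin")]
    public IActionResult Promote(int id)
    {
        return _db.Documents.Find(id) == null ? NotFound() : NoContent();
    }
}
```

Two points worth noting when applying the remedy. First, returning Ok() for a request that was denied (as the minimal remedy does) makes unauthorized attempts indistinguishable from successful ones in access logs; a 403 from Forbid() gives the detection side a signal to alert on. Second, the check must be on the resource actually loaded (doc.OwnerId), not on a value the client supplied, otherwise the authorization decision is itself attacker-controlled.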

Possible Messages

Key           Text                                                               Severity  Disabled
tainted_call  Method performs sensitive action without an authorization check.   None      False

Options