From 130f8f148b2bc221dbfe41023f17645c492a0ab2 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 9 Jan 2026 15:24:47 +0000
Subject: [PATCH] Convert barrier to MaD

I confirmed that without the model a test fails.
---
 csharp/ql/lib/ext/System.Web.model.yml | 6 ++++++
 .../code/csharp/security/dataflow/UrlRedirectQuery.qll | 10 ----------
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/csharp/ql/lib/ext/System.Web.model.yml b/csharp/ql/lib/ext/System.Web.model.yml
index ba644e1cc70..6d05cdae75b 100644
--- a/csharp/ql/lib/ext/System.Web.model.yml
+++ b/csharp/ql/lib/ext/System.Web.model.yml
@@ -1,4 +1,10 @@
 extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: barrierModel
+      data:
+        # The RawUrl property is considered to be safe for URL redirects
+        - ["System.Web", "HttpRequest", False, "get_RawUrl", "()", "", "ReturnValue", "url-redirection", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: sinkModel
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
index e7cbf237762..bad6c990fa7 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -189,16 +189,6 @@ class HostComparisonSanitizer extends Sanitizer {
   }
 }
 
-/**
- * A call to the getter of the RawUrl property, whose value is considered to be safe for URL
- * redirects.
- */
-class RawUrlSanitizer extends Sanitizer {
-  RawUrlSanitizer() {
-    this.getExpr() = any(SystemWebHttpRequestClass r).getRawUrlProperty().getGetter().getACall()
-  }
-}
-
 /**
  * A string concatenation expression, where the left hand side contains the character "?".
  *
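Review bot: The barrier row for `get_RawUrl` is documented only by a comment that restates the conclusion ("considered to be safe"), not the reason the url-redirection kind exempts it, which is what a maintainer needs when deciding whether the exemption still holds. I would replace the comment with one that states the assumption being relied on, e.g. `# RawUrl is the path and query of the request being served; redirecting to it is treated` / `# as staying on the same host, so it is a barrier for url-redirection, not a redirect target`, so the row can be revisited if that assumption is ever shown not to hold for every value the getter can return. The description says a test fails without this row; naming that test in the comment or the commit message would let the next person find the coverage for this barrier. The `extensions:` list containing this row continues past the end of the hunk.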