Merge pull request #15039 from joefarebrother/csharp-razor-flow-page-models

C#: Add flow steps from a PageModel to cshtml page.
2026-05-05 05:35:13 +02:00 · 2024-01-19 10:07:25 +00:00
parent 24855ddc64 e8c0fceb81
commit 4de19b3ec9
8 changed files with 205 additions and 0 deletions
--- a/Features/CWE-079/XssPageModels/TestModel.cs
+++ b/Features/CWE-079/XssPageModels/TestModel.cs
@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc;
+using System.Net;
+using System.Threading.Tasks;
+namespace test;
+
+class TestModel : PageModel {
+    public string Name { get; set; } = "abc";
+
+    private string source() { return "x"; }
+
+    public async Task<IActionResult> OnPostAsync() {
+        this.Name = source();
+        return Page();
+    }
+
+    public void OnGet() { 
+        Name = source();
+    }
+}
--- a/Features/CWE-079/XssPageModels/TestPage.cshtml
+++ b/Features/CWE-079/XssPageModels/TestPage.cshtml
@@ -0,0 +1,5 @@
+@page
+@model TestModel
+@namespace test 
+
+<h3>Hello "@Html.Raw(Model.Name)"</h3>
--- a/Features/CWE-079/XssPageModels/TestPage.cshtml.g.cs
+++ b/Features/CWE-079/XssPageModels/TestPage.cshtml.g.cs
@@ -0,0 +1,65 @@
+// A hand-written test file that mimics the output of compiling a `.cshtml` file
+
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Pages.Pages_TestPage), @"mvc.1.0.razor-page", @"TestPage.cshrml")]
+namespace test.Pages
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorSourceChecksumAttribute(@"SHA1", @"c4ae76542f1958092cebd8f57beef899d20fc548", @"TestPage.cshtml")]
+    // [global::Microsoft.AspNetCore.Razor.Hosting.RazorSourceChecksumAttribute(@"SHA1", @"c13da96c2597d5ddb7d415fb4892c644a268f50b", @"/Pages/_ViewImports.cshtml")]
+    internal sealed class Pages_TestPage : global::Microsoft.AspNetCore.Mvc.RazorPages.Page
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#nullable disable
+            WriteLiteral("<h3>Hello \"");
+#nullable restore
+#line 5 "TestPage.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+        }
+              #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<TestModel> Html { get; private set; } = default!;
+        #nullable disable
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.ViewDataDictionary<TestModel> ViewData => (global::Microsoft.AspNetCore.Mvc.ViewFeatures.ViewDataDictionary<TestModel>)PageContext?.ViewData;
+        public TestModel Model => ViewData.Model;    }
+}
+#pragma warning restore 1591
--- a/Features/CWE-079/XssPageModels/options
+++ b/Features/CWE-079/XssPageModels/options
@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
--- a/Features/CWE-079/XssPageModels/test.expected
+++ b/Features/CWE-079/XssPageModels/test.expected
@@ -0,0 +1,23 @@
+edges
+| TestModel.cs:13:9:13:12 | [post] this access : TestModel [property Name] : String | TestModel.cs:14:16:14:21 | this access : TestModel [property Name] : String |
+| TestModel.cs:13:21:13:28 | call to method source : String | TestModel.cs:13:9:13:12 | [post] this access : TestModel [property Name] : String |
+| TestModel.cs:14:16:14:21 | this access : TestModel [property Name] : String | TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String |
+| TestModel.cs:14:16:14:21 | this access : TestModel [property Name] : String | TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String |
+| TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String | TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String |
+| TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String | TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String |
+| TestModel.cs:18:16:18:23 | call to method source : String | TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String |
+| TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String | TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String |
+| TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String | TestPage.cshtml:5:16:5:25 | access to property Name |
+nodes
+| TestModel.cs:13:9:13:12 | [post] this access : TestModel [property Name] : String | semmle.label | [post] this access : TestModel [property Name] : String |
+| TestModel.cs:13:21:13:28 | call to method source : String | semmle.label | call to method source : String |
+| TestModel.cs:14:16:14:21 | this access : TestModel [property Name] : String | semmle.label | this access : TestModel [property Name] : String |
+| TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String | semmle.label | [post] this access : TestModel [property Name] : String |
+| TestModel.cs:18:16:18:23 | call to method source : String | semmle.label | call to method source : String |
+| TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String | semmle.label | access to property Model : TestModel [property Name] : String |
+| TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String | semmle.label | access to property Model : TestModel [property Name] : String |
+| TestPage.cshtml:5:16:5:25 | access to property Name | semmle.label | access to property Name |
+subpaths
+#select
+| TestPage.cshtml:5:16:5:25 | access to property Name | TestModel.cs:13:21:13:28 | call to method source : String | TestPage.cshtml:5:16:5:25 | access to property Name | Xss |
+| TestPage.cshtml:5:16:5:25 | access to property Name | TestModel.cs:18:16:18:23 | call to method source : String | TestPage.cshtml:5:16:5:25 | access to property Name | Xss |
--- a/Features/CWE-079/XssPageModels/test.ql
+++ b/Features/CWE-079/XssPageModels/test.ql
@@ -0,0 +1,25 @@
+/**
+ * @kind path-problem
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.XSSQuery
+import semmle.code.csharp.security.dataflow.XSSSinks
+
+module TestXssTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().(MethodCall).getTarget().getName() = "source"
+  }
+
+  predicate isSink = XssTrackingConfig::isSink/1;
+
+  predicate isBarrier = XssTrackingConfig::isBarrier/1;
+}
+
+module TestXss = TaintTracking::Global<TestXssTrackingConfig>;
+
+import TestXss::PathGraph
+
+from TestXss::PathNode source, TestXss::PathNode sink
+where TestXss::flowPath(source, sink)
+select sink, source, sink, "Xss"