C#: Fix whitespaces

csharp/fix-whitespaces.sh

@@ -8,7 +8,7 @@ cat > "$BASEDIR/reformat.vim" <<"EOF"
 :wq
 EOF
 
-find "$BASEDIR" \( -name "*.ql" -or -name "*.qll" -or -name "*.csv" \) -exec vim -u /dev/null -s reformat.vim {} \;
+find "$BASEDIR" \( -name "*.ql" -or -name "*.qll" -or -name "*.csv" -or -name "*.config" \) -exec vim -u /dev/null -s reformat.vim {} \;
 
 cat > reformat.vim <<"EOF"
 :set ff=unix ts=4 et

csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.config

@@ -6,36 +6,35 @@
 
     <appSettings>
         <add key="service-dir" value="/opt/deki/bin" />
-	<add key="root-uri" value="http://localhost/@api" />
+        <add key="root-uri" value="http://localhost/@api" />
         <add key="apikey" value="12345" />
         <add key="script" value="/opt/deki/bin/mindtouch.deki.startup.xml" />
     </appSettings>
-    
+
     <connectionStrings>
-  		<add name="connectionstring" providerName="System.Data.SqlClient"
-  			 connectionString="Server=(local);Database=admtest;Trusted_Connection=False;uid=sa;pwd= ;" /> <!-- VIOLATION -->
-  		<add name="connectionstring2" providerName="System.Data.SqlClient"
-  			 connectionString="Server=(local);Database=admtest;Trusted_Connection=False;uid=sa;password = whatever;" /> <!-- NON-VIOLATION -->
- 	</connectionStrings>
+      <add name="connectionstring" providerName="System.Data.SqlClient"
+         connectionString="Server=(local);Database=admtest;Trusted_Connection=False;uid=sa;pwd= ;" /> <!-- VIOLATION -->
+      <add name="connectionstring2" providerName="System.Data.SqlClient"
+         connectionString="Server=(local);Database=admtest;Trusted_Connection=False;uid=sa;password = whatever;" /> <!-- NON-VIOLATION -->
+    </connectionStrings>
 
     <system.web>
         <httpHandlers>
-            <add verb="*" path="*" 
-                  type="MindTouch.Dream.Http.HttpHandler, mindtouch.core"/> 
+            <add verb="*" path="*"
+                  type="MindTouch.Dream.Http.HttpHandler, mindtouch.core"/>
         </httpHandlers>
-	<!--<customErrors mode="Off"/>-->
-		<authentication mode="Windows|Forms|Passport|None">
-  			<forms name="name"
-       			loginUrl="url" 
-       			protection="All|None|Encryption|Validation"
-       			timeout="30" path="/" >
-     			<credentials passwordFormat="Clear|SHA1|MD5">
-      				 <user name="username" password="" /> <!-- VIOLATION -->
-     			</credentials>
-   			</forms>
-   			<passport redirectUrl="internal"/>
-		</authentication>
-	
+        <!--<customErrors mode="Off"/>-->
+        <authentication mode="Windows|Forms|Passport|None">
+            <forms name="name"
+                loginUrl="url"
+                protection="All|None|Encryption|Validation"
+                timeout="30" path="/" >
+              <credentials passwordFormat="Clear|SHA1|MD5">
+                   <user name="username" password="" /> <!-- VIOLATION -->
+              </credentials>
+            </forms>
+            <passport redirectUrl="internal"/>
+        </authentication>
     </system.web>
 
     <system.net>

csharp/ql/src/Configuration/PasswordInConfigurationFile.config

@@ -6,36 +6,35 @@
 
     <appSettings>
         <add key="service-dir" value="/opt/deki/bin" />
-	<add key="root-uri" value="http://localhost/@api" />
+        <add key="root-uri" value="http://localhost/@api" />
         <add key="apikey" value="12345" />
         <add key="script" value="/opt/deki/bin/mindtouch.deki.startup.xml" />
     </appSettings>
-    
+
     <connectionStrings>
-  		<add name="connectionstring" providerName="System.Data.SqlClient"
-  			 connectionString="Server=(local);Database=admtest;Trusted_Connection=False;uid=sa;pwd=whatever;" /> <!-- VIOLATION -->
-  		<add name="connectionstring2" providerName="System.Data.SqlClient"
-  			 connectionString="Server=(local);Database=admtest;Trusted_Connection=False;uid=sa;password = whatever;" /> <!-- VIOLATION -->
- 	</connectionStrings>
+      <add name="connectionstring" providerName="System.Data.SqlClient"
+         connectionString="Server=(local);Database=admtest;Trusted_Connection=False;uid=sa;pwd=whatever;" /> <!-- VIOLATION -->
+      <add name="connectionstring2" providerName="System.Data.SqlClient"
+         connectionString="Server=(local);Database=admtest;Trusted_Connection=False;uid=sa;password = whatever;" /> <!-- VIOLATION -->
+    </connectionStrings>
 
     <system.web>
         <httpHandlers>
-            <add verb="*" path="*" 
-                  type="MindTouch.Dream.Http.HttpHandler, mindtouch.core"/> 
+            <add verb="*" path="*"
+                  type="MindTouch.Dream.Http.HttpHandler, mindtouch.core"/>
         </httpHandlers>
-	<!--<customErrors mode="Off"/>-->
-		<authentication mode="Windows|Forms|Passport|None">
-  			<forms name="name"
-       			loginUrl="url" 
-       			protection="All|None|Encryption|Validation"
-       			timeout="30" path="/" >
-     			<credentials passwordFormat="Clear|SHA1|MD5">
-      				 <user name="username" password="password" /> <!-- VIOLATION -->
-     			</credentials>
-   			</forms>
-   			<passport redirectUrl="internal"/>
-		</authentication>
-	
+        <!--<customErrors mode="Off"/>-->
+        <authentication mode="Windows|Forms|Passport|None">
+            <forms name="name"
+                loginUrl="url"
+                 protection="All|None|Encryption|Validation"
+                timeout="30" path="/" >
+              <credentials passwordFormat="Clear|SHA1|MD5">
+                   <user name="username" password="password" /> <!-- VIOLATION -->
+              </credentials>
+            </forms>
+            <passport redirectUrl="internal"/>
+        </authentication>
     </system.web>
 
     <system.net>

csharp/ql/src/Security Features/CWE-248/BadWeb.config

@@ -5,4 +5,4 @@
       ...
     </customErrors>
   </system.web>
-</configuration>
+</configuration>

csharp/ql/src/Security Features/CWE-248/GoodWeb.config

@@ -5,4 +5,4 @@
       ...
     </customErrors>
   </system.web>
-</configuration>
+</configuration>

csharp/ql/src/Security Features/CWE-451/Web.config

@@ -9,4 +9,4 @@
       </customHeaders>
     </httpProtocol>
   </system.webServer>
-</configuration>
+</configuration>

csharp/ql/src/Security Features/CWE-614/Web.config

@@ -3,7 +3,7 @@
   <system.web>
     <authentication>
       <forms
-        requireSSL="true" 
+        requireSSL="true"
         ... />
     </authentication>
     <httpCookies

csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirect.qll

@@ -174,7 +174,7 @@ module UrlRedirect {
       )
     }
   }
-  
+
   /**
    * Anything that is setting "location" header in the response headers.
    */
@@ -201,12 +201,12 @@ module UrlRedirect {
         this.getExpr() = add.getArgument(1))
       or // HttpResponse.Headers["location"] = <user-provided value>
       exists(RefType cl, MicrosoftAspNetCoreHttpHttpResponse resp, IndexerAccess ci, Call cs, PropertyAccess qualifier |
-        qualifier.getTarget() = resp.getHeadersProperty() and 
+        qualifier.getTarget() = resp.getHeadersProperty() and
         ci.getTarget() = cl.getAnIndexer() and
         qualifier = ci.getQualifier() and
         cs.getTarget() = cl.getAnIndexer().getSetter() and
         cs.getArgument(0).getValue().toLowerCase() = "location" and
-        this.asExpr() = cs.getArgument(1)) 
+        this.asExpr() = cs.getArgument(1))
     }
   }
 }

csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll

@@ -526,8 +526,8 @@ module XSS {
       this.getExpr() = any(WebPageClass h).getWriteLiteralMethod().getACall().getAnArgument()
     }
 
-    override string explanation() { 
-      result = "System.Web.WebPages.WebPage.WriteLiteral() method" 
+    override string explanation() {
+      result = "System.Web.WebPages.WebPage.WriteLiteral() method"
     }
   }
 
@@ -539,9 +539,9 @@ module XSS {
     WebPageWriteLiteralToSink() {
       this.getExpr() = any(WebPageClass h).getWriteLiteralToMethod().getACall().getAnArgument()
     }
-    
-    override string explanation() { 
-      result = "System.Web.WebPages.WebPage.WriteLiteralTo() method" 
+
+    override string explanation() {
+      result = "System.Web.WebPages.WebPage.WriteLiteralTo() method"
     }
   }
 
@@ -555,9 +555,9 @@ module XSS {
     MicrosoftAspNetCoreMvcHtmlHelperRawSink() {
       this.getExpr() = any(MicrosoftAspNetCoreMvcHtmlHelperClass h).getRawMethod().getACall().getAnArgument()
     }
-  
-    override string explanation() { 
-      result = "Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method" 
+
+    override string explanation() {
+      result = "Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method"
     }
   }
 
@@ -569,19 +569,19 @@ module XSS {
     MicrosoftAspNetRazorPageWriteLiteralSink() {
       this.getExpr() = any(MicrosoftAspNetCoreMvcRazorPageBase h).getWriteLiteralMethod().getACall().getAnArgument()
     }
-    
-    override string explanation() { 
-      result = "Microsoft.AspNetCore.Mvc.Razor.RazorPageBase.WriteLiteral() method" 
+
+    override string explanation() {
+      result = "Microsoft.AspNetCore.Mvc.Razor.RazorPageBase.WriteLiteral() method"
     }
   }
-  
+
   /**
    * HtmlString that may be rendered as is need to have sanitized value
    */
   class MicrosoftAspNetHtmlStringSink extends AspNetCoreSink {
     MicrosoftAspNetHtmlStringSink() {
-      exists (ObjectCreation c, MicrosoftAspNetCoreHttpHtmlString s | 
-       c.getTarget() = s.getAConstructor() and 
+      exists (ObjectCreation c, MicrosoftAspNetCoreHttpHtmlString s |
+       c.getTarget() = s.getAConstructor() and
        this.asExpr() = c.getAnArgument())
     }
   }

csharp/ql/test/query-tests/Security Features/CWE-011/Web.config

@@ -5,4 +5,4 @@
       defaultLanguage="c#"
     />
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-011/bad/Web.config

@@ -6,4 +6,4 @@
       debug="true"
     />
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSSAspNet.cs

@@ -48,4 +48,4 @@ namespace ASP
     }
 }
 
-// source-extractor-options: /r:${testdir}/../../../../../packages/Microsoft.AspNet.WebPages.3.2.3/lib/net45/System.Web.WebPages.dll /r:${testdir}/../../../../../packages/Microsoft.AspNet.Mvc.5.2.3/lib/net45/System.Web.Mvc.dll /r:System.Dynamic.Runtime.dll /r:System.Runtime.Extensions.dll /r:System.Linq.Expressions.dll /r:System.Web.dll /r:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll /r:System.Collections.Specialized.dll
+// source-extractor-options: /r:${testdir}/../../../../../packages/Microsoft.AspNet.WebPages.3.2.3/lib/net45/System.Web.WebPages.dll /r:${testdir}/../../../../../packages/Microsoft.AspNet.Mvc.5.2.3/lib/net45/System.Web.Mvc.dll /r:System.Dynamic.Runtime.dll /r:System.Runtime.Extensions.dll /r:System.Linq.Expressions.dll /r:System.Web.dll /r:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll /r:System.Collections.Specialized.dll

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSSAspNetCore.cs

@@ -76,4 +76,4 @@ namespace Testing.Controllers
     }
 }
 
-// initial-extractor-options: /r:netstandard.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Mvc.1.1.3/lib/net451/Microsoft.AspNetCore.Mvc.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Mvc.Core.1.1.3/lib/net451/Microsoft.AspNetCore.Mvc.Core.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Antiforgery.1.1.2/lib/net451/Microsoft.AspNetCore.Antiforgery.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Mvc.ViewFeatures.1.1.3/lib/net451/Microsoft.AspNetCore.Mvc.ViewFeatures.dll  /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Mvc.Abstractions.1.1.3/lib/net451/Microsoft.AspNetCore.Mvc.Abstractions.dll /r:${testdir}/../../../../../packages\Microsoft.AspNetCore.Http.Abstractions.1.1.2\lib\net451\Microsoft.AspNetCore.Http.Abstractions.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Html.Abstractions.1.1.2/lib/netstandard1.0/Microsoft.AspNetCore.Html.Abstractions.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Http.Features.1.1.2\lib\net451\Microsoft.AspNetCore.Http.Features.dll /r:${testdir}/../../../../../packages\Microsoft.Extensions.Primitives.2.1.0\lib\netstandard2.0\Microsoft.Extensions.Primitives.dll /r:System.Linq.dll /r:System.Linq.Expressions.dll /r:System.Linq.Queryable.dll
+// initial-extractor-options: /r:netstandard.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Mvc.1.1.3/lib/net451/Microsoft.AspNetCore.Mvc.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Mvc.Core.1.1.3/lib/net451/Microsoft.AspNetCore.Mvc.Core.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Antiforgery.1.1.2/lib/net451/Microsoft.AspNetCore.Antiforgery.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Mvc.ViewFeatures.1.1.3/lib/net451/Microsoft.AspNetCore.Mvc.ViewFeatures.dll  /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Mvc.Abstractions.1.1.3/lib/net451/Microsoft.AspNetCore.Mvc.Abstractions.dll /r:${testdir}/../../../../../packages\Microsoft.AspNetCore.Http.Abstractions.1.1.2\lib\net451\Microsoft.AspNetCore.Http.Abstractions.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Html.Abstractions.1.1.2/lib/netstandard1.0/Microsoft.AspNetCore.Html.Abstractions.dll /r:${testdir}/../../../../../packages/Microsoft.AspNetCore.Http.Features.1.1.2\lib\net451\Microsoft.AspNetCore.Http.Features.dll /r:${testdir}/../../../../../packages\Microsoft.Extensions.Primitives.2.1.0\lib\netstandard2.0\Microsoft.Extensions.Primitives.dll /r:System.Linq.dll /r:System.Linq.Expressions.dll /r:System.Linq.Queryable.dll

csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config

@@ -4,4 +4,4 @@
     <customErrors mode="Off">
     </customErrors>
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/Web.config

@@ -4,4 +4,4 @@
     <customErrors mode="Off">
     </customErrors>
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/Web.config

@@ -2,4 +2,4 @@
 <configuration>
   <system.web>
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config

@@ -2,4 +2,4 @@
 <configuration>
   <system.web>
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/Web.config

@@ -9,4 +9,4 @@
       </customHeaders>
     </httpProtocol>
   </system.webServer>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-548/web.config

@@ -3,4 +3,4 @@
   <system.webServer>
     <directoryBrowse enabled="true" />
   </system.webServer>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/Web.config

@@ -3,4 +3,4 @@
   <system.web>
     <httpCookies />
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/Web.config

@@ -6,4 +6,4 @@
     </authentication>
     <httpCookies />
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config

@@ -6,4 +6,4 @@
     </authentication>
     <httpCookies requireSSL="true"/>
   </system.web>
-</configuration>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config

@@ -6,4 +6,4 @@
     </authentication>
     <httpCookies />
   </system.web>
-</configuration>
+</configuration>