Merge pull request #2356 from cldrn/ASPNetRequestValidationMode

Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET
2026-04-30 03:05:15 +02:00 · 2019-12-04 17:02:08 +00:00
parent 343385bd2e fcd13dc595
commit 73c8888361
15 changed files with 104 additions and 4 deletions
--- a/Features/CWE-016/ASPNetRequestValidationMode.qhelp
+++ b/Features/CWE-016/ASPNetRequestValidationMode.qhelp
@@ -0,0 +1,52 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+	<overview>
+		<p>
+			The <code>requestValidationMode</code> attribute in ASP.NET is used to configure built-in validation to
+			protect applications against code injections. Downgrading or disabling
+			this configuration is not recommended. The default value of 4.5
+			is the only recommended value, as previous versions only test a subset of requests.
+		</p>
+
+	</overview>
+	<recommendation>
+
+		<p>
+			Always set <code>requestValidationMode</code> to 4.5, or leave it at its default value.
+		</p>
+
+	</recommendation>
+	<example>
+
+		<p>
+			The following example shows the <code>requestValidationMode</code>
+			attribute set to a value of 4.0, which disables some protections and
+			ignores individual <code>Page</code> directives:
+		</p>
+
+		<sample src="ASPNetRequestValidationModeBad.config" />
+
+		<p>
+			Setting the value to 4.5 enables request validation for all requests:
+		</p>
+
+		<sample src="ASPNetRequestValidationModeGood.config" />
+
+	</example>
+	<references>
+
+		<li>
+			Microsoft:
+			<a
+				href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8">HttpRuntimeSection.RequestValidationMode Property
+				</a>.
+		</li>
+		<li>
+			OWASP:
+			<a
+				href="https://www.owasp.org/index.php/ASP.NET_Request_Validation">ASP.NET Request Validation</a>.
+		</li>
+	</references>
+
+</qhelp>
--- a/Features/CWE-016/ASPNetRequestValidationMode.ql
+++ b/Features/CWE-016/ASPNetRequestValidationMode.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Insecure configuration for ASP.NET requestValidationMode
+ * @description Setting 'requestValidationMode' to less than 4.5 disables built-in validations
+ *              included by default in ASP.NET. Disabling or downgrading this protection is not
+ *              recommended.
+ * @kind problem
+ * @id cs/insecure-request-validation-mode
+ * @problem.severity warning
+ * @tags security
+ *       external/cwe/cwe-016
+ */
+
+import csharp
+
+from XMLAttribute reqValidationMode
+where
+  reqValidationMode.getName().toLowerCase() = "requestvalidationmode" and
+  reqValidationMode.getValue().toFloat() < 4.5
+select reqValidationMode,
+  "Insecure value for requestValidationMode (" + reqValidationMode.getValue() + ")."
--- a/Features/CWE-016/ASPNetRequestValidationModeBad.config
+++ b/Features/CWE-016/ASPNetRequestValidationModeBad.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <httpRuntime requestValidationMode="4.0"/>
+  </system.web>
+</configuration>
--- a/Features/CWE-016/ASPNetRequestValidationModeGood.config
+++ b/Features/CWE-016/ASPNetRequestValidationModeGood.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <httpRuntime requestValidationMode="4.5"/>
+  </system.web>
+</configuration>