Add additional test cases

2026-04-30 19:26:02 +02:00 · 2023-10-17 16:58:20 +01:00
parent f84b2a96af
commit 7691cbce87
4 changed files with 113 additions and 4 deletions
--- a/Features/CWE-079/XSSRazorPages/Controllers/TestController.cs
+++ b/Features/CWE-079/XSSRazorPages/Controllers/TestController.cs
@@ -67,9 +67,7 @@ public class Test2Controller : Controller {
        return helper(tainted11);
    }

-    private IActionResult helper(UserData x) {
-        return View("Test11", x);
-    }
+    private IActionResult helper(UserData x) { return View("Test11", x); }

    public IActionResult Test12(UserData tainted12) {
        // Expected to find nothing.
@@ -79,4 +77,32 @@ public class Test2Controller : Controller {
    private IActionResult helper2(UserData x) {
        return View(x);
    }    
+
+    private IActionResult test13(UserData tainted13) {
+        // Expected to find file /Views/Other/Test13.cshtml
+        return Helper.helper3(this, tainted13);
+    }
+
+    private IActionResult test14(UserData tainted14) {
+        // Expected to find file /Views/Shared/Test14.cshtml and NOT /Views/Test2/Test14.cshtml
+        return Helper.helper4(this, tainted14);
+    }
+
+}
+
+class Helper {
+    public static IActionResult helper3(Controller c, UserData x) { return c.View("/Views/Other/Test13.cshtml", x); }
+
+    public static IActionResult helper4(Controller c, UserData x) { return c.View("Test14", x); }
+}
+
+public class Test3Controller : Controller {
+    public void Setup(RazorViewEngineOptions o) {
+        o.ViewLocationFormats.Add("/Views/Custom/{1}/{0}.cshtml");
+    }
+
+    private IActionResult Test15(UserData tainted14) {
+        // Expected to find file /Views/Custom/Test3/Test15.cshtml
+        return View(x);
+    }
 }
--- a/Features/CWE-079/XSSRazorPages/Generated/Views_Custom_Test3_Test15.cshtml.g.cs
+++ b/Features/CWE-079/XSSRazorPages/Generated/Views_Custom_Test3_Test15.cshtml.g.cs
@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Custom_Test3_Test15), @"mvc.1.0.view", @"/Views/Custom/Test3/Test15.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Custom/Test3/Test15.cshtml")]
+    public class Views_Custom_Test3_Test15 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Views/Custom/Test3/Test15.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Views/Custom/Test3/Test15.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Views/Custom/Test3/Test15.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591
--- a/Features/CWE-079/XSSRazorPages/Views/Custom/Test3/Test15.cshtml
+++ b/Features/CWE-079/XSSRazorPages/Views/Custom/Test3/Test15.cshtml
@@ -0,0 +1,9 @@
+@namespace test
+@model UserData
+@{
+}
+
+@if (Model != null)
+{
+    <h3>Hello "@Html.Raw(Model.Name)"</h3>
+}