Separate area view discovery list for increased precision

Joe Farebrother
2023-10-24 16:09:58 +01:00
parent f2c3d83d9e
commit 826111dc08
7 changed files with 237 additions and 52 deletions


@@ -68,6 +68,9 @@ private class ViewCall extends MethodCall {
result = attr.getArgument(0).(StringLiteral).getValue()
)
}
/** `result` is `true` if this cal is from a controller that is an an Area, `false` otherwise. */
boolean hasArea() { if exists(this.getAreaName()) then result = true else result = false }
}
/** A compiler-generated Razor page. */
@@ -119,38 +122,43 @@ private predicate viewCallRefersToPageRelative(ViewCall vc, RazorPage rp) {
}
/** Gets the `i`th template for view discovery. */
private string getViewSearchTemplate(int i) {
i = 0 and result = "/Areas/{2}/Views/{1}/{0}.cshtml"
private string getViewSearchTemplate(int i, boolean isArea) {
i = 0 and result = "/Areas/{2}/Views/{1}/{0}.cshtml" and isArea = true
or
i = 1 and result = "/Areas/{2}/Views/Shared/{0}.cshtml"
i = 1 and result = "/Areas/{2}/Views/Shared/{0}.cshtml" and isArea = true
or
i = 2 and result = "/Views/{1}/{0}.cshtml"
i = 2 and result = "/Views/{1}/{0}.cshtml" and isArea = false
or
i = 3 and result = "/Views/Shared/{0}.cshtml"
i = 3 and result = "/Views/Shared/{0}.cshtml" and isArea = [true, false]
or
i = 4 and result = getAViewSearchTemplateInCode()
i = 4 and result = "/Pages/Shared/{0}.cshtml" and isArea = true
or
i = 5 and result = getAViewSearchTemplateInCode(isArea)
}
/** Gets an additional template used for view discovery defined in code. */
private string getAViewSearchTemplateInCode() {
private string getAViewSearchTemplateInCode(boolean isArea) {
exists(StringLiteral str, MethodCall addCall |
addCall.getTarget().hasName("Add") and
DataFlow::localExprFlow(str, addCall.getArgument(0)) and
addCall.getQualifier() = getAViewLocationList() and
addCall.getQualifier() = getAViewLocationList(isArea) and
result = str.getValue()
)
}
/** Gets a list expression containing view search locations */
private Expr getAViewLocationList() {
result
.(PropertyRead)
.getProperty()
.hasQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorViewEngineOptions",
[
"ViewLocationFormats", "AreaViewLocationFormats",
//"PageViewLocationFormats","AreaPageViewLocationFormats"
])
private Expr getAViewLocationList(boolean isArea) {
exists(string name |
result
.(PropertyRead)
.getProperty()
.hasQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorViewEngineOptions", name)
|
name = "ViewLocationFormats" and isArea = false
or
name = "AreaViewLocationFormats" and isArea = true
// PageViewLocationFormats and AreaPageViewLocationFormats are used for calls within a page rather than a controller
)
}
/** A filepath that should be searched for a View call. */
@@ -160,7 +168,7 @@ private class RelativeViewCallFilepath extends NormalizableFilepath {
RelativeViewCallFilepath() {
exists(string template, string sub2, string sub1, string sub0 |
template = getViewSearchTemplate(idx_)
template = getViewSearchTemplate(idx_, vc_.hasArea())
|
(
if template.matches("%{2}%")
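Review bot: In `getViewSearchTemplate`, the `/Pages/Shared/{0}.cshtml` template is tied to `isArea = true` only, so a `View(...)` call from a non-area controller is never matched to a view under `/Pages/Shared`, and tainted data flowing into such a view goes unreported. As far as I know, the Razor Pages setup adds that location to both `ViewLocationFormats` and `AreaViewLocationFormats`, so the line should probably read `i = 4 and result = "/Pages/Shared/{0}.cshtml" and isArea = [true, false]`; please confirm against the framework defaults. The new test21 sits in what appears to be an area controller, so it covers only the area case. Separately, the doc comment added on `hasArea` has typos; suggest ``/** `result` is `true` if this call is from a controller that is in an Area, `false` otherwise. */``.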


@@ -101,6 +101,7 @@ public class Test3Controller : Controller {
public void Setup(RazorViewEngineOptions o) {
o.ViewLocationFormats.Add("/Views/Custom/{1}/{0}.cshtml");
o.ViewLocationFormats.Add("~/Views/Custom2/{0}.cshtml");
o.AreaViewLocationFormats.Add("/MyAreas/{2}/{1}/{0}.cshtml");
}
public IActionResult Test15(UserData tainted15) {
@@ -132,7 +133,17 @@ public class Test4Controller : Controller {
}
public IActionResult test20(UserData tainted20) {
// SPURIOUS: Expected to find nothing (and NOT /Views/Test4/Test20.cshtml).
// Expected to find nothing (and NOT /Views/Test4/Test20.cshtml).
return View("Test20", tainted20);
}
public IActionResult test21(UserData tainted21) {
// Expected to find file /Pages/Shared/Test21.cshtml
return View("Test21", tainted21);
}
public IActionResult test22(UserData tainted22) {
// Expected to find file /MyAreas/TestArea/Test4/Test22.cshtml
return View("Test22", tainted22);
}
}
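Review bot: The comment on `test22` expects `/MyAreas/TestArea/Test4/Test22.cshtml`, but the compiled-view fixture added in this commit registers `/MyAreas/Test4/Test22.cshtml` (class `MyAreas_Test4_Test22`), and the updated expected output contains no `tainted22` rows. With the template `/MyAreas/{2}/{1}/{0}.cshtml` and the area name `TestArea` (inferred from the Test17/Test18 results), the fixture would need the identifier `@"/MyAreas/TestArea/Test4/Test22.cshtml"` for the view to resolve. As committed, the new `AreaViewLocationFormats` handling is not exercised, so a regression there would pass unnoticed. Either fix the fixture path, or mark the case as a known miss in the comment, e.g. `// MISSING: Expected to find file /MyAreas/TestArea/Test4/Test22.cshtml`.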


@@ -0,0 +1,74 @@
// A test file that mimics the output of compiling a `.cshtml` file
// <auto-generated/>
#pragma warning disable 1591
[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.MyAreas_Test4_Test22), @"mvc.1.0.view", @"/MyAreas/Test4/Test22.cshtml")]
namespace test.Views
{
#line hidden
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
#nullable restore
using test;
#line default
#line hidden
#nullable disable
[global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/MyAreas/Test4/Test22.cshtml")]
public class MyAreas_Test4_Test22 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
{
#pragma warning disable 1998
public async override global::System.Threading.Tasks.Task ExecuteAsync()
{
#line 6 "MyAreas/Test4/Test22.cshtml"
if (Model != null)
{
#line default
#line hidden
#nullable disable
WriteLiteral(" <h3>Hello \"");
#nullable restore
#line 8 "MyAreas/Test4/Test22.cshtml"
Write(Html.Raw(Model.Name));
#line default
#line hidden
#nullable disable
WriteLiteral("\"</h3>\n");
#nullable restore
#line 9 "MyAreas/Test4/Test22.cshtml"
}
#line default
#line hidden
#nullable disable
}
#pragma warning restore 1998
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
#nullable disable
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
#nullable disable
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
#nullable disable
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
#nullable disable
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
#nullable disable
}
}
#pragma warning restore 1591


@@ -0,0 +1,74 @@
// A test file that mimics the output of compiling a `.cshtml` file
// <auto-generated/>
#pragma warning disable 1591
[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Pages_Shared_Test21), @"mvc.1.0.view", @"/Pages/Shared/Test21.cshtml")]
namespace test.Views
{
#line hidden
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
#nullable restore
using test;
#line default
#line hidden
#nullable disable
[global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Pages/Shared/Test21.cshtml")]
public class Pages_Shared_Test21 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
{
#pragma warning disable 1998
public async override global::System.Threading.Tasks.Task ExecuteAsync()
{
#line 6 "Pages/Shared/Test21.cshtml"
if (Model != null)
{
#line default
#line hidden
#nullable disable
WriteLiteral(" <h3>Hello \"");
#nullable restore
#line 8 "Pages/Shared/Test21.cshtml"
Write(Html.Raw(Model.Name));
#line default
#line hidden
#nullable disable
WriteLiteral("\"</h3>\n");
#nullable restore
#line 9 "Pages/Shared/Test21.cshtml"
}
#line default
#line hidden
#nullable disable
}
#pragma warning restore 1998
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
#nullable disable
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
#nullable disable
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
#nullable disable
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
#nullable disable
#nullable restore
[global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
#nullable disable
}
}
#pragma warning restore 1591


@@ -0,0 +1,9 @@
@namespace test
@model UserData
@{
}
@if (Model != null)
{
<h3>Hello "@Html.Raw(Model.Name)"</h3>
}


@@ -0,0 +1,9 @@
@namespace test
@model UserData
@{
}
@if (Model != null)
{
<h3>Hello "@Html.Raw(Model.Name)"</h3>
}


@@ -33,18 +33,19 @@ edges
| Controllers/TestController.cs:95:113:95:113 | access to parameter x : UserData | Views/Other/Test13.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:97:64:97:64 | x : UserData | Controllers/TestController.cs:97:93:97:93 | access to parameter x : UserData |
| Controllers/TestController.cs:97:93:97:93 | access to parameter x : UserData | Views/Shared/Test14.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:106:42:106:50 | tainted15 : UserData | Controllers/TestController.cs:108:21:108:29 | access to parameter tainted15 : UserData |
| Controllers/TestController.cs:108:21:108:29 | access to parameter tainted15 : UserData | Views/Custom/Test3/Test15.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:111:42:111:50 | tainted16 : UserData | Controllers/TestController.cs:113:31:113:39 | access to parameter tainted16 : UserData |
| Controllers/TestController.cs:113:31:113:39 | access to parameter tainted16 : UserData | Views/Custom2/Test16.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:119:42:119:50 | tainted17 : UserData | Controllers/TestController.cs:121:31:121:39 | access to parameter tainted17 : UserData |
| Controllers/TestController.cs:121:31:121:39 | access to parameter tainted17 : UserData | Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:124:42:124:50 | tainted18 : UserData | Controllers/TestController.cs:126:31:126:39 | access to parameter tainted18 : UserData |
| Controllers/TestController.cs:126:31:126:39 | access to parameter tainted18 : UserData | Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:129:42:129:50 | tainted19 : UserData | Controllers/TestController.cs:131:31:131:39 | access to parameter tainted19 : UserData |
| Controllers/TestController.cs:131:31:131:39 | access to parameter tainted19 : UserData | Views/Shared/Test19.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:134:42:134:50 | tainted20 : UserData | Controllers/TestController.cs:136:31:136:39 | access to parameter tainted20 : UserData |
| Controllers/TestController.cs:136:31:136:39 | access to parameter tainted20 : UserData | Views/Test4/Test20.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:107:42:107:50 | tainted15 : UserData | Controllers/TestController.cs:109:21:109:29 | access to parameter tainted15 : UserData |
| Controllers/TestController.cs:109:21:109:29 | access to parameter tainted15 : UserData | Views/Custom/Test3/Test15.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:112:42:112:50 | tainted16 : UserData | Controllers/TestController.cs:114:31:114:39 | access to parameter tainted16 : UserData |
| Controllers/TestController.cs:114:31:114:39 | access to parameter tainted16 : UserData | Views/Custom2/Test16.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:120:42:120:50 | tainted17 : UserData | Controllers/TestController.cs:122:31:122:39 | access to parameter tainted17 : UserData |
| Controllers/TestController.cs:122:31:122:39 | access to parameter tainted17 : UserData | Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:125:42:125:50 | tainted18 : UserData | Controllers/TestController.cs:127:31:127:39 | access to parameter tainted18 : UserData |
| Controllers/TestController.cs:127:31:127:39 | access to parameter tainted18 : UserData | Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:130:42:130:50 | tainted19 : UserData | Controllers/TestController.cs:132:31:132:39 | access to parameter tainted19 : UserData |
| Controllers/TestController.cs:132:31:132:39 | access to parameter tainted19 : UserData | Views/Shared/Test19.cshtml:8:16:8:20 | access to property Model : UserData |
| Controllers/TestController.cs:140:42:140:50 | tainted21 : UserData | Controllers/TestController.cs:142:31:142:39 | access to parameter tainted21 : UserData |
| Controllers/TestController.cs:142:31:142:39 | access to parameter tainted21 : UserData | Pages/Shared/Test21.cshtml:8:16:8:20 | access to property Model : UserData |
| Pages/Shared/Test21.cshtml:8:16:8:20 | access to property Model : UserData | Pages/Shared/Test21.cshtml:8:16:8:25 | access to property Name |
| Views/Custom2/Test16.cshtml:8:16:8:20 | access to property Model : UserData | Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name |
| Views/Custom/Test3/Test15.cshtml:8:16:8:20 | access to property Model : UserData | Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name |
| Views/Other/Test5.cshtml:8:16:8:20 | access to property Model : UserData | Views/Other/Test5.cshtml:8:16:8:25 | access to property Name |
@@ -57,7 +58,6 @@ edges
| Views/Shared/Test19.cshtml:8:16:8:20 | access to property Model : UserData | Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name |
| Views/Test2/Test10.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test2/Test10.cshtml:8:16:8:25 | access to property Name |
| Views/Test2/Test11.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test2/Test11.cshtml:8:16:8:25 | access to property Name |
| Views/Test4/Test20.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test4/Test20.cshtml:8:16:8:25 | access to property Name |
| Views/Test/Test1.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test/Test1.cshtml:8:16:8:25 | access to property Name |
| Views/Test/Test3.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test/Test3.cshtml:8:16:8:25 | access to property Name |
| Views/Test/Test4.cshtml:8:16:8:20 | access to property Model : UserData | Views/Test/Test4.cshtml:8:16:8:25 | access to property Name |
@@ -99,18 +99,20 @@ nodes
| Controllers/TestController.cs:95:113:95:113 | access to parameter x : UserData | semmle.label | access to parameter x : UserData |
| Controllers/TestController.cs:97:64:97:64 | x : UserData | semmle.label | x : UserData |
| Controllers/TestController.cs:97:93:97:93 | access to parameter x : UserData | semmle.label | access to parameter x : UserData |
| Controllers/TestController.cs:106:42:106:50 | tainted15 : UserData | semmle.label | tainted15 : UserData |
| Controllers/TestController.cs:108:21:108:29 | access to parameter tainted15 : UserData | semmle.label | access to parameter tainted15 : UserData |
| Controllers/TestController.cs:111:42:111:50 | tainted16 : UserData | semmle.label | tainted16 : UserData |
| Controllers/TestController.cs:113:31:113:39 | access to parameter tainted16 : UserData | semmle.label | access to parameter tainted16 : UserData |
| Controllers/TestController.cs:119:42:119:50 | tainted17 : UserData | semmle.label | tainted17 : UserData |
| Controllers/TestController.cs:121:31:121:39 | access to parameter tainted17 : UserData | semmle.label | access to parameter tainted17 : UserData |
| Controllers/TestController.cs:124:42:124:50 | tainted18 : UserData | semmle.label | tainted18 : UserData |
| Controllers/TestController.cs:126:31:126:39 | access to parameter tainted18 : UserData | semmle.label | access to parameter tainted18 : UserData |
| Controllers/TestController.cs:129:42:129:50 | tainted19 : UserData | semmle.label | tainted19 : UserData |
| Controllers/TestController.cs:131:31:131:39 | access to parameter tainted19 : UserData | semmle.label | access to parameter tainted19 : UserData |
| Controllers/TestController.cs:134:42:134:50 | tainted20 : UserData | semmle.label | tainted20 : UserData |
| Controllers/TestController.cs:136:31:136:39 | access to parameter tainted20 : UserData | semmle.label | access to parameter tainted20 : UserData |
| Controllers/TestController.cs:107:42:107:50 | tainted15 : UserData | semmle.label | tainted15 : UserData |
| Controllers/TestController.cs:109:21:109:29 | access to parameter tainted15 : UserData | semmle.label | access to parameter tainted15 : UserData |
| Controllers/TestController.cs:112:42:112:50 | tainted16 : UserData | semmle.label | tainted16 : UserData |
| Controllers/TestController.cs:114:31:114:39 | access to parameter tainted16 : UserData | semmle.label | access to parameter tainted16 : UserData |
| Controllers/TestController.cs:120:42:120:50 | tainted17 : UserData | semmle.label | tainted17 : UserData |
| Controllers/TestController.cs:122:31:122:39 | access to parameter tainted17 : UserData | semmle.label | access to parameter tainted17 : UserData |
| Controllers/TestController.cs:125:42:125:50 | tainted18 : UserData | semmle.label | tainted18 : UserData |
| Controllers/TestController.cs:127:31:127:39 | access to parameter tainted18 : UserData | semmle.label | access to parameter tainted18 : UserData |
| Controllers/TestController.cs:130:42:130:50 | tainted19 : UserData | semmle.label | tainted19 : UserData |
| Controllers/TestController.cs:132:31:132:39 | access to parameter tainted19 : UserData | semmle.label | access to parameter tainted19 : UserData |
| Controllers/TestController.cs:140:42:140:50 | tainted21 : UserData | semmle.label | tainted21 : UserData |
| Controllers/TestController.cs:142:31:142:39 | access to parameter tainted21 : UserData | semmle.label | access to parameter tainted21 : UserData |
| Pages/Shared/Test21.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData |
| Pages/Shared/Test21.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name |
| Views/Custom2/Test16.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData |
| Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name |
| Views/Custom/Test3/Test15.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData |
@@ -135,8 +137,6 @@ nodes
| Views/Test2/Test10.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name |
| Views/Test2/Test11.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData |
| Views/Test2/Test11.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name |
| Views/Test4/Test20.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData |
| Views/Test4/Test20.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name |
| Views/Test/Test1.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData |
| Views/Test/Test1.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name |
| Views/Test/Test3.cshtml:8:16:8:20 | access to property Model : UserData | semmle.label | access to property Model : UserData |
@@ -147,10 +147,11 @@ nodes
| Views/Test/Test7.cshtml:8:16:8:25 | access to property Name | semmle.label | access to property Name |
subpaths
#select
| Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:124:42:124:50 | tainted18 : UserData | Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:124:42:124:50 | tainted18 : UserData | User-provided value |
| Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:119:42:119:50 | tainted17 : UserData | Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:119:42:119:50 | tainted17 : UserData | User-provided value |
| Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:111:42:111:50 | tainted16 : UserData | Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:111:42:111:50 | tainted16 : UserData | User-provided value |
| Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:106:42:106:50 | tainted15 : UserData | Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:106:42:106:50 | tainted15 : UserData | User-provided value |
| Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:125:42:125:50 | tainted18 : UserData | Areas/TestArea/Views/Shared/Test18.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:125:42:125:50 | tainted18 : UserData | User-provided value |
| Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:120:42:120:50 | tainted17 : UserData | Areas/TestArea/Views/Test4/Test17.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:120:42:120:50 | tainted17 : UserData | User-provided value |
| Pages/Shared/Test21.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:140:42:140:50 | tainted21 : UserData | Pages/Shared/Test21.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:140:42:140:50 | tainted21 : UserData | User-provided value |
| Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:112:42:112:50 | tainted16 : UserData | Views/Custom2/Test16.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:112:42:112:50 | tainted16 : UserData | User-provided value |
| Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:107:42:107:50 | tainted15 : UserData | Views/Custom/Test3/Test15.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:107:42:107:50 | tainted15 : UserData | User-provided value |
| Views/Other/Test5.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:34:41:34:48 | tainted5 : UserData | Views/Other/Test5.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:34:41:34:48 | tainted5 : UserData | User-provided value |
| Views/Other/Test6.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:39:41:39:48 | tainted6 : UserData | Views/Other/Test6.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:39:41:39:48 | tainted6 : UserData | User-provided value |
| Views/Other/Test8.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:49:41:49:48 | tainted8 : UserData | Views/Other/Test8.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:49:41:49:48 | tainted8 : UserData | User-provided value |
@@ -158,10 +159,9 @@ subpaths
| Views/Other/Test13.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:82:42:82:50 | tainted13 : UserData | Views/Other/Test13.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:82:42:82:50 | tainted13 : UserData | User-provided value |
| Views/Shared/Test2.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:19:41:19:48 | tainted2 : UserData | Views/Shared/Test2.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:19:41:19:48 | tainted2 : UserData | User-provided value |
| Views/Shared/Test14.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:87:42:87:50 | tainted14 : UserData | Views/Shared/Test14.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:87:42:87:50 | tainted14 : UserData | User-provided value |
| Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:129:42:129:50 | tainted19 : UserData | Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:129:42:129:50 | tainted19 : UserData | User-provided value |
| Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:130:42:130:50 | tainted19 : UserData | Views/Shared/Test19.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:130:42:130:50 | tainted19 : UserData | User-provided value |
| Views/Test2/Test10.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:61:42:61:50 | tainted10 : UserData | Views/Test2/Test10.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:61:42:61:50 | tainted10 : UserData | User-provided value |
| Views/Test2/Test11.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:66:42:66:50 | tainted11 : UserData | Views/Test2/Test11.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:66:42:66:50 | tainted11 : UserData | User-provided value |
| Views/Test4/Test20.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:134:42:134:50 | tainted20 : UserData | Views/Test4/Test20.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:134:42:134:50 | tainted20 : UserData | User-provided value |
| Views/Test/Test1.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:14:41:14:48 | tainted1 : UserData | Views/Test/Test1.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:14:41:14:48 | tainted1 : UserData | User-provided value |
| Views/Test/Test3.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:24:41:24:48 | tainted3 : UserData | Views/Test/Test3.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:24:41:24:48 | tainted3 : UserData | User-provided value |
| Views/Test/Test4.cshtml:8:16:8:25 | access to property Name | Controllers/TestController.cs:29:41:29:48 | tainted4 : UserData | Views/Test/Test4.cshtml:8:16:8:25 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:29:41:29:48 | tainted4 : UserData | User-provided value |