Fix standalone tests

2025-12-24 04:36:35 +01:00 · 2023-11-15 17:07:47 +00:00
parent 33186ac797
commit aa3fd6add0
7 changed files with 41 additions and 7 deletions
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/Test/Test.cshtml
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/Test/Test.cshtml
@@ -1,7 +1,6 @@
-@namespace test
+@page
+
@model UserData
-@{
-}

@if (Model != null)
 {
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/_ViewImports.cshtml
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/Views/_ViewImports.cshtml
@@ -0,0 +1,3 @@
+@using test
+
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.expected
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.expected
@@ -0,0 +1 @@
+| Views/Test/Test.cshtml:7:27:7:36 | access to property Name | Controllers/TestController.cs:13:40:13:47 | tainted1 : UserData | Views/Test/Test.cshtml:7:27:7:36 | access to property Name | $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. | Controllers/TestController.cs:13:40:13:47 | tainted1 : UserData | User-provided value |
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.ql
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @precision high
+ * @id cs/web/xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.XSSQuery
+
+// import PathGraph // exclude query predicates with output dependant on the absolute filepath the tests are run in
+from XssNode source, XssNode sink, string message
+where xssFlow(source, sink, message)
+select sink, source, sink, "$@ flows to here and " + message, source, "User-provided value"
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.qlref
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/XSS.qlref
@@ -1 +0,0 @@
-Security Features/CWE-079/XSS.ql
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/cshtml.csproj
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/cshtml.csproj
@@ -0,0 +1,9 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net7.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+</Project>
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/Razor.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Razor.qll
@@ -69,9 +69,11 @@ class RazorPageClass extends Class {
  AssemblyAttribute attr;

  RazorPageClass() {
-    this.getBaseClass()
-        .getUnboundDeclaration()
-        .hasQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorPage<>") and
+    exists(Class baseClass | baseClass = this.getBaseClass().getUnboundDeclaration() |
+      baseClass.hasQualifiedName("Microsoft.AspNetCore.Mvc.Razor", "RazorPage<>")
+      or
+      baseClass.hasQualifiedName("Microsoft.AspNetCore.Mvc.RazorPages", "Page")
+    ) and
    attr.getFile() = this.getFile() and
    attr.getType()
        .hasQualifiedName("Microsoft.AspNetCore.Razor.Hosting", "RazorCompiledItemAttribute")
				`@@ -0,0 +1 @@`
				`\| Views/Test/Test.cshtml:7:27:7:36 \| access to property Name \| Controllers/TestController.cs:13:40:13:47 \| tainted1 : UserData \| Views/Test/Test.cshtml:7:27:7:36 \| access to property Name \| $@ flows to here and is written to HTML or JavaScript: Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method. \| Controllers/TestController.cs:13:40:13:47 \| tainted1 : UserData \| User-provided value \|`