From d590687904c15c3793da65a909697d87fe8dd76d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 11 Jun 2026 21:25:03 +0000 Subject: [PATCH] Convert C# qlref tests to inline expectations --- .../BlazorTest/Components/MyOutput.razor | 2 +- .../Components/Pages/TestPage.razor | 6 ++-- .../all-platforms/blazor/XSS.qlref | 4 ++- .../BlazorTest/Components/MyOutput.razor | 2 +- .../Components/Pages/TestPage.razor | 6 ++-- .../blazor_build_mode_none/XSS.qlref | 4 ++- .../BlazorTest/Components/MyOutput.razor | 2 +- .../Components/Pages/TestPage.razor | 6 ++-- .../all-platforms/blazor_net_8/XSS.qlref | 4 ++- .../Components_Pages_TestPage_razor.g.cs | 4 +-- .../microsoft/aspnetcore/blazor/Name.cs | 4 +-- .../microsoft/aspnetcore/blazor/NameList.cs | 4 +-- .../microsoft/aspnetcore/blazor/NameList2.cs | 4 +-- .../microsoft/aspnetcore/blazor/Xss.qlref | 4 ++- .../BlockCodeResponseWrite.qlref | 1 + .../BlockCodeResponseWriteBad.aspx | 2 +- .../ASP/BlockCodeResponseWrite/test.aspx | 2 +- .../ComplexInlineCode/ComplexInlineCode.qlref | 1 + .../ComplexInlineCodeBad.aspx | 2 +- .../ASP/ComplexInlineCode/test.aspx | 2 +- .../NonInternationalizedText.qlref | 1 + .../NonInternationalizedTextBad.aspx | 2 +- .../ASP/NonInternationalizedText/test.aspx | 2 +- .../SplitControlStructure.qlref | 1 + .../SplitControlStructureBad.aspx | 2 +- .../ASP/SplitControlStructure/test.aspx | 2 +- .../EmptyPasswordInConfigurationFile.qlref | 1 + .../PasswordInConfigurationFile.qlref | 1 + .../PasswordInConfigurationFile/config.xml | 16 ++++----- .../CWE-011/ASPNetDebug.qlref | 1 + .../Security Features/CWE-011/bad1/Web.config | 2 +- .../Security Features/CWE-011/bad2/Web.config | 2 +- .../ASPNetMaxRequestLength.qlref | 1 + .../ASPNetMaxRequestLength/bad/Web.config | 4 +-- .../ASPNetPagesValidateRequest.qlref | 1 + .../ASPNetPagesValidateRequestBad.config | 4 +-- .../ASPNetRequestValidationMode.qlref | 1 + .../ASPNetRequestValidationModeBad.config | 2 +- .../CWE-020/UntrustedData.cs | 4 +-- .../CWE-020/UntrustedDataToExternalAPI.qlref | 4 ++- .../CWE-022/TaintedPath/TaintedPath.cs | 16 ++++----- .../CWE-022/TaintedPath/TaintedPath.qlref | 4 ++- .../CWE-022/ZipSlip/ZipSlip.cs | 22 ++++++------ .../CWE-022/ZipSlip/ZipSlip.qlref | 4 ++- .../CWE-022/ZipSlip/ZipSlipBad.cs | 4 +-- .../CWE-078/CommandInjection.cs | 16 ++++----- .../CWE-078/CommandInjection.qlref | 4 ++- .../CWE-079/StoredXSS/StoredXSS.cs | 4 +-- .../CWE-079/StoredXSS/StoredXSS.qlref | 4 ++- .../Security Features/CWE-079/XSSAsp/XSS.cs | 36 +++++++++---------- .../CWE-079/XSSAsp/XSS.qlref | 4 ++- .../CWE-079/XSSAsp/script.aspx | 6 ++-- .../CWE-079/XSSRazorPages/XSS.qlref | 1 + .../CWE-090/LDAPInjection.cs | 18 +++++----- .../CWE-090/LDAPInjection.qlref | 4 ++- .../CWE-091/XMLInjection/Test.cs | 4 +-- .../CWE-091/XMLInjection/XMLInjection.qlref | 4 ++- .../CWE-094/CodeInjection.cs | 8 ++--- .../CWE-094/CodeInjection.qlref | 4 ++- .../CWE-099/ResourceInjection.cs | 6 ++-- .../CWE-099/ResourceInjection.qlref | 4 ++- .../CWE-112/MissingXMLValidation.cs | 10 +++--- .../CWE-112/MissingXMLValidation.qlref | 4 ++- .../AssemblyPathInjection.qlref | 4 ++- .../CWE-114/AssemblyPathInjection/Test.cs | 4 +-- .../ExposureInTransmittedData.cs | 18 +++++----- .../ExposureInTransmittedData.qlref | 4 ++- .../CWE-209/ExceptionInformationExposure.cs | 14 ++++---- .../ExceptionInformationExposure.qlref | 4 ++- .../MissingASPNETGlobalErrorHandler.qlref | 1 + .../WebConfigOff/Web.config | 2 +- .../HardcodedSymmetricEncryptionKey.cs | 16 ++++----- .../HardcodedSymmetricEncryptionKey.qlref | 4 ++- .../CWE-338/InsecureRandomness.cs | 14 ++++---- .../CWE-338/InsecureRandomness.qlref | 4 ++- .../MissingAntiForgeryTokenValidation.cs | 4 +-- .../MissingAntiForgeryTokenValidation.qlref | 1 + .../NoHeader/MissingXFrameOptions.qlref | 1 + .../MissingXFrameOptions/NoHeader/Web.config | 2 +- .../CWE-548/ASPNetDirectoryListing.qlref | 1 + .../Security Features/CWE-548/web.config | 2 +- .../CWE-601/UrlRedirect/UrlRedirect.cs | 16 ++++----- .../CWE-601/UrlRedirect/UrlRedirect.qlref | 4 ++- .../CWE-601/UrlRedirect/UrlRedirect2.cs | 2 +- .../CWE-601/UrlRedirect/UrlRedirectCore.cs | 24 ++++++------- .../Security Features/CWE-611/Test.cs | 6 ++-- .../CWE-611/UntrustedDataInsecureXml.qlref | 4 ++- .../CWE-611/UseXmlSecureResolver.qlref | 4 ++- .../HttpCookiesCorrect/RequireSSL.qlref | 1 + .../RequireSSL/HttpCookiesCorrect/Web.config | 2 +- .../RequireSSLMissing/RequireSSL.qlref | 1 + .../RequireSSL/RequireSSLMissing/Web.config | 4 +-- .../CWE-643/XPathInjection.cs | 24 ++++++------- .../CWE-643/XPathInjection.qlref | 4 ++- .../CWE-730/ReDoS/ExponentialRegex.cs | 12 +++---- .../CWE-730/ReDoS/ReDoS.qlref | 4 ++- .../CWE-730/ReDoSGlobalTimeout/ReDoS.qlref | 4 ++- .../CWE-730/RegexInjection/RegexInjection.cs | 4 +-- .../RegexInjection/RegexInjection.qlref | 4 ++- .../CWE-807/ConditionalBypass.cs | 24 ++++++------- .../CWE-807/ConditionalBypass.qlref | 4 ++- .../Security Features/CWE-838/HtmlEncode.cs | 2 +- .../CWE-838/InappropriateEncoding.cs | 24 ++++++------- .../CWE-838/InappropriateEncoding.qlref | 4 ++- .../Security Features/CWE-838/SqlEncode.cs | 4 +-- .../Security Features/CWE-838/UrlEncode.cs | 2 +- 106 files changed, 337 insertions(+), 262 deletions(-) diff --git a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/MyOutput.razor b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/MyOutput.razor index e583e6b2e9c..5476d75ccf9 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/MyOutput.razor +++ b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/MyOutput.razor @@ -2,7 +2,7 @@

Value from InputText: @Value

-

Raw value from InputText: @(new MarkupString(Value))

+

Raw value from InputText: @(new MarkupString(Value))

@* $ Alert[cs/web/xss]=r1 *@
@code { diff --git a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/Pages/TestPage.razor b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/Pages/TestPage.razor index ac3ccbe1920..7a7a02ec222 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/Pages/TestPage.razor +++ b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/Components/Pages/TestPage.razor @@ -8,7 +8,7 @@

Route parameter

Go to: /test/@XssUrl

Parameter from URL: @UrlParam

-

Raw parameter from URL: @((MarkupString)UrlParam)

+

Raw parameter from URL: @((MarkupString)UrlParam)

@* $ Alert[cs/web/xss]=r2 $ Alert[cs/web/xss]=r2 *@
@@ -17,7 +17,7 @@

Query parameter

Go to: /test/?qs=@XssUrl

Parameter from query string: @QueryParam

-

Raw parameter from query string: @(new MarkupString(QueryParam))

+

Raw parameter from query string: @(new MarkupString(QueryParam))

@* $ Alert[cs/web/xss]=r3 $ Alert[cs/web/xss]=r3 *@
@@ -82,7 +82,7 @@
- + @* $ Source[cs/web/xss]=r1 *@
@code { diff --git a/csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref b/csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref index 89b5b951bdb..a71d4784670 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref +++ b/csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/MyOutput.razor b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/MyOutput.razor index e583e6b2e9c..5476d75ccf9 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/MyOutput.razor +++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/MyOutput.razor @@ -2,7 +2,7 @@

Value from InputText: @Value

-

Raw value from InputText: @(new MarkupString(Value))

+

Raw value from InputText: @(new MarkupString(Value))

@* $ Alert[cs/web/xss]=r1 *@
@code { diff --git a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/Pages/TestPage.razor b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/Pages/TestPage.razor index ac3ccbe1920..7a7a02ec222 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/Pages/TestPage.razor +++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/Components/Pages/TestPage.razor @@ -8,7 +8,7 @@

Route parameter

Go to: /test/@XssUrl

Parameter from URL: @UrlParam

-

Raw parameter from URL: @((MarkupString)UrlParam)

+

Raw parameter from URL: @((MarkupString)UrlParam)

@* $ Alert[cs/web/xss]=r2 $ Alert[cs/web/xss]=r2 *@
@@ -17,7 +17,7 @@

Query parameter

Go to: /test/?qs=@XssUrl

Parameter from query string: @QueryParam

-

Raw parameter from query string: @(new MarkupString(QueryParam))

+

Raw parameter from query string: @(new MarkupString(QueryParam))

@* $ Alert[cs/web/xss]=r3 $ Alert[cs/web/xss]=r3 *@
@@ -82,7 +82,7 @@
- + @* $ Source[cs/web/xss]=r1 *@
@code { diff --git a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref index 89b5b951bdb..a71d4784670 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref +++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/MyOutput.razor b/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/MyOutput.razor index e583e6b2e9c..5476d75ccf9 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/MyOutput.razor +++ b/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/MyOutput.razor @@ -2,7 +2,7 @@

Value from InputText: @Value

-

Raw value from InputText: @(new MarkupString(Value))

+

Raw value from InputText: @(new MarkupString(Value))

@* $ Alert[cs/web/xss]=r1 *@
@code { diff --git a/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/Pages/TestPage.razor b/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/Pages/TestPage.razor index ac3ccbe1920..7a7a02ec222 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/Pages/TestPage.razor +++ b/csharp/ql/integration-tests/all-platforms/blazor_net_8/BlazorTest/Components/Pages/TestPage.razor @@ -8,7 +8,7 @@

Route parameter

Go to: /test/@XssUrl

Parameter from URL: @UrlParam

-

Raw parameter from URL: @((MarkupString)UrlParam)

+

Raw parameter from URL: @((MarkupString)UrlParam)

@* $ Alert[cs/web/xss]=r2 $ Alert[cs/web/xss]=r2 *@
@@ -17,7 +17,7 @@

Query parameter

Go to: /test/?qs=@XssUrl

Parameter from query string: @QueryParam

-

Raw parameter from query string: @(new MarkupString(QueryParam))

+

Raw parameter from query string: @(new MarkupString(QueryParam))

@* $ Alert[cs/web/xss]=r3 $ Alert[cs/web/xss]=r3 *@
@@ -82,7 +82,7 @@
- + @* $ Source[cs/web/xss]=r1 *@
@code { diff --git a/csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref b/csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref index 89b5b951bdb..a71d4784670 100644 --- a/csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref +++ b/csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs index 8732f8c7e4b..372ee49242f 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs @@ -135,7 +135,7 @@ UrlParam __builder.AddContent(18, "Raw parameter from URL: "); __builder.AddContent(19, #nullable restore -(MarkupString)UrlParam +(MarkupString)UrlParam // $ Alert[cs/web/xss]=r1 $ Alert[cs/web/xss]=r1 #line default #line hidden @@ -185,7 +185,7 @@ QueryParam __builder.AddContent(35, "Raw parameter from query string: "); __builder.AddContent(36, #nullable restore -new MarkupString(QueryParam) +new MarkupString(QueryParam) // $ Alert[cs/web/xss]=r2 $ Alert[cs/web/xss]=r2 #line default #line hidden diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Name.cs b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Name.cs index a9d098470e4..344f5cbf6ac 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Name.cs +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Name.cs @@ -10,7 +10,7 @@ namespace VulnerableBlazorApp.Components { builder.OpenElement(0, "div"); builder.OpenElement(1, "p"); - builder.AddContent(2, (MarkupString)TheName); + builder.AddContent(2, (MarkupString)TheName); // $ Alert[cs/web/xss]=r3 $ Alert[cs/web/xss]=r4 builder.CloseElement(); builder.CloseElement(); } @@ -19,4 +19,4 @@ namespace VulnerableBlazorApp.Components [Parameter] public string TheName { get; set; } } -} \ No newline at end of file +} diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs index ceffb35303e..31126310dff 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs @@ -28,7 +28,7 @@ namespace VulnerableBlazorApp.Components builder.OpenElement(6, "p"); builder.AddContent(7, "Name: "); builder.OpenComponent(8); - builder.AddComponentParameter(9, nameof(VulnerableBlazorApp.Components.Name.TheName), Name); + builder.AddComponentParameter(9, nameof(VulnerableBlazorApp.Components.Name.TheName), Name); // $ Source[cs/web/xss]=r4 builder.CloseComponent(); builder.CloseElement(); } @@ -47,4 +47,4 @@ namespace VulnerableBlazorApp.Components public List Names { get; set; } = new List(); } -} \ No newline at end of file +} diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList2.cs b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList2.cs index d27d6f2dcde..fc6298943d3 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList2.cs +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList2.cs @@ -28,7 +28,7 @@ namespace VulnerableBlazorApp.Components builder.OpenElement(6, "p"); builder.AddContent(7, "Name: "); builder.OpenComponent(8); - builder.AddComponentParameter(9, "TheName", Name); + builder.AddComponentParameter(9, "TheName", Name); // $ Source[cs/web/xss]=r3 builder.CloseComponent(); builder.CloseElement(); } @@ -47,4 +47,4 @@ namespace VulnerableBlazorApp.Components public List Names { get; set; } = new List(); } -} \ No newline at end of file +} diff --git a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref index 89b5b951bdb..a71d4784670 100644 --- a/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref +++ b/csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref index b0835a02ad7..35d5389b718 100644 --- a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref +++ b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWrite.qlref @@ -1 +1,2 @@ query: ASP/BlockCodeResponseWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWriteBad.aspx b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWriteBad.aspx index 1e4a0fffc01..ebf2cadc8b3 100644 --- a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWriteBad.aspx +++ b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/BlockCodeResponseWriteBad.aspx @@ -2,6 +2,6 @@ -

2 + 3 = <%Response.Write(2 + 3)%>

+

2 + 3 = <%Response.Write(2 + 3)%>

<%-- $ Alert[cs/asp/response-write] --%> diff --git a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/test.aspx b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/test.aspx index 1e4a0fffc01..ebf2cadc8b3 100644 --- a/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/test.aspx +++ b/csharp/ql/test/query-tests/ASP/BlockCodeResponseWrite/test.aspx @@ -2,6 +2,6 @@ -

2 + 3 = <%Response.Write(2 + 3)%>

+

2 + 3 = <%Response.Write(2 + 3)%>

<%-- $ Alert[cs/asp/response-write] --%> diff --git a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref index 90a69bb4a3b..9a5bdd6c37e 100644 --- a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref +++ b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCode.qlref @@ -1 +1,2 @@ query: ASP/ComplexInlineCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCodeBad.aspx b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCodeBad.aspx index f4457d89606..b8e0a25ac2c 100644 --- a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCodeBad.aspx +++ b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/ComplexInlineCodeBad.aspx @@ -15,6 +15,6 @@ } else { ec.Emit (Response, OpCodes.Ldloca, builder); } -%> +%> <%-- $ Alert[cs/asp/complex-inline-code] --%> diff --git a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/test.aspx b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/test.aspx index 1c2d09586ab..39055702e35 100644 --- a/csharp/ql/test/query-tests/ASP/ComplexInlineCode/test.aspx +++ b/csharp/ql/test/query-tests/ASP/ComplexInlineCode/test.aspx @@ -9,7 +9,7 @@ Response.write(3 + 2); } End If -%>

+%>

<%-- $ Alert[cs/asp/complex-inline-code] --%>

2 + 3 = <%=2 + 3%>

diff --git a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref index ac1b3e989b4..0ca3c026d73 100644 --- a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref +++ b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedText.qlref @@ -1 +1,2 @@ query: ASP/NonInternationalizedText.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedTextBad.aspx b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedTextBad.aspx index 2d5e7757d3a..935a9c19e0e 100644 --- a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedTextBad.aspx +++ b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/NonInternationalizedTextBad.aspx @@ -2,6 +2,6 @@ -

Amount: <%= Amount %>

+

Amount: <%= Amount %>

<%-- $ Alert[cs/asp/text-not-internationalized] --%> diff --git a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/test.aspx b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/test.aspx index 44b6ab46947..7027d6a07cb 100644 --- a/csharp/ql/test/query-tests/ASP/NonInternationalizedText/test.aspx +++ b/csharp/ql/test/query-tests/ASP/NonInternationalizedText/test.aspx @@ -2,6 +2,6 @@ -

This text is plain English.

+

This text is plain English.

<%-- $ Alert[cs/asp/text-not-internationalized] --%> diff --git a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref index c02b4a97ae4..57c16f0abe6 100644 --- a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref +++ b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructure.qlref @@ -1 +1,2 @@ query: ASP/SplitControlStructure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructureBad.aspx b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructureBad.aspx index 4ef3f00f3bf..870c3df8fd3 100644 --- a/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructureBad.aspx +++ b/csharp/ql/test/query-tests/ASP/SplitControlStructure/SplitControlStructureBad.aspx @@ -2,7 +2,7 @@ -<% If ShouldWarn() Then %> +<% If ShouldWarn() Then %> <%-- $ Alert[cs/asp/split-control-structure] --%>

WARNING: <%=warning()%>

<% End If %> diff --git a/csharp/ql/test/query-tests/ASP/SplitControlStructure/test.aspx b/csharp/ql/test/query-tests/ASP/SplitControlStructure/test.aspx index 8cd7245d0ca..69d889b570a 100644 --- a/csharp/ql/test/query-tests/ASP/SplitControlStructure/test.aspx +++ b/csharp/ql/test/query-tests/ASP/SplitControlStructure/test.aspx @@ -2,7 +2,7 @@ -<% If Something() Then %> +<% If Something() Then %> <%-- $ Alert[cs/asp/split-control-structure] --%>

2 + 3 = <%=2 + 3%>

<% End If %> diff --git a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref index 94937ccf811..75899b3d5f2 100644 --- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref +++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/EmptyPasswordInConfigurationFile.qlref @@ -1 +1,2 @@ query: Configuration/EmptyPasswordInConfigurationFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref index 0479b5098f3..9ae43388c25 100644 --- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref +++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/PasswordInConfigurationFile.qlref @@ -1 +1,2 @@ query: Configuration/PasswordInConfigurationFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/config.xml b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/config.xml index a72d5f8fa75..7a5f382236f 100644 --- a/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/config.xml +++ b/csharp/ql/test/query-tests/Configuration/PasswordInConfigurationFile/config.xml @@ -1,15 +1,15 @@ - - + + - - + + - - - - + + + + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref b/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref index f7d09f0bf5c..f197b183e75 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.qlref @@ -1 +1,2 @@ query: Security Features/CWE-011/ASPNetDebug.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config index ffc04c240fa..c79a46e2c88 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config @@ -4,6 +4,6 @@ + /> diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config index ffc04c240fa..c79a46e2c88 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config @@ -4,6 +4,6 @@ + /> diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref index a2914c126c3..5c2fc1ad4f6 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/ASPNetMaxRequestLength.qlref @@ -1 +1,2 @@ query: Security Features/CWE-016/ASPNetMaxRequestLength.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/bad/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/bad/Web.config index ea52bd2505b..a9e98986c4c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/bad/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength/bad/Web.config @@ -1,6 +1,6 @@ - + - \ No newline at end of file + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref index f2d275efd56..5eaf78b95be 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref @@ -1 +1,2 @@ query: Security Features/CWE-016/ASPNetPagesValidateRequest.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config index e8fbc48cb6e..927a73b39d0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config @@ -1,5 +1,5 @@ - + - \ No newline at end of file + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref index e38b59c5c75..c057ae5aa6c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref @@ -1 +1,2 @@ query: Security Features/CWE-016/ASPNetRequestValidationMode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationModeBad.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationModeBad.config index e2c8b8dc903..2a9be99dc51 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationModeBad.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationModeBad.config @@ -1,5 +1,5 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedData.cs b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedData.cs index 7b0f789c2ae..997ecc4f5cd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedData.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedData.cs @@ -6,11 +6,11 @@ public class UntrustedData : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - var name = ctx.Request.QueryString["name"]; + var name = ctx.Request.QueryString["name"]; // $ Alert[cs/untrusted-data-to-external-api]=r1 $ Alert[cs/untrusted-data-to-external-api]=r1 $ Source[cs/untrusted-data-to-external-api]=r2 var len = name.Length; var myEncodedString = HttpUtility.HtmlEncode(name); - ctx.Response.Write(name); + ctx.Response.Write(name); // $ Alert[cs/untrusted-data-to-external-api]=r2 } public bool IsReusable => true; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.qlref b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.qlref index 22d3fe2ef63..65b60310508 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-020/UntrustedDataToExternalAPI.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.cs b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.cs index 3ea90facfd3..a22efa5e25f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.cs @@ -7,14 +7,14 @@ public class TaintedPathHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { - String path = ctx.Request.QueryString["page"]; + String path = ctx.Request.QueryString["page"]; // $ Source[cs/path-injection]=r1 $ Source[cs/path-injection]=r2 $ Source[cs/path-injection]=r3 $ Source[cs/path-injection]=r4 $ Source[cs/path-injection]=r5 $ Source[cs/path-injection]=r6 $ Source[cs/path-injection]=r7 // BAD: Used via a File.Create... call. - using (StreamWriter sw = File.CreateText(path)) + using (StreamWriter sw = File.CreateText(path)) // $ Alert[cs/path-injection]=r1 { sw.WriteLine("Hello"); } // BAD: Used via StreamWriter constructor - using (StreamWriter sw = new StreamWriter(path)) + using (StreamWriter sw = new StreamWriter(path)) // $ Alert[cs/path-injection]=r2 { sw.WriteLine("Hello"); } @@ -22,20 +22,20 @@ public class TaintedPathHandler : IHttpHandler // BAD: Check is insufficient, text is read. if (!path.StartsWith("../")) { - File.ReadAllText(path); + File.ReadAllText(path); // $ Alert[cs/path-injection]=r3 } // BAD: Check is insufficient, text is read. if (!string.IsNullOrEmpty(path)) { - File.ReadAllText(path); + File.ReadAllText(path); // $ Alert[cs/path-injection]=r4 } // BAD: Check is insufficient, text is read. string badPath = "/home/user/" + path; - if (File.Exists(badPath)) + if (File.Exists(badPath)) // $ Alert[cs/path-injection]=r5 { - ctx.Response.Write(File.ReadAllText(badPath)); + ctx.Response.Write(File.ReadAllText(badPath)); // $ Alert[cs/path-injection]=r6 } // GOOD: Tainted path is passed through MapPath @@ -48,7 +48,7 @@ public class TaintedPathHandler : IHttpHandler File.ReadAllText(path); } - Directory.Exists(path); + Directory.Exists(path); // $ Alert[cs/path-injection]=r7 // GOOD: A Guid. File.ReadAllText(new Guid(path).ToString()); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.qlref b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.qlref index 10abc41286c..9ab7666c8f1 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.qlref @@ -1,3 +1,5 @@ query: Security Features/CWE-022/TaintedPath.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs index 1ec93bba3ed..189fb1a6eb6 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs @@ -12,15 +12,15 @@ namespace ZipSlip { foreach (var entry in archive.Entries) { - string fullPath = Path.GetFullPath(entry.FullName); + string fullPath = Path.GetFullPath(entry.FullName); // $ Alert[cs/zipslip]=r1 $ Alert[cs/zipslip]=r2 $ Alert[cs/zipslip]=r3 string fileName = Path.GetFileName(entry.FullName); string filename = entry.Name; - string file = entry.FullName; + string file = entry.FullName; // $ Alert[cs/zipslip]=r4 if (!string.IsNullOrEmpty(file)) { // BAD string destFileName = Path.Combine(destDirectory, file); - entry.ExtractToFile(destFileName, true); + entry.ExtractToFile(destFileName, true); // $ Sink[cs/zipslip]=r4 // GOOD string sanitizedFileName = Path.Combine(destDirectory, fileName); @@ -28,15 +28,15 @@ namespace ZipSlip // BAD string destFilePath = Path.Combine(destDirectory, fullPath); - entry.ExtractToFile(destFilePath, true); + entry.ExtractToFile(destFilePath, true); // $ Sink[cs/zipslip]=r1 // BAD: destFilePath isn't fully resolved, so may still contain .. if (destFilePath.StartsWith(destDirectory)) - entry.ExtractToFile(destFilePath, true); + entry.ExtractToFile(destFilePath, true); // $ Sink[cs/zipslip]=r2 // BAD destFilePath = Path.GetFullPath(Path.Combine(destDirectory, fullPath)); - entry.ExtractToFile(destFilePath, true); + entry.ExtractToFile(destFilePath, true); // $ Sink[cs/zipslip]=r3 // GOOD: a check for StartsWith against a fully resolved path if (destFilePath.StartsWith(destDirectory)) @@ -58,28 +58,28 @@ namespace ZipSlip foreach (ZipArchiveEntry entry in archive.Entries) { // figure out where we are putting the file - String destFilePath = Path.Combine(InstallDir, entry.FullName); + String destFilePath = Path.Combine(InstallDir, entry.FullName); // $ Alert[cs/zipslip]=r5 $ Alert[cs/zipslip]=r6 $ Alert[cs/zipslip]=r7 $ Alert[cs/zipslip]=r8 Directory.CreateDirectory(Path.GetDirectoryName(destFilePath)); using (Stream archiveFileStream = entry.Open()) { // BAD: writing to file stream - using (Stream tfsFileStream = new FileStream(destFilePath, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.None)) + using (Stream tfsFileStream = new FileStream(destFilePath, FileMode.CreateNew, FileAccess.ReadWrite, FileShare.None)) // $ Sink[cs/zipslip]=r5 { Console.WriteLine(@"Writing ""{0}""", destFilePath); archiveFileStream.CopyTo(tfsFileStream); } // BAD: can do it this way too - using (Stream tfsFileStream = File.Create(destFilePath)) + using (Stream tfsFileStream = File.Create(destFilePath)) // $ Sink[cs/zipslip]=r6 { Console.WriteLine(@"Writing ""{0}""", destFilePath); archiveFileStream.CopyTo(tfsFileStream); } // BAD: creating stream using fileInfo - var fileInfo = new FileInfo(destFilePath); + var fileInfo = new FileInfo(destFilePath); // $ Sink[cs/zipslip]=r7 using (FileStream fs = fileInfo.OpenWrite()) { Console.WriteLine(@"Writing ""{0}""", destFilePath); @@ -87,7 +87,7 @@ namespace ZipSlip } // BAD: creating stream using fileInfo - var fileInfo1 = new FileInfo(destFilePath); + var fileInfo1 = new FileInfo(destFilePath); // $ Sink[cs/zipslip]=r8 using (FileStream fs = fileInfo1.Open(FileMode.Create)) { Console.WriteLine(@"Writing ""{0}""", destFilePath); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.qlref b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.qlref index f8a7ab34e88..9d8f3ad5a64 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-022/ZipSlip.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlipBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlipBad.cs index fb6bce23b72..5a996edbad8 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlipBad.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlipBad.cs @@ -6,7 +6,7 @@ class Bad public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory) { - string destFileName = Path.Combine(destDirectory, entry.FullName); - entry.ExtractToFile(destFileName); + string destFileName = Path.Combine(destDirectory, entry.FullName); // $ Alert[cs/zipslip]=r9 + entry.ExtractToFile(destFileName); // $ Sink[cs/zipslip]=r9 } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs index df3db94b433..36ece73221e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs @@ -24,16 +24,16 @@ namespace Test public void WebCommandInjection() { // BAD: Reading from textbox, then using that in the arguments and file name - string userInput = categoryTextBox.Text; - Process.Start("foo.exe" + userInput, "/c " + userInput); + string userInput = categoryTextBox.Text; // $ Source[cs/command-line-injection]=r1 $ Source[cs/command-line-injection]=r2 $ Source[cs/command-line-injection]=r3 $ Source[cs/command-line-injection]=r4 $ Source[cs/command-line-injection]=r5 $ Source[cs/command-line-injection]=r6 $ Source[cs/command-line-injection]=r7 + Process.Start("foo.exe" + userInput, "/c " + userInput); // $ Alert[cs/command-line-injection]=r1 $ Alert[cs/command-line-injection]=r2 - ProcessStartInfo startInfo = new ProcessStartInfo(userInput, userInput); + ProcessStartInfo startInfo = new ProcessStartInfo(userInput, userInput); // $ Alert[cs/command-line-injection]=r3 $ Alert[cs/command-line-injection]=r4 Process.Start(startInfo); ProcessStartInfo startInfoProps = new ProcessStartInfo(); - startInfoProps.FileName = userInput; - startInfoProps.Arguments = userInput; - startInfoProps.WorkingDirectory = userInput; + startInfoProps.FileName = userInput; // $ Alert[cs/command-line-injection]=r5 + startInfoProps.Arguments = userInput; // $ Alert[cs/command-line-injection]=r6 + startInfoProps.WorkingDirectory = userInput; // $ Alert[cs/command-line-injection]=r7 Process.Start(startInfoProps); } @@ -43,12 +43,12 @@ namespace Test { connection.Open(); SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection); - SqlDataReader customerReader = customerCommand.ExecuteReader(); + SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/command-line-injection]=r8 while (customerReader.Read()) { // BAD: Read from database, and use it to directly execute a command - Process.Start("foo.exe", "/c " + customerReader.GetString(1)); + Process.Start("foo.exe", "/c " + customerReader.GetString(1)); // $ Alert[cs/command-line-injection]=r8 } customerReader.Close(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.qlref index 366f5105393..60798337039 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-078/CommandInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs index 1096634b690..1e30735d326 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs @@ -14,12 +14,12 @@ namespace Test { connection.Open(); SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection); - SqlDataReader customerReader = customerCommand.ExecuteReader(); + SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/web/xss]=r1 while (customerReader.Read()) { // BAD: Read from database, write it straight to a response - context.Response.Write("Orders for " + customerReader.GetString(1)); + context.Response.Write("Orders for " + customerReader.GetString(1)); // $ Alert[cs/web/xss]=r1 } customerReader.Close(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref index 89b5b951bdb..a71d4784670 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs index eba40b891d5..6db6b4fc4b6 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs @@ -23,10 +23,10 @@ namespace Test { // BAD: Reading from textbox, then writing an amended value to a control that does not HTML encode StringBuilder userInput = new StringBuilder(); - userInput.AppendFormat("{0} test", categoryTextBox.Text); - calendar.Caption = userInput.ToString(); - table.Caption = userInput.ToString(); - label.Text = userInput.ToString(); + userInput.AppendFormat("{0} test", categoryTextBox.Text); // $ Source[cs/web/xss]=r1 $ Source[cs/web/xss]=r2 $ Source[cs/web/xss]=r3 + calendar.Caption = userInput.ToString(); // $ Alert[cs/web/xss]=r1 + table.Caption = userInput.ToString(); // $ Alert[cs/web/xss]=r2 + label.Text = userInput.ToString(); // $ Alert[cs/web/xss]=r3 // GOOD: Reading from textbox, then writing an amended value to a control that does HTML encode categoryTextBox.Text = userInput.ToString(); @@ -35,8 +35,8 @@ namespace Test public void processRequest(HttpContext context) { // BAD: Read user input from a request, write it straight to a response - string name = context.Request.QueryString["name"]; - context.Response.Write(name); + string name = context.Request.QueryString["name"]; // $ Source[cs/web/xss]=r4 + context.Response.Write(name); // $ Alert[cs/web/xss]=r4 // GOOD: Read user input from a request, but encode it before writing to the response string name2 = context.Request.QueryString["name"]; @@ -55,9 +55,9 @@ namespace Test public void mvcProcess(HttpContext context) { // BAD: Mimic what happens in cshtml pages - string name = context.Request.Unvalidated.QueryString["name"]; + string name = context.Request.Unvalidated.QueryString["name"]; // $ Source[cs/web/xss]=r5 HtmlHelper html = new HtmlHelper(null, null); - html.Raw(name); + html.Raw(name); // $ Alert[cs/web/xss]=r5 } public void listener(HttpContext context) @@ -73,27 +73,27 @@ namespace Test public void contextBase(HttpContextBase context) { // BAD: Writing user input directly to a HttpListenerResponse - string name = context.Request.QueryString["name"]; - context.Response.Write(name); + string name = context.Request.QueryString["name"]; // $ Source[cs/web/xss]=r6 + context.Response.Write(name); // $ Alert[cs/web/xss]=r6 // BAD: Writing user input directly to a HttpListenerResponse - string name2 = context.Request["name"]; - context.Response.Write(name2); + string name2 = context.Request["name"]; // $ Source[cs/web/xss]=r7 + context.Response.Write(name2); // $ Alert[cs/web/xss]=r7 } public void htmlStrings(HttpContextBase context) { // BAD: Writing user input into a HtmlString without encoding - string name = context.Request.QueryString["name"]; - new HtmlString(name); - new MvcHtmlString(name); + string name = context.Request.QueryString["name"]; // $ Source[cs/web/xss]=r8 $ Source[cs/web/xss]=r9 + new HtmlString(name); // $ Alert[cs/web/xss]=r8 + new MvcHtmlString(name); // $ Alert[cs/web/xss]=r9 new MyHtmlString(context.Request); } public void WebContent(HttpContextBase context) { // BAD: Writing user input into a StringContent without encoding - string name = context.Request.QueryString["name"]; - new StringContent(name); + string name = context.Request.QueryString["name"]; // $ Source[cs/web/xss]=r10 + new StringContent(name); // $ Alert[cs/web/xss]=r10 } public void HtmlEncoded(HttpContextBase context) @@ -137,7 +137,7 @@ namespace Test public string ToHtmlString() { - return Request.RawUrl; + return Request.RawUrl; // $ Alert[cs/web/xss]=r11 $ Alert[cs/web/xss]=r11 } } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref index 89b5b951bdb..a71d4784670 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-079/XSS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx index 5dd4830d756..7581e301c02 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx @@ -9,13 +9,13 @@ diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref index e0b85b8f4c6..553ccc892d0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/XSS.qlref @@ -1 +1,2 @@ query: Security Features/CWE-079/XSS.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs index ddd24e19729..725d5bbe93c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs @@ -9,36 +9,36 @@ public class LDAPInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string userName = ctx.Request.QueryString["username"]; + string userName = ctx.Request.QueryString["username"]; // $ Source[cs/ldap-injection]=r1 $ Source[cs/ldap-injection]=r2 $ Source[cs/ldap-injection]=r3 $ Source[cs/ldap-injection]=r4 $ Source[cs/ldap-injection]=r5 $ Source[cs/ldap-injection]=r6 // BAD: Filter includes user input without encoding - DirectorySearcher ds = new DirectorySearcher("accountname=" + userName); + DirectorySearcher ds = new DirectorySearcher("accountname=" + userName); // $ Alert[cs/ldap-injection]=r1 DirectorySearcher ds2 = new DirectorySearcher(); - ds.Filter = "accountname=" + userName; + ds.Filter = "accountname=" + userName; // $ Alert[cs/ldap-injection]=r2 // GOOD: Filter includes user input with encoding DirectorySearcher ds3 = new DirectorySearcher("accountname=" + LDAPEncode(userName)); // BAD: SearchRequest Filter includes user input without encoding SearchRequest sr = new SearchRequest(); - sr.Filter = "accountname=" + userName; - SearchRequest sr2 = new SearchRequest(null, "accountname=" + userName, System.DirectoryServices.Protocols.SearchScope.Base, null); + sr.Filter = "accountname=" + userName; // $ Alert[cs/ldap-injection]=r3 + SearchRequest sr2 = new SearchRequest(null, "accountname=" + userName, System.DirectoryServices.Protocols.SearchScope.Base, null); // $ Alert[cs/ldap-injection]=r4 // BAD: Distinguished Name includes user input without encoding - DirectoryEntry de = new DirectoryEntry("LDAP://Cn=" + userName); + DirectoryEntry de = new DirectoryEntry("LDAP://Cn=" + userName); // $ Alert[cs/ldap-injection]=r5 DirectoryEntry de2 = new DirectoryEntry(); - de2.Path = "LDAP://Cn=" + userName; + de2.Path = "LDAP://Cn=" + userName; // $ Alert[cs/ldap-injection]=r6 using (SqlConnection connection = new SqlConnection("")) { connection.Open(); SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection); - SqlDataReader customerReader = customerCommand.ExecuteReader(); + SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/ldap-injection]=r7 while (customerReader.Read()) { // BAD: Read from database, write it straight to a response - DirectorySearcher ds4 = new DirectorySearcher("accountname=" + customerReader.GetString(1)); + DirectorySearcher ds4 = new DirectorySearcher("accountname=" + customerReader.GetString(1)); // $ Alert[cs/ldap-injection]=r7 } customerReader.Close(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.qlref index 06bd1eedc4f..13eefd4645f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-090/LDAPInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs index f9dd6f3289e..c394ed4b8cb 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/Test.cs @@ -5,14 +5,14 @@ using System.Xml; public class XMLInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string employeeName = ctx.Request.QueryString["employeeName"]; + string employeeName = ctx.Request.QueryString["employeeName"]; // $ Source[cs/xml-injection]=r1 using (XmlWriter writer = XmlWriter.Create("employees.xml")) { writer.WriteStartDocument(); // BAD: Insert user input directly into XML - writer.WriteRaw("" + employeeName + ""); + writer.WriteRaw("" + employeeName + ""); // $ Alert[cs/xml-injection]=r1 // GOOD: Escape user input before inserting into string writer.WriteRaw("" + SecurityElement.Escape(employeeName) + ""); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref index e39297fce16..96779d60ccb 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-091/XMLInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs index e03bc9821f5..a557ebf4c72 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs @@ -20,13 +20,13 @@ public class CommandInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string code = ctx.Request.QueryString["code"]; + string code = ctx.Request.QueryString["code"]; // $ Source[cs/code-injection]=r1 $ Source[cs/code-injection]=r2 CSharpCodeProvider c = new CSharpCodeProvider(); ICodeCompiler icc = c.CreateCompiler(); CompilerParameters cp = new CompilerParameters(); // BAD: Compiling unvalidated code from the user - CompilerResults cr = icc.CompileAssemblyFromSource(cp, code); + CompilerResults cr = icc.CompileAssemblyFromSource(cp, code); // $ Alert[cs/code-injection]=r1 System.Reflection.Assembly a = cr.CompiledAssembly; object o = a.CreateInstance("MyNamespace.MyClass"); @@ -37,7 +37,7 @@ public class CommandInjectionHandler : IHttpHandler object s = mi.Invoke(o, null); // BAD: Use the Roslyn APIs to dynamically evaluate C# - CSharpScript.EvaluateAsync(code); + CSharpScript.EvaluateAsync(code); // $ Alert[cs/code-injection]=r2 } public bool IsReusable @@ -53,6 +53,6 @@ public class CommandInjectionHandler : IHttpHandler void OnButtonClicked() { // BAD: Use the Roslyn APIs to dynamically evaluate C# - CSharpScript.EvaluateAsync(box1.Text); + CSharpScript.EvaluateAsync(box1.Text); // $ Alert[cs/code-injection]=r3 $ Alert[cs/code-injection]=r3 } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.qlref index 80eedc1b4c7..53389dffbe4 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-094/CodeInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.cs index aed9219090a..dc766674438 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.cs @@ -5,12 +5,12 @@ public class ResourceInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string userName = ctx.Request.QueryString["userName"]; + string userName = ctx.Request.QueryString["userName"]; // $ Source[cs/resource-injection]=r1 $ Source[cs/resource-injection]=r2 string connectionString = "server=(local);user id=" + userName + ";password= pass;"; // BAD: Direct use of user input in a connection string for the constructor - SqlConnection sqlConnection = new SqlConnection(connectionString); + SqlConnection sqlConnection = new SqlConnection(connectionString); // $ Alert[cs/resource-injection]=r1 // BAD: Direct use of user input assigned to a connection string property - sqlConnection.ConnectionString = connectionString; + sqlConnection.ConnectionString = connectionString; // $ Alert[cs/resource-injection]=r2 // GOOD: Use SqlConnectionStringBuilder SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(); builder["Data Source"] = "(local)"; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.qlref index 5292de5ee84..e2e48763168 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-099/ResourceInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs index 4ca87924c68..869b0731351 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.cs @@ -9,22 +9,22 @@ public class MissingXMLValidationHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { - String userProvidedXml = ctx.Request.QueryString["userProvidedXml"]; + String userProvidedXml = ctx.Request.QueryString["userProvidedXml"]; // $ Source[cs/xml/missing-validation]=r1 $ Source[cs/xml/missing-validation]=r2 $ Source[cs/xml/missing-validation]=r3 $ Source[cs/xml/missing-validation]=r4 $ Source[cs/xml/missing-validation]=r5 // BAD: User provided XML is processed without any validation, // because there is no settings instance configured. - XmlReader.Create(new StringReader(userProvidedXml)); + XmlReader.Create(new StringReader(userProvidedXml)); // $ Alert[cs/xml/missing-validation]=r1 // BAD: User provided XML is processed without any validation, // because the settings instance does not specify the ValidationType XmlReaderSettings badSettings1 = new XmlReaderSettings(); - XmlReader.Create(new StringReader(userProvidedXml), badSettings1); + XmlReader.Create(new StringReader(userProvidedXml), badSettings1); // $ Alert[cs/xml/missing-validation]=r2 // BAD: User provided XML is processed without any validation, // because the settings instance specifies DTD as the ValidationType XmlReaderSettings badSettings2 = new XmlReaderSettings(); badSettings2.ValidationType = ValidationType.DTD; - XmlReader.Create(new StringReader(userProvidedXml), badSettings2); + XmlReader.Create(new StringReader(userProvidedXml), badSettings2); // $ Alert[cs/xml/missing-validation]=r3 // GOOD: User provided XML is processed with validation XmlReaderSettings goodSettings = new XmlReaderSettings(); @@ -42,7 +42,7 @@ public class MissingXMLValidationHandler : IHttpHandler XmlSchemaSet sc2 = new XmlSchemaSet(); sc2.Add("urn:my-schema", "my.xsd"); goodSettings.Schemas = sc2; - XmlReader.Create(new StringReader(userProvidedXml), badSettings3); + XmlReader.Create(new StringReader(userProvidedXml), badSettings3); // $ Alert[cs/xml/missing-validation]=r4 $ Alert[cs/xml/missing-validation]=r5 } public bool IsReusable diff --git a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.qlref b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.qlref index 6f71112a01c..3f8c9fe1687 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-112/MissingXMLValidation.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref index 5979609654f..f789023c52d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssemblyPathInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-114/AssemblyPathInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs index e0217a6d486..8adba3f0dc8 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs @@ -4,10 +4,10 @@ using System.Reflection; public class DLLInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string libraryName = ctx.Request.QueryString["libraryName"]; + string libraryName = ctx.Request.QueryString["libraryName"]; // $ Source[cs/assembly-path-injection]=r1 // BAD: Load DLL based on user input - var badDLL = Assembly.LoadFile(libraryName); + var badDLL = Assembly.LoadFile(libraryName); // $ Alert[cs/assembly-path-injection]=r1 // GOOD: Load DLL using fixed string var goodDLL = Assembly.LoadFile(@"C:\visual studio 2012\Projects\ConsoleApplication1\ConsoleApplication1\DLL.dll"); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.cs b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.cs index e993bc368ae..387c9959df5 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.cs @@ -11,26 +11,26 @@ public class Handler : IHttpHandler try { var password = "123456"; - ctx.Response.Write(password); // BAD + ctx.Response.Write(password); // BAD // $ Alert[cs/sensitive-data-transmission]=r1 $ Alert[cs/sensitive-data-transmission]=r1 } catch (System.Data.SqlClient.SqlException ex) { - ctx.Response.Write(ex.ToString()); // BAD + ctx.Response.Write(ex.ToString()); // BAD // $ Alert[cs/sensitive-data-transmission]=r2 $ Alert[cs/sensitive-data-transmission]=r2 } catch (DbException ex) { - ctx.Response.Write(ex.Message); // BAD - ctx.Response.Write(ex.ToString()); // BAD - ctx.Response.Write(ex.Data["password"]); // BAD + ctx.Response.Write(ex.Message); // BAD // $ Alert[cs/sensitive-data-transmission]=r3 $ Alert[cs/sensitive-data-transmission]=r3 + ctx.Response.Write(ex.ToString()); // BAD // $ Alert[cs/sensitive-data-transmission]=r4 $ Alert[cs/sensitive-data-transmission]=r4 + ctx.Response.Write(ex.Data["password"]); // BAD // $ Alert[cs/sensitive-data-transmission]=r5 $ Alert[cs/sensitive-data-transmission]=r5 } } void SendPasswordToEmail() { - var p = GetField("password"); // p is now tainted - var message = new MailMessage("from", "to", p, p); // BAD - message.Body = "This is your password: " + p; // BAD - message.Subject = p; // BAD + var p = GetField("password"); // p is now tainted // $ Source[cs/sensitive-data-transmission]=r6 $ Source[cs/sensitive-data-transmission]=r7 $ Source[cs/sensitive-data-transmission]=r8 $ Source[cs/sensitive-data-transmission]=r9 + var message = new MailMessage("from", "to", p, p); // BAD // $ Alert[cs/sensitive-data-transmission]=r6 $ Alert[cs/sensitive-data-transmission]=r7 + message.Body = "This is your password: " + p; // BAD // $ Alert[cs/sensitive-data-transmission]=r8 + message.Subject = p; // BAD // $ Alert[cs/sensitive-data-transmission]=r9 } string GetField(string field) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.qlref b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.qlref index 9ce9ee5643e..0c2eb8d2b2c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-201/ExposureInTransmittedData.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs index 74b3fc4dd4d..c9dc15fcce8 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.cs @@ -16,11 +16,11 @@ public class StackTraceHandler : IHttpHandler catch (Exception ex) { // BAD: printing a stack trace back to the response - ctx.Response.Write(ex.ToString()); + ctx.Response.Write(ex.ToString()); // $ Alert[cs/information-exposure-through-exception]=r1 $ Alert[cs/information-exposure-through-exception]=r1 // BAD: implicitly printing a stack trace back to the response - ctx.Response.Write(ex); + ctx.Response.Write(ex); // $ Alert[cs/information-exposure-through-exception]=r2 $ Alert[cs/information-exposure-through-exception]=r2 // BAD: writing StackTrace property to response - ctx.Response.Write(ex.StackTrace); + ctx.Response.Write(ex.StackTrace); // $ Alert[cs/information-exposure-through-exception]=r3 $ Alert[cs/information-exposure-through-exception]=r3 // GOOD: writing Message property to response ctx.Response.Write(ex.Message); return; @@ -36,15 +36,15 @@ public class StackTraceHandler : IHttpHandler log("Exception occurred", ex); ctx.Response.Write("Exception occurred"); - textBox.Text = ex.InnerException.StackTrace; // BAD - textBox.Text = ex.StackTrace; // BAD - textBox.Text = ex.ToString(); // BAD + textBox.Text = ex.InnerException.StackTrace; // BAD // $ Alert[cs/information-exposure-through-exception]=r4 $ Alert[cs/information-exposure-through-exception]=r4 + textBox.Text = ex.StackTrace; // BAD // $ Alert[cs/information-exposure-through-exception]=r5 $ Alert[cs/information-exposure-through-exception]=r5 + textBox.Text = ex.ToString(); // BAD // $ Alert[cs/information-exposure-through-exception]=r6 $ Alert[cs/information-exposure-through-exception]=r6 textBox.Text = ex.Message; // GOOD return; } // BAD: printing a stack trace back to the response for a custom exception - ctx.Response.Write(new MyException().ToString()); + ctx.Response.Write(new MyException().ToString()); // $ Alert[cs/information-exposure-through-exception]=r7 $ Alert[cs/information-exposure-through-exception]=r7 } class MyException : Exception diff --git a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.qlref b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.qlref index e8813fef7a8..295c9e8cc57 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-209/ExceptionInformationExposure.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref index f496f14153c..521ec9079e0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/MissingASPNETGlobalErrorHandler.qlref @@ -1 +1,2 @@ query: Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config index 768c965080c..d04829109d3 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/Web.config @@ -2,6 +2,6 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs index 0c9c58d0d23..ff8600b85a8 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs @@ -14,21 +14,21 @@ namespace HardcodedSymmetricEncryptionKey var a = new AesCryptoServiceProvider(); // BAD: explicit key assignment, hard-coded value - a.Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; + a.Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; // $ Alert[cs/hardcoded-key]=r1 $ Alert[cs/hardcoded-key]=r1 var b = new AesCryptoServiceProvider() { // BAD: explicit key assignment, hard-coded value - Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 } + Key = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 } // $ Alert[cs/hardcoded-key]=r2 $ Alert[cs/hardcoded-key]=r2 }; - var c = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; + var c = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 }; // $ Source[cs/hardcoded-key]=r3 $ Source[cs/hardcoded-key]=r4 $ Source[cs/hardcoded-key]=r5 $ Source[cs/hardcoded-key]=r6 var d = c; - var byteArrayFromString = Encoding.UTF8.GetBytes("Hello, world: here is a very bad way to create a key"); + var byteArrayFromString = Encoding.UTF8.GetBytes("Hello, world: here is a very bad way to create a key"); // $ Source[cs/hardcoded-key]=r7 // BAD: key assignment via variable, from hard-coded value - a.Key = d; + a.Key = d; // $ Alert[cs/hardcoded-key]=r3 // GOOD (not really, but better than hard coding) a.Key = File.ReadAllBytes("secret.key"); @@ -65,7 +65,7 @@ namespace HardcodedSymmetricEncryptionKey { using (MemoryStream ms = new MemoryStream()) { - using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(password, IV), CryptoStreamMode.Write)) + using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(password, IV), CryptoStreamMode.Write)) // $ Alert[cs/hardcoded-key]=r4 { cs.Write(cipherText, 0, cipherText.Length); } @@ -105,7 +105,7 @@ namespace HardcodedSymmetricEncryptionKey return new AesManaged() { // BAD: assignment from parameter - Key = key + Key = key // $ Alert[cs/hardcoded-key]=r5 }; } @@ -118,7 +118,7 @@ namespace HardcodedSymmetricEncryptionKey using (MemoryStream ms = new MemoryStream()) { // BAD: flow of hardcoded key to CreateEncryptor constructor - using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, IV), CryptoStreamMode.Write)) + using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(key, IV), CryptoStreamMode.Write)) // $ Alert[cs/hardcoded-key]=r6 $ Alert[cs/hardcoded-key]=r7 { cs.Write(rawPlaintext, 0, rawPlaintext.Length); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref index 5ec9c0d849c..6006de2bd61 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-321/HardcodedEncryptionKey.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs index 58241499c66..93edb1e318e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs @@ -9,9 +9,9 @@ public class InsecureRandomness public void RandomTest() { // BAD: Using insecure RNG to generate password - string password = InsecureRandomString(10); - password = InsecureRandomStringFromSelection(10); - password = InsecureRandomStringFromIndexer(10); + string password = InsecureRandomString(10); // $ Alert[cs/insecure-randomness]=r1 + password = InsecureRandomStringFromSelection(10); // $ Alert[cs/insecure-randomness]=r2 + password = InsecureRandomStringFromIndexer(10); // $ Alert[cs/insecure-randomness]=r3 // IGNORE - do not track further than the first assignment to a tainted variable string passwd = password; // GOOD: Use cryptographically secure RNG @@ -25,7 +25,7 @@ public class InsecureRandomness byte[] data = new byte[1]; while (result.Length < length) { - data[0] = (byte)r.Next(97, 122); + data[0] = (byte)r.Next(97, 122); // $ Source[cs/insecure-randomness]=r1 result.Append(new ASCIIEncoding().GetString(data)); } return result.ToString(); @@ -57,7 +57,7 @@ public class InsecureRandomness Random r = new Random(); while (result.Length < length) { - result += letters[r.Next(3)]; + result += letters[r.Next(3)]; // $ Source[cs/insecure-randomness]=r2 } return result.ToString(); } @@ -69,7 +69,7 @@ public class InsecureRandomness Random r = new Random(); while (result.Length < length) { - result += letters[r.Next(3)]; + result += letters[r.Next(3)]; // $ Source[cs/insecure-randomness]=r3 } return result; } @@ -77,7 +77,7 @@ public class InsecureRandomness public static string BiasPasswordGeneration() { // BAD: Membership.GeneratePassword generates a password with a bias - string password = System.Web.Security.Membership.GeneratePassword(12, 3); + string password = System.Web.Security.Membership.GeneratePassword(12, 3); // $ Alert[cs/insecure-randomness]=r4 $ Alert[cs/insecure-randomness]=r4 return password; } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.qlref b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.qlref index b2198beb2b4..a79d744ce61 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.qlref @@ -1,2 +1,4 @@ query: Security Features/InsecureRandomness.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs index e9e5202b40a..2b9f3974234 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.cs @@ -4,7 +4,7 @@ public class HomeController : Controller { // BAD: Anti forgery token has been forgotten [HttpPost] - public ActionResult Login() + public ActionResult Login() // $ Alert[cs/web/missing-token-validation] { return View(); } @@ -55,7 +55,7 @@ public class DerivedUnprotectedController : UnprotectedBaseController { // BAD: No antiforgery validation on this or any base class [HttpPost] - public ActionResult NoInheritedValidation() + public ActionResult NoInheritedValidation() // $ Alert[cs/web/missing-token-validation] { return View(); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.qlref b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.qlref index 5e1ab2426c6..8948b9773a2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/missing-aspnetcore/MissingAntiForgeryTokenValidation.qlref @@ -1 +1,2 @@ query: Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref index 5a653b7ada0..d0d38c4b011 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/MissingXFrameOptions.qlref @@ -1 +1,2 @@ query: Security Features/CWE-451/MissingXFrameOptions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config index 8f0b996a024..66a19f0635a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/Web.config @@ -2,4 +2,4 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref b/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref index 95e9bc80fe7..c792e1fcbe4 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-548/ASPNetDirectoryListing.qlref @@ -1 +1,2 @@ query: Security Features/CWE-548/ASPNetDirectoryListing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-548/web.config b/csharp/ql/test/query-tests/Security Features/CWE-548/web.config index b4276433838..0631d811660 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-548/web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-548/web.config @@ -1,6 +1,6 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs index 3b3aae534ad..673502b960e 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs @@ -10,7 +10,7 @@ public class UrlRedirectHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { // BAD: a request parameter is incorporated without validation into a URL redirect - ctx.Response.Redirect(ctx.Request.QueryString["page"]); + ctx.Response.Redirect(ctx.Request.QueryString["page"]); // $ Alert[cs/web/unvalidated-url-redirection]=r2 $ Alert[cs/web/unvalidated-url-redirection]=r2 // GOOD: the request parameter is validated against a known fixed string if (VALID_REDIRECT == ctx.Request.QueryString["page"]) @@ -20,7 +20,7 @@ public class UrlRedirectHandler : IHttpHandler // GOOD: We check whether this is a local URL before redirecting, using UrlHelper. // As recommended by https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks - string url = ctx.Request.QueryString["page"]; + string url = ctx.Request.QueryString["page"]; // $ Source[cs/web/unvalidated-url-redirection]=r5 $ Source[cs/web/unvalidated-url-redirection]=r6 $ Source[cs/web/unvalidated-url-redirection]=r7 $ Source[cs/web/unvalidated-url-redirection]=r8 if (new UrlHelper(null).IsLocalUrl(url)) { ctx.Response.Redirect(url); @@ -35,8 +35,8 @@ public class UrlRedirectHandler : IHttpHandler } // BAD: Adding or appending a header - ctx.Response.AddHeader("Location", ctx.Request.QueryString["page"]); - ctx.Response.AppendHeader("Location", ctx.Request.QueryString["page"]); + ctx.Response.AddHeader("Location", ctx.Request.QueryString["page"]); // $ Alert[cs/web/unvalidated-url-redirection]=r3 $ Alert[cs/web/unvalidated-url-redirection]=r3 + ctx.Response.AppendHeader("Location", ctx.Request.QueryString["page"]); // $ Alert[cs/web/unvalidated-url-redirection]=r4 $ Alert[cs/web/unvalidated-url-redirection]=r4 // GOOD: Redirecting to the RawUrl only reloads the current Url ctx.Response.Redirect(ctx.Request.RawUrl); @@ -45,7 +45,7 @@ public class UrlRedirectHandler : IHttpHandler ctx.Response.Redirect("foo.asp?param=" + url); // BAD: Using Transfer with unvalidated user input - ctx.Server.Transfer(url); + ctx.Server.Transfer(url); // $ Alert[cs/web/unvalidated-url-redirection]=r5 // GOOD: request parameter is URL encoded ctx.Response.Redirect(HttpUtility.UrlEncode(ctx.Request.QueryString["page"])); @@ -61,19 +61,19 @@ public class UrlRedirectHandler : IHttpHandler ctx.Response.Redirect($"foo.asp?param={url}"); // BAD: The attacker can control the location - ctx.Response.Redirect($"{url}.asp?param=foo"); + ctx.Response.Redirect($"{url}.asp?param=foo"); // $ Alert[cs/web/unvalidated-url-redirection]=r6 // GOOD: The attacker can only control the parameters, not the location ctx.Response.Redirect(string.Format("foo.asp?param={0}", url)); // BAD: The attacker can control the location - ctx.Response.Redirect(string.Format("{0}.asp?param=foo", url)); + ctx.Response.Redirect(string.Format("{0}.asp?param=foo", url)); // $ Alert[cs/web/unvalidated-url-redirection]=r7 // GOOD: The attacker can only control the parameters, not the location ctx.Response.Redirect(string.Format("foo.asp?{1}param={0}", url, url)); // BAD: The attacker can control the location - ctx.Response.Redirect(string.Format("{1}.asp?{0}param=foo", url, url)); + ctx.Response.Redirect(string.Format("{1}.asp?{0}param=foo", url, url)); // $ Alert[cs/web/unvalidated-url-redirection]=r8 } // Implementation as recommended by Microsoft. diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.qlref b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.qlref index fdb38b9ffc0..c24957fa4a0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-601/UrlRedirect.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs index 83f499ea048..6093fbeeb4a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs @@ -11,7 +11,7 @@ public class UrlRedirectHandler2 : IHttpHandler public void ProcessRequest(HttpContext ctx) { // BAD: a request parameter is incorporated without validation into a URL redirect - ctx.Response.Redirect(ctx.Request.QueryString["page"]); + ctx.Response.Redirect(ctx.Request.QueryString["page"]); // $ Alert[cs/web/unvalidated-url-redirection]=r1 $ Alert[cs/web/unvalidated-url-redirection]=r1 var redirectUrl = ctx.Request.QueryString["page"]; if (VALID_REDIRECTS.Contains(redirectUrl)) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirectCore.cs b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirectCore.cs index 2da9652d854..b147be0fe32 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirectCore.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirectCore.cs @@ -10,50 +10,50 @@ namespace Testing.Controllers private static string SomeValue = "HeaderValue"; [HttpPost] - public void Post([FromBody] string value) + public void Post([FromBody] string value) // $ Source[cs/web/unvalidated-url-redirection]=r9 $ Source[cs/web/unvalidated-url-redirection]=r10 $ Source[cs/web/unvalidated-url-redirection]=r11 $ Source[cs/web/unvalidated-url-redirection]=r12 $ Source[cs/web/unvalidated-url-redirection]=r13 $ Source[cs/web/unvalidated-url-redirection]=r14 $ Source[cs/web/unvalidated-url-redirection]=r15 { // BAD: straight up controller redirect - Redirect(value); + Redirect(value); // $ Alert[cs/web/unvalidated-url-redirection]=r9 // BAD: Setting response headers collection, location = redirect - Response.Headers["location"] = value; + Response.Headers["location"] = value; // $ Alert[cs/web/unvalidated-url-redirection]=r10 // GOOD: Setting response header to a constant value Response.Headers["location"] = SomeValue; // BAD: Setting response headers collection, location = redirect via add method - Response.Headers.Add("location", value); + Response.Headers.Add("location", value); // $ Alert[cs/web/unvalidated-url-redirection]=r11 // GOOD: Setting response header to a constant value Response.Headers.Add("location", "foo"); // BAD: redirect via location - Response.Headers.SetCommaSeparatedValues("location", value); + Response.Headers.SetCommaSeparatedValues("location", value); // $ Alert[cs/web/unvalidated-url-redirection]=r12 // BAD = redirect via setting location value from tainted source - Response.Headers.Append("location", value); + Response.Headers.Append("location", value); // $ Alert[cs/web/unvalidated-url-redirection]=r13 // BAD: redirect via setting location header from comma-separated values - Response.Headers.AppendCommaSeparatedValues("location", value); + Response.Headers.AppendCommaSeparatedValues("location", value); // $ Alert[cs/web/unvalidated-url-redirection]=r14 // BAD: tainted redirect to Action - RedirectToActionPermanent("Error" + value); + RedirectToActionPermanent("Error" + value); // $ Alert[cs/web/unvalidated-url-redirection]=r15 } // PUT: api/Some/5 [HttpPut("{id}")] - public void Put(int id, [FromBody] string value) + public void Put(int id, [FromBody] string value) // $ Source[cs/web/unvalidated-url-redirection]=r16 $ Source[cs/web/unvalidated-url-redirection]=r17 $ Source[cs/web/unvalidated-url-redirection]=r18 { - RedirectToPage(value); + RedirectToPage(value); // $ Alert[cs/web/unvalidated-url-redirection]=r16 var headers = new ResponseHeaders(Response.Headers); // BAD: redirect via header helper class - headers.Location = new Uri(value); + headers.Location = new Uri(value); // $ Alert[cs/web/unvalidated-url-redirection]=r17 // BAD: response redirect - Response.Redirect(value); + Response.Redirect(value); // $ Alert[cs/web/unvalidated-url-redirection]=r18 // GOOD: whitelisted redirect if(Url.IsLocalUrl(value)) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-611/Test.cs index 005e79a7fb4..103d3cca4cc 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-611/Test.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-611/Test.cs @@ -8,7 +8,7 @@ public class XMLHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { // BAD: XmlTextReader is insecure with these options, using user-provided data - XmlTextReader reader = new XmlTextReader(ctx.Request.QueryString["document"]) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() }; + XmlTextReader reader = new XmlTextReader(ctx.Request.QueryString["document"]) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() }; // $ Alert[cs/xml/insecure-dtd-handling]=r1 $ Alert[cs/xml/insecure-dtd-handling]=r1 $ Alert[cs/insecure-xml-read] } public void insecureXMLBad(string content) @@ -18,10 +18,10 @@ public class XMLHandler : IHttpHandler settings.XmlResolver = new XmlUrlResolver(); // BAD: insecure settings - XmlReader reader1 = XmlReader.Create(content, settings); + XmlReader reader1 = XmlReader.Create(content, settings); // $ Alert[cs/insecure-xml-read] // BAD: XmlTextReader is insecure with these options - XmlTextReader reader2 = new XmlTextReader(content) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() }; + XmlTextReader reader2 = new XmlTextReader(content) { DtdProcessing = DtdProcessing.Parse, XmlResolver = new XmlUrlResolver() }; // $ Alert[cs/insecure-xml-read] } public void insecureXMLGood(string content) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.qlref b/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.qlref index 7f685106e25..8cc567d8a97 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-611/UntrustedDataInsecureXml.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/UseXmlSecureResolver.qlref b/csharp/ql/test/query-tests/Security Features/CWE-611/UseXmlSecureResolver.qlref index b11f5307924..851c79c1593 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-611/UseXmlSecureResolver.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-611/UseXmlSecureResolver.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-611/UseXmlSecureResolver.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref index 58ec5162739..1a762e07498 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/RequireSSL.qlref @@ -1 +1,2 @@ query: Security Features/CWE-614/RequireSSL.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config index 1ddaaf2b65f..7755ae7462d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/Web.config @@ -2,7 +2,7 @@ - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref index 58ec5162739..1a762e07498 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/RequireSSL.qlref @@ -1 +1,2 @@ query: Security Features/CWE-614/RequireSSL.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config index 0ab64b1fcb6..45f9f219f09 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/Web.config @@ -2,8 +2,8 @@ - + - + diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs index a42a629cc7e..4ce6e1268a7 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs @@ -8,16 +8,16 @@ public class XPathInjectionHandler : IHttpHandler { public void ProcessRequest(HttpContext ctx) { - string userName = ctx.Request.QueryString["userName"]; - string password = ctx.Request.QueryString["password"]; + string userName = ctx.Request.QueryString["userName"]; // $ Source[cs/xml/xpath-injection]=r1 $ Source[cs/xml/xpath-injection]=r3 $ Source[cs/xml/xpath-injection]=r5 $ Source[cs/xml/xpath-injection]=r7 $ Source[cs/xml/xpath-injection]=r9 $ Source[cs/xml/xpath-injection]=r11 $ Source[cs/xml/xpath-injection]=r13 + string password = ctx.Request.QueryString["password"]; // $ Source[cs/xml/xpath-injection]=r2 $ Source[cs/xml/xpath-injection]=r4 $ Source[cs/xml/xpath-injection]=r6 $ Source[cs/xml/xpath-injection]=r8 $ Source[cs/xml/xpath-injection]=r10 $ Source[cs/xml/xpath-injection]=r12 $ Source[cs/xml/xpath-injection]=r14 var s = "//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"; // BAD: User input used directly in an XPath expression - XPathExpression.Compile(s); + XPathExpression.Compile(s); // $ Alert[cs/xml/xpath-injection]=r1 $ Alert[cs/xml/xpath-injection]=r2 XmlNode xmlNode = null; // BAD: User input used directly in an XPath expression to SelectNodes - xmlNode.SelectNodes(s); + xmlNode.SelectNodes(s); // $ Alert[cs/xml/xpath-injection]=r3 $ Alert[cs/xml/xpath-injection]=r4 // GOOD: Uses parameters to avoid including user input directly in XPath expression var expr = XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()"); @@ -26,31 +26,31 @@ public class XPathInjectionHandler : IHttpHandler var nav = doc.CreateNavigator(); // BAD - nav.Select(s); + nav.Select(s); // $ Alert[cs/xml/xpath-injection]=r5 $ Alert[cs/xml/xpath-injection]=r6 // GOOD nav.Select(expr); // BAD - nav.SelectSingleNode(s); + nav.SelectSingleNode(s); // $ Alert[cs/xml/xpath-injection]=r7 $ Alert[cs/xml/xpath-injection]=r8 // GOOD nav.SelectSingleNode(expr); // BAD - nav.Compile(s); + nav.Compile(s); // $ Alert[cs/xml/xpath-injection]=r9 $ Alert[cs/xml/xpath-injection]=r10 // GOOD nav.Compile("//users/user[login/text()=$username]/home_dir/text()"); // BAD - nav.Evaluate(s); + nav.Evaluate(s); // $ Alert[cs/xml/xpath-injection]=r11 $ Alert[cs/xml/xpath-injection]=r12 // Good nav.Evaluate(expr); // BAD - nav.Matches(s); + nav.Matches(s); // $ Alert[cs/xml/xpath-injection]=r13 $ Alert[cs/xml/xpath-injection]=r14 // GOOD nav.Matches(expr); @@ -71,17 +71,17 @@ public class XPathInjectionHandler : IHttpHandler { connection.Open(); SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection); - SqlDataReader customerReader = customerCommand.ExecuteReader(); + SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/xml/xpath-injection]=r15 $ Source[cs/xml/xpath-injection]=r16 while (customerReader.Read()) { string userName = customerReader.GetString(1); string password = customerReader.GetString(2); // BAD: User input used directly in an XPath expression - XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"); + XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"); // $ Alert[cs/xml/xpath-injection]=r15 XmlNode xmlNode = null; // BAD: User input used directly in an XPath expression to SelectNodes - xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"); + xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()"); // $ Alert[cs/xml/xpath-injection]=r16 // GOOD: Uses parameters to avoid including user input directly in XPath expression XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()"); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.qlref index a0cdca4727a..9ffeeb3a292 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-643/XPathInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.cs b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.cs index b54b3bbdf81..30d706fb7f1 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.cs @@ -8,20 +8,20 @@ public class RegexHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { - string userInput = ctx.Request.QueryString["userInput"]; + string userInput = ctx.Request.QueryString["userInput"]; // $ Source[cs/redos]=r1 $ Source[cs/redos]=r2 $ Source[cs/redos]=r3 $ Source[cs/redos]=r4 $ Source[cs/redos]=r5 // BAD: // Artificial regexes - new Regex("^([a-z]+)+$").Match(userInput); - new Regex("^([a-z]*)*$").Replace(userInput, ""); + new Regex("^([a-z]+)+$").Match(userInput); // $ Alert[cs/redos]=r1 + new Regex("^([a-z]*)*$").Replace(userInput, ""); // $ Alert[cs/redos]=r2 // Known exponential blowup regex for e-mail address validation // Problematic part is: ([a-zA-Z0-9]+))* - new Regex("^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$").Match(userInput); + new Regex("^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$").Match(userInput); // $ Alert[cs/redos]=r3 // Known exponential blowup regex for Java class name validation // Problematic part is: (([a-z])+.)+ - new Regex(JAVA_CLASS_REGEX).Match(userInput); + new Regex(JAVA_CLASS_REGEX).Match(userInput); // $ Alert[cs/redos]=r4 // Static use - Regex.Match(userInput, JAVA_CLASS_REGEX); + Regex.Match(userInput, JAVA_CLASS_REGEX); // $ Alert[cs/redos]=r5 // GOOD: new Regex("^(([a-b]+[c-z]+)+$").Match(userInput); new Regex("^([a-z]+)+$", RegexOptions.IgnoreCase, TimeSpan.FromSeconds(1)).Match(userInput); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.qlref index de8c70102e0..e3f22da0ebe 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-730/ReDoS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.qlref index de8c70102e0..e3f22da0ebe 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-730/ReDoS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.cs index d5f802a0268..877a029de66 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.cs @@ -7,11 +7,11 @@ public class RegexInjectionHandler : IHttpHandler public void ProcessRequest(HttpContext ctx) { - string regex = ctx.Request.QueryString["regex"]; + string regex = ctx.Request.QueryString["regex"]; // $ Source[cs/regex-injection]=r1 string userInput = ctx.Request.QueryString["userInput"]; // BAD: User input used as regex - new Regex(regex).Match(userInput); + new Regex(regex).Match(userInput); // $ Alert[cs/regex-injection]=r1 // GOOD: User input escaped before being used as regex new Regex(Regex.Escape(regex)).Match(userInput); } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.qlref index bec7fbac79a..82cad8aeb6b 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-730/RegexInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.cs b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.cs index 7ab297fbb68..40b3806f71f 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.cs @@ -9,22 +9,22 @@ public class ConditionalBypassHandler : IHttpHandler { string user = ctx.Request.QueryString["user"]; string password = ctx.Request.QueryString["password"]; - string isAdmin = ctx.Request.QueryString["isAdmin"]; + string isAdmin = ctx.Request.QueryString["isAdmin"]; // $ Source[cs/user-controlled-bypass]=r1 // BAD: login is only executed if isAdmin is false, but isAdmin // is controlled by the user - if (isAdmin == "false") + if (isAdmin == "false") // $ Alert[cs/user-controlled-bypass]=r1 login(user, password); - HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; + HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; // $ Source[cs/user-controlled-bypass]=r2 $ Source[cs/user-controlled-bypass]=r3 $ Source[cs/user-controlled-bypass]=r4 // BAD: login is only executed if the cookie value is false, but the cookie // is controlled by the user - if (adminCookie.Value.Equals("false")) + if (adminCookie.Value.Equals("false")) // $ Alert[cs/user-controlled-bypass]=r2 login(user, password); // FALSE POSITIVES: both methods are conditionally executed, but they probably // both perform the security-critical action - if (adminCookie.Value == "false") + if (adminCookie.Value == "false") // $ Alert[cs/user-controlled-bypass]=r3 $ Alert[cs/user-controlled-bypass]=r4 { login(user, password); } @@ -39,14 +39,14 @@ public class ConditionalBypassHandler : IHttpHandler // BAD: DNS may be controlled by the user IPAddress hostIPAddress = IPAddress.Parse("1.2.3.4"); - IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress); + IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress); // $ Source[cs/user-controlled-bypass]=r5 $ Source[cs/user-controlled-bypass]=r6 // Exact comparison - if (hostInfo.HostName == "trustme.com") + if (hostInfo.HostName == "trustme.com") // $ Alert[cs/user-controlled-bypass]=r5 { login(user, password); } // Substring comparison - if (hostInfo.HostName.EndsWith("trustme.com")) + if (hostInfo.HostName.EndsWith("trustme.com")) // $ Alert[cs/user-controlled-bypass]=r6 { login(user, password); } @@ -67,9 +67,9 @@ public class ConditionalBypassHandler : IHttpHandler public static void Test2(HttpContext ctx, String user, String password) { - HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; + HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; // $ Source[cs/user-controlled-bypass]=r7 // BAD: login may happen once or twice - if (adminCookie.Value == "false") + if (adminCookie.Value == "false") // $ Alert[cs/user-controlled-bypass]=r7 login(user, password); else { @@ -80,8 +80,8 @@ public class ConditionalBypassHandler : IHttpHandler public static void Test3(HttpContext ctx, String user, String password) { - HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; - if (adminCookie.Value == "false") + HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"]; // $ Source[cs/user-controlled-bypass]=r8 + if (adminCookie.Value == "false") // $ Alert[cs/user-controlled-bypass]=r8 login(user, password); else { diff --git a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.qlref b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.qlref index b0c208da348..fe01c7557af 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-807/ConditionalBypass.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/HtmlEncode.cs b/csharp/ql/test/query-tests/Security Features/CWE-838/HtmlEncode.cs index 8a5e378c8d1..66ad8fb4c1a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/HtmlEncode.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/HtmlEncode.cs @@ -7,7 +7,7 @@ public class HtmlEncode public static void Bad(HttpContext ctx) { var user = WebUtility.UrlDecode(ctx.Request.QueryString["user"]); - ctx.Response.Write("Hello, " + WebUtility.UrlEncode(user)); + ctx.Response.Write("Hello, " + WebUtility.UrlEncode(user)); // $ Alert[cs/inappropriate-encoding]=r1 $ Alert[cs/inappropriate-encoding]=r1 } public static void Good(HttpContext ctx) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.cs b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.cs index 637988ddc84..5a9bfd55496 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.cs @@ -10,12 +10,12 @@ public class InappropriateEncoding { public void Sql(string value) { - var encodedValue = Encode(value); + var encodedValue = Encode(value); // $ Source[cs/inappropriate-encoding]=r2 using (var connection = new SqlConnection("")) { var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + encodedValue + "' ORDER BY PRICE"; // BAD - var adapter = new SqlDataAdapter(query1, connection); + var adapter = new SqlDataAdapter(query1, connection); // $ Alert[cs/inappropriate-encoding]=r2 $ Alert[cs/inappropriate-encoding]=r3 var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=@category ORDER BY PRICE"; // GOOD @@ -28,13 +28,13 @@ public class InappropriateEncoding public void Html(string value, Label label, System.Windows.Forms.HtmlElement html) { // BAD - label.Text = Encode(value); - label.Text = HttpUtility.UrlEncode(value); - label.Text = HttpUtility.UrlEncode(HttpUtility.HtmlEncode(value)); - var encodedValue = HttpUtility.UrlEncode(value); - html.SetAttribute("a", encodedValue); - label.Text = ""; - label.Text = string.Format("", encodedValue); + label.Text = Encode(value); // $ Alert[cs/inappropriate-encoding]=r4 $ Alert[cs/inappropriate-encoding]=r4 + label.Text = HttpUtility.UrlEncode(value); // $ Alert[cs/inappropriate-encoding]=r5 $ Alert[cs/inappropriate-encoding]=r5 + label.Text = HttpUtility.UrlEncode(HttpUtility.HtmlEncode(value)); // $ Alert[cs/inappropriate-encoding]=r6 $ Alert[cs/inappropriate-encoding]=r6 + var encodedValue = HttpUtility.UrlEncode(value); // $ Source[cs/inappropriate-encoding]=r7 $ Source[cs/inappropriate-encoding]=r8 $ Source[cs/inappropriate-encoding]=r9 + html.SetAttribute("a", encodedValue); // $ Alert[cs/inappropriate-encoding]=r7 + label.Text = ""; // $ Alert[cs/inappropriate-encoding]=r8 + label.Text = string.Format("", encodedValue); // $ Alert[cs/inappropriate-encoding]=r9 // GOOD label.Text = HttpUtility.HtmlEncode(value); @@ -52,8 +52,8 @@ public class InappropriateEncoding public void Url(string value, HttpServerUtility util, HttpContext ctx) { // BAD - var encodedValue = HttpUtility.HtmlEncode(value); - ctx.Response.Redirect(encodedValue); + var encodedValue = HttpUtility.HtmlEncode(value); // $ Source[cs/inappropriate-encoding]=r10 + ctx.Response.Redirect(encodedValue); // $ Alert[cs/inappropriate-encoding]=r10 // GOOD ctx.Response.Redirect(HttpUtility.UrlEncode(encodedValue)); @@ -63,6 +63,6 @@ public class InappropriateEncoding static string Encode(string value) { - return value.Replace("\"", "\\\""); + return value.Replace("\"", "\\\""); // $ Source[cs/inappropriate-encoding]=r3 } } diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.qlref b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.qlref index d70d82f4719..99348351479 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.qlref +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.qlref @@ -1,2 +1,4 @@ query: Security Features/CWE-838/InappropriateEncoding.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/SqlEncode.cs b/csharp/ql/test/query-tests/Security Features/CWE-838/SqlEncode.cs index dd3731cb161..1e55ade7a9d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/SqlEncode.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/SqlEncode.cs @@ -11,8 +11,8 @@ public class SqlEncode var user = WebUtility.UrlDecode(ctx.Request.QueryString["user"]); using (var connection = new SqlConnection("")) { - var query = "select * from Users where Name='" + user.Replace("\"", "\"\"") + "'"; - var adapter = new SqlDataAdapter(query, connection); + var query = "select * from Users where Name='" + user.Replace("\"", "\"\"") + "'"; // $ Source[cs/inappropriate-encoding]=r11 + var adapter = new SqlDataAdapter(query, connection); // $ Alert[cs/inappropriate-encoding]=r11 var result = new DataSet(); adapter.Fill(result); return result; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/UrlEncode.cs b/csharp/ql/test/query-tests/Security Features/CWE-838/UrlEncode.cs index c43ec2b675a..303a807a577 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/UrlEncode.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/UrlEncode.cs @@ -7,7 +7,7 @@ public class UrlEncode public static void Bad(string value, HttpContext ctx) { var user = WebUtility.UrlDecode(ctx.Request.QueryString["user"]); - ctx.Response.Redirect("?param=" + WebUtility.HtmlEncode(user)); + ctx.Response.Redirect("?param=" + WebUtility.HtmlEncode(user)); // $ Alert[cs/inappropriate-encoding]=r12 $ Alert[cs/inappropriate-encoding]=r12 } public static void Good(string value, HttpContext ctx)