Adds CodeQL query to check for Pages validateRequest directive

This commit is contained in:
Paulino Calderon
2019-11-16 16:47:28 -05:00
committed by Calum Grant
parent 20513561a0
commit eeffd7cf8d
4 changed files with 99 additions and 0 deletions


@@ -0,0 +1,65 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
<code>Request validation</code>
is a feature in ASP.NET that protects web applications against
potentially malicious content
in requests, specifically against
cross-site scripting attacks (XSS).
</p>
</overview>
<recommendation>
<p>
Enable the directive validateRequest in your web.config file:
<code>
<pages validateRequest="true" />
</code>
</p>
</recommendation>
<example>
<p>
The following example shows the 'validateRequest' flag set to true in
a
<code>Web.config</code>
file for ASP.NET. This will protect the web application against
common XSS attacks:
</p>
<sample src="Web.config.ASPNetPagesValidateRequest.good" />
<p>
If validateRequest is set to
<code>false</code>
, validation is disabled:
</p>
<sample src="Web.config.ASPNetPagesValidateRequest.bad" />
</example>
<references>
<li>
MSDN:
<a
href=https://docs.microsoft.com/en-us/previous-versions/aspnet/hh882339(v=vs.110)?redirectedfrom=MSDN ">Request
Validation in ASP.NET</a>
.
</li>
<li>
MSDN:
<a
href="https://docs.microsoft.com/en-us/previous-versions/aspnet/debza5t0(v=vs.100)?redirectedfrom=MSDN">Validation ASP.NET Controls</a>
.
</li>
</references>
</qhelp>
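Review bot: The first reference's `href` attribute is missing its opening quote (`href=https://docs.microsoft.com/...?redirectedfrom=MSDN ">`), which is not well-formed XML and will fail the qhelp build; it should read `href="https://docs.microsoft.com/en-us/previous-versions/aspnet/hh882339(v=vs.110)?redirectedfrom=MSDN">Request`. The recommendation's `<code>` element also appears to contain a literal `<pages validateRequest="true" />` tag; unless the source is already entity-escaped, an XML parser will treat that as a child element rather than text, so it should be written as `&lt;pages validateRequest="true" /&gt;`. It would also help readers to say in the overview that request validation is a defense-in-depth measure and does not replace output encoding, since the text as written suggests the flag alone protects against XSS.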


@@ -0,0 +1,14 @@
/**
* @name Page Request Validation is disabled
* @description ASP.NET Pages should not disable the built-in request validation.
* @kind problem
*/
import csharp
import semmle.code.asp.WebConfig
from SystemWebXMLElement web, XMLAttribute requestvalidateAttribute
where
requestvalidateAttribute = web.getAChild("pages").getAttribute("validateRequest") and
requestvalidateAttribute.getValue().toLowerCase() = "false"
select requestvalidateAttribute, "validateRequest is set to false"
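Review bot: The metadata header at the top of the hunk has only `@name`, `@description` and `@kind`; it lacks the `@id`, `@problem.severity`, `@precision` and `@tags` entries that the other security queries in the C# pack carry, so results cannot be tracked or suppressed by id and the query will not be selected by the security suites. I would add `* @problem.severity warning`, `* @precision high` and `* @tags security` plus an `@id` following the pack's existing `cs/...` naming. The value comparison `requestvalidateAttribute.getValue().toLowerCase() = "false"` tolerates case but not surrounding whitespace, so `validateRequest=" false "` would be missed; `.trim().toLowerCase()` would close that gap. Note also that this flags only an explicit `false`; whether other web.config settings can effectively disable validation is outside what this query checks and is worth stating in the description so the result is not read as a complete audit.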


@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation
defaultLanguage="c#"
/>
<pages validateRequest="false" />
...
</system.web>
</configuration>


@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation
defaultLanguage="c#"
/>
<pages validateRequest="true" />
...
</system.web>
</configuration>