diff --git a/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md b/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md new file mode 100644 index 000000000000..032edbb1f102 --- /dev/null +++ b/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`. diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml index 13c7168a1d19..8617d8e90f0d 100644 --- a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml +++ b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml @@ -10,3 +10,9 @@ extensions: extensible: summaryModel data: - ["Microsoft.AspNetCore.Components", "NagivationManager", True, "ToAbsoluteUri", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"] + - addsTo: + pack: codeql/csharp-all + extensible: sinkModel + data: + - ["Microsoft.AspNetCore.Components", "MarkupString", False, "MarkupString", "(System.String)", "", "Argument[0]", "html-injection", "manual"] + - ["Microsoft.AspNetCore.Components", "MarkupString", False, "op_Explicit", "(System.String)", "", "Argument[0]", "html-injection", "manual"] diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected index 18728d5198dc..e08060fe3436 100644 --- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected +++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected @@ -250,6 +250,8 @@ sink | Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable,System.Nullable);Argument[1];sql-injection;manual | | Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable,System.Nullable);Argument[2];sql-injection;manual | | Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable,System.Nullable);Argument[1];sql-injection;manual | +| Microsoft.AspNetCore.Components;MarkupString;MarkupString;(System.String);Argument[0];html-injection;manual | +| Microsoft.AspNetCore.Components;MarkupString;op_Explicit;(System.String);Argument[0];html-injection;manual | | Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRaw;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable);Argument[1];sql-injection;manual | | Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRaw;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[]);Argument[1];sql-injection;manual | | Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRawAsync;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable,System.Threading.CancellationToken);Argument[1];sql-injection;manual |