From 40ea5f582ca9aa232cf55d32cb8c64d0de6d84f9 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 4 Dec 2024 10:59:11 -0500
Subject: [PATCH 1/4] MarkupString models

---
csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
index 13c7168a1d19..8617d8e90f0d 100644
--- a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
+++ b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
@@ -10,3 +10,9 @@ extensions:
extensible: summaryModel
data:
- ["Microsoft.AspNetCore.Components", "NagivationManager", True, "ToAbsoluteUri", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - addsTo:
+ pack: codeql/csharp-all
+ extensible: sinkModel
+ data:
+ - ["Microsoft.AspNetCore.Components", "MarkupString", False, "MarkupString", "(System.String)", "", "Argument[0]", "html-injection", "manual"]
+ - ["Microsoft.AspNetCore.Components", "MarkupString", False, "op_Explicit", "(System.String)", "", "Argument[0]", "html-injection", "manual"]

From 0a967325e7b9e3f54df3180c0e6731e81ceff711 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Thu, 12 Dec 2024 16:22:09 -0500
Subject: [PATCH 2/4] Change note

---
.../2024-12-12-add-markupstring-as-html-injection-sink.md | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md

diff --git a/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md b/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md
new file mode 100644
index 000000000000..eb63db4e65e9
--- /dev/null
+++ b/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md
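Review bot: The only test coverage for the two new sinkModel rows is the regenerated FlowSummaries.expected listing in PATCH 3/4, which confirms the rows parse but not that the sink is reached by a real flow; it seems worth adding a query test where a request-derived string flows into `new MarkupString(s)` and `(MarkupString)s` and asserting the html-injection query reports both, plus a constant-string case that must not be reported. Using `False` in the subtypes column looks right here, since MarkupString is a struct and cannot be subclassed. Unrelated to this change, the context row above the addition spells the type `NagivationManager`, so that summary row presumably never matches `Microsoft.AspNetCore.Components.NavigationManager` and deserves a follow-up fix.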
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the constructor of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.

From 8e37a5cd5583fe7bd83e07182da493bb3f4f9ff2 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Thu, 12 Dec 2024 22:05:26 -0500
Subject: [PATCH 3/4] Fix test case

---
.../test/library-tests/dataflow/library/FlowSummaries.expected | 2 ++
1 file changed, 2 insertions(+)

diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
index a7c87af0bfe0..bc4ec5042ab3 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -250,6 +250,8 @@ sink
| Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable,System.Nullable);Argument[1];sql-injection;manual |
| Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable,System.Nullable);Argument[2];sql-injection;manual |
| Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable,System.Nullable);Argument[1];sql-injection;manual |
+| Microsoft.AspNetCore.Components;MarkupString;MarkupString;(System.String);Argument[0];html-injection;manual |
+| Microsoft.AspNetCore.Components;MarkupString;op_Explicit;(System.String);Argument[0];html-injection;manual |
| Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRaw;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable);Argument[1];sql-injection;manual |
| Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRaw;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[]);Argument[1];sql-injection;manual |
| Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRawAsync;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable,System.Threading.CancellationToken);Argument[1];sql-injection;manual |

From 129388c78af3e93cb84f040290cb6cc71b898525 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Fri, 13 Dec 2024 12:48:01 -0500
Subject: [PATCH 4/4] Fix change note

---
.../2024-12-12-add-markupstring-as-html-injection-sink.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md b/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md
index eb63db4e65e9..032edbb1f102 100644
--- a/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md
+++ b/csharp/ql/lib/change-notes/2024-12-12-add-markupstring-as-html-injection-sink.md
@@ -1,4 +1,4 @@
---
category: minorAnalysis
---
-* Added the constructor of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.
+* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.