From 8ce21c4f0a9a23f485474defadf7d707a4c804d7 Mon Sep 17 00:00:00 2001
From: Kevin Stubbings
Date: Mon, 25 Aug 2025 23:24:49 -0700
Subject: [PATCH 1/5] Increase accuracy of user controlled data
---
 .../lib/ext/Microsoft.AspNetCore.Components.model.yml | 1 -
 .../csharp/security/dataflow/flowsources/Remote.qll | 11 +++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
index 396fca44dd37..daf7e00885d8 100644
--- a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
+++ b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
@@ -3,7 +3,6 @@ extensions:
 pack: codeql/csharp-all
 extensible: sourceModel
 data:
- - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_BaseUri", "", "", "ReturnValue", "remote", "manual"]
 - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_Uri", "", "", "ReturnValue", "remote", "manual"]
 - ["Microsoft.AspNetCore.Components", "SupplyParameterFromFormAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
 - ["Microsoft.AspNetCore.Components", "SupplyParameterFromQueryAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
index 2906fde4e1de..f6149ef883ff 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -237,8 +237,15 @@ class AspNetCoreQueryRemoteFlowSource extends AspNetCoreRemoteFlowSource, DataFl
 t instanceof MicrosoftAspNetCoreHttpQueryCollection or
 t instanceof MicrosoftAspNetCoreHttpQueryString
 |
- this.getExpr().(Call).getTarget().getDeclaringType() = t or
- this.asExpr().(Access).getTarget().getDeclaringType() = t
+ (
+ this.getExpr().(Call).getTarget().getDeclaringType() = t or
+ this.asExpr().(Access).getTarget().getDeclaringType() = t
+ ) and
+ not this.asExpr()
+ .(MemberAccess)
+ .getQualifiedDeclaration()
+ .hasFullyQualifiedName("Microsoft.AspNetCore.Http", "HttpRequest",
+ ["Method", "Scheme", "IsHttps", "Protocol"])
 )
 or
 exists(Call c |
From cf8c8f018664890bbcbb24b95a0eebe9541d6029 Mon Sep 17 00:00:00 2001
From: Kevin Stubbings
Date: Mon, 25 Aug 2025 23:31:39 -0700
Subject: [PATCH 2/5] Add change note
---
 csharp/ql/src/change-notes/2025-08-25.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 csharp/ql/src/change-notes/2025-08-25.md
diff --git a/csharp/ql/src/change-notes/2025-08-25.md b/csharp/ql/src/change-notes/2025-08-25.md
new file mode 100644
index 000000000000..a819680b43f7
--- /dev/null
+++ b/csharp/ql/src/change-notes/2025-08-25.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* `NavigationManager.BaseUri` and certain fields in `Microsoft.AspNetCore.Http.HttpRequest` have been removed from `RemoteFlowSource`. This means query `cs/request-forgery` will have significantly less FPs.
\ No newline at end of file
From 881aae607df87d9a34b37a8038054da93ad122f0 Mon Sep 17 00:00:00 2001
From: Kevin Stubbings
Date: Tue, 26 Aug 2025 00:21:50 -0700
Subject: [PATCH 3/5] change changenote name
---
 ...d => 2025-08-25-BaseURI-and-HttpRequest-Source-Improvement.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename csharp/ql/src/change-notes/{2025-08-25.md => 2025-08-25-BaseURI-and-HttpRequest-Source-Improvement.md} (100%)
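Review bot: The added `not … hasFullyQualifiedName("Microsoft.AspNetCore.Http", "HttpRequest", ["Method", "Scheme", "IsHttps", "Protocol"])` clause drops these four members as remote sources for every query that consumes this source class, not only `cs/request-forgery` as the change note states, and nothing in the series tests it (the only test file touched is `FlowSummaries.expected`, for the `get_BaseUri` model row). `Method` is still a string supplied by the client, and `Scheme` can follow a forwarded-protocol header when forwarded-headers handling is enabled, so other taint queries may lose results; that trade-off deserves a comment above the clause, for example `// Method, Scheme, IsHttps and Protocol are excluded as low-value sources: protocol metadata, not free-form request data`. A library test with one access to each excluded property and one to a member that should remain a source would pin the behaviour. PATCH 4/5 later rewrites `.getQualifiedDeclaration()` to `.getTarget()` in this same clause, and the enclosing class and predicate start outside the hunk.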
diff --git a/csharp/ql/src/change-notes/2025-08-25.md b/csharp/ql/src/change-notes/2025-08-25-BaseURI-and-HttpRequest-Source-Improvement.md
similarity index 100%
rename from csharp/ql/src/change-notes/2025-08-25.md
rename to csharp/ql/src/change-notes/2025-08-25-BaseURI-and-HttpRequest-Source-Improvement.md
From c4c77e8549b54876dca3c0b1c8360baca21319bf Mon Sep 17 00:00:00 2001
From: Kevin Stubbings
Date: Tue, 2 Sep 2025 01:58:23 -0700
Subject: [PATCH 4/5] Update branch and fix method
---
 .../semmle/code/csharp/security/dataflow/flowsources/Remote.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
index f6149ef883ff..c3bc5cc2ee83 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -243,7 +243,7 @@ class AspNetCoreQueryRemoteFlowSource extends AspNetCoreRemoteFlowSource, DataFl
 ) and
 not this.asExpr()
 .(MemberAccess)
- .getQualifiedDeclaration()
+ .getTarget()
 .hasFullyQualifiedName("Microsoft.AspNetCore.Http", "HttpRequest",
 ["Method", "Scheme", "IsHttps", "Protocol"])
 )
From 1c6fd40d82b2591831c23dfcd266bf7f2091cd5c Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Mon, 27 Oct 2025 08:32:08 +0100
Subject: [PATCH 5/5] C#: Update test expected files.
---
 .../test/library-tests/dataflow/library/FlowSummaries.expected | 1 -
 1 file changed, 1 deletion(-)
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
index 8ffcd84e54ba..29862a5ff92f 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -90,7 +90,6 @@ source | Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable,System.Nullable);ReturnValue;database;manual | | Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,Dapper.CommandDefinition);ReturnValue;database;manual | | Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable,System.Nullable);ReturnValue;database;manual | -| Microsoft.AspNetCore.Components;NavigationManager;get_BaseUri;();ReturnValue;remote;manual | | Microsoft.AspNetCore.Components;NavigationManager;get_Uri;();ReturnValue;remote;manual | | Microsoft.Extensions.Configuration.UserSecrets;PathHelper;GetSecretsPathFromSecretsId;(System.String);ReturnValue;environment;df-generated | | Microsoft.Extensions.Configuration;EnvironmentVariablesExtensions;AddEnvironmentVariables;(Microsoft.Extensions.Configuration.IConfigurationBuilder);Argument[0];environment;manual |