C#: Add flow steps for View calls refering to Razor pages #14343
Conversation
joefarebrother
force-pushed
the
csharp-xss-flow-step
branch
from
db1e1e1 to
f3b5d34
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
joefarebrother
changed the title
joefarebrother
changed the title
csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/gen_files.py
Show resolved
Hide resolved
csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Template.g
Show resolved
Hide resolved
...t/resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.Razor.Runtime.cs
Outdated
Show resolved
Hide resolved
| result = this.getNameArgument() | ||
| or | ||
| not exists(this.getNameArgument()) and | ||
| result = this.getActionMethod().getName() |
There was a problem hiding this comment.
Can action methods be generic? If so, we will probably need to strip away the <,...,> suffix.
There was a problem hiding this comment.
According to this SO question, action methods cannot be generic.
joefarebrother
force-pushed
the
csharp-xss-flow-step
branch
from
ce47027 to
db82c52
Compare
There was a problem hiding this comment.
Added some comments/questions mostly related to "MVC" vs "Razor Pages".
Also, a more general question:
Wouldn't we need to model flow from View("path", model) to an ExecuteAsync invocation of an instance of the page that has "path" after its Model property has been set to model?
| /** | ||
| * Gets the filepath of the source file that this class was generated from, | ||
| * relative to the application root. | ||
| */ | ||
| string getSourceFilepath() { result = attr.getArgument(2).(StringLiteral).getValue() } |
There was a problem hiding this comment.
I think we should remove the "relative to the application root" from the QLDoc. In case of standalone extraction the path is absolute. This probably also means that some improvements would be needed for matching the relative path in a View call and the absolute path in RazorCompiledItemAttribute.
There was a problem hiding this comment.
Do you have an example of a database for which the generated files contain absolute paths?
There was a problem hiding this comment.
Any standalone extracted web project will have that. So running the following produces one:
dotnet new mvc --name abc
CODEQL_EXTRACTOR_CSHARP_STANDALONE_EXTRACT_WEB_VIEWS=true codeql database create DB_standalone --language=csharp --source-root=abc -Obuildless=true
The DB contains A/DB_standalone/[...]/DB_standalone/working/razor/907F0B60B9944B50BE8465FB6805A19A/Microsoft.NET.Sdk.Razor.SourceGenerators/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/[...]_abc_Views_Home_Index_cshtml.g.cs which has the attribute with the absolute path:
[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(AspNetCoreGeneratedDocument.[...]_abc_Views_Home_Index), @"mvc.1.0.view", @"[...]/abc/Views/Home/Index.cshtml")]| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor page, which may result in additional results for queries such as `cs/web/xss`. |
There was a problem hiding this comment.
I would avoid using the term "Razor page". "Razor Pages" is a product name within the ASP.NET Core world. See https://learn.microsoft.com/en-us/aspnet/core/razor-pages/.
There was a problem hiding this comment.
What term should be used instead?
There was a problem hiding this comment.
How about "Razor view", "Razor view file", or simply "view file"? The latter seems to be used in the docs.
...rp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| /** A compiler-generated Razor page. */ | ||
| class RazorPage extends Class { |
There was a problem hiding this comment.
Same comment as below, I would avoid using "Razor page". Also, I would call a .cshtml or .razor file a RazorPage, which is not the case here. Should we make the naming a bit more explicit to show that this is the generated RazorPageClass?
Also, should we follow model the class hierarchy used by ASP.NET Core? See the comment on the charpred.
csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/gen_files.py
Outdated
Show resolved
Hide resolved
| attr.getFile() = this.getFile() and | ||
| attr.getType() | ||
| .hasQualifiedName("Microsoft.AspNetCore.Razor.Hosting", "RazorCompiledItemAttribute") |
There was a problem hiding this comment.
Would looking for an RazorCompiledItemMetadataAttribute targeting the class instead work? So something like
attr.getTarget() = this and
attr.getType()
.hasQualifiedName("Microsoft.AspNetCore.Razor.Hosting", "RazorCompiledItemMetadataAttribute")
There was a problem hiding this comment.
I have tried that at some point, and it seemed to not work due to that attribute not appearing in (non-standalone) DBs.
There was a problem hiding this comment.
That's odd and unfortunate. I guess it could also depend on the dotnet version being used. I'm somewhat worried that #14792 doesn't fix the assembly attribute extraction, and then we wouldn't find the RazorCompiledItemAttribute attributes.
There was a problem hiding this comment.
In my integration tests, the RazorCompiledItemAttribute attributes are successfully found.
| // import PathGraph // exclude query predicates with output dependant on the absolute filepath the tests are run in | ||
| from XssNode source, XssNode sink, string message | ||
| where xssFlow(source, sink, message) | ||
| select sink, source, sink, "$@ flows to here and " + message, source, "User-provided value" |
Check warning
Code scanning / CodeQL
Alert message style violation
joefarebrother
force-pushed
the
csharp-xss-flow-step
branch
from
e4bffe7 to
89df162
Compare
|
Yes, the new results in |
|
Should I worry about the failing integration tests? They don't appear to be related to these changes, but I've tied rerunning them a few times. |
Yeah, we need them to pass. |
…e to RazorPageClass
joefarebrother
force-pushed
the
csharp-xss-flow-step
branch
from
7ef3af4 to
befb1cc
Compare
Adds a flow step from the
modelparameter of aViewcall to the Razor page it refers to using this view discovery system, when this can be determined statically.