add host comparisons as a sanitizer for url-redirect

Author: erik-krogh

csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll

@@ -182,6 +182,31 @@ class RelativeUrlSanitizer extends Sanitizer {
   }
 }
 
+/**
+ * A comparison on the `Host` property of a url, that is a sanitizer for URL redirects.
+ * E.g. `url.Host == "example.org"`
+ */
+private predicate isHostComparisonSanitizer(Guard guard, Expr e, AbstractValue v) {
+  exists(EqualityOperation comparison | comparison = guard |
+    exists(PropertyAccess access | access = comparison.getAnOperand() |
+      access.getProperty().getName() = "Host" and
+      e = access.getQualifier()
+    ) and
+    if comparison instanceof EQExpr
+    then v.(AbstractValues::BooleanValue).getValue() = true
+    else v.(AbstractValues::BooleanValue).getValue() = false
+  )
+}
+
+/**
+ * A comparison on the `Host` property of a url, that is a sanitizer for URL redirects.
+ */
+class HostComparisonSanitizer extends Sanitizer {
+  HostComparisonSanitizer() {
+    this = DataFlow::BarrierGuard<isHostComparisonSanitizer/3>::getABarrierNode()
+  }
+}
+
 /**
  * A call to the getter of the RawUrl property, whose value is considered to be safe for URL
  * redirects.

csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs

@@ -26,6 +26,10 @@ public void ProcessRequest(HttpContext ctx)
             // GOOD: The redirect is to a relative URL
             ctx.Response.Redirect(url.ToString());
         }
-        
+
+        if (url.Host == "example.org") {
+            // GOOD: The redirect is to a known host
+            ctx.Response.Redirect(url.ToString());
+        }
     }
 }