Convert barrier to MaD

owen-mc · owen-mc · commit 130f8f148b2b · 2026-01-13T10:29:16.000Z
I confirmed that without the model a test fails.
diff --git a/csharp/ql/lib/ext/System.Web.model.yml b/csharp/ql/lib/ext/System.Web.model.yml
@@ -1,4 +1,10 @@
 extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: barrierModel
+    data:
+      # The RawUrl property is considered to be safe for URL redirects
+      - ["System.Web", "HttpRequest", False, "get_RawUrl", "()", "", "ReturnValue", "url-redirection", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: sinkModel
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -189,16 +189,6 @@ class HostComparisonSanitizer extends Sanitizer {
   }
 }
 
-/**
- * A call to the getter of the RawUrl property, whose value is considered to be safe for URL
- * redirects.
- */
-class RawUrlSanitizer extends Sanitizer {
-  RawUrlSanitizer() {
-    this.getExpr() = any(SystemWebHttpRequestClass r).getRawUrlProperty().getGetter().getACall()
-  }
-}
-
 /**
  * A string concatenation expression, where the left hand side contains the character "?".
  *

Original file line number	Diff line number	Diff line change
`@@ -189,16 +189,6 @@ class HostComparisonSanitizer extends Sanitizer {`
`189`	`189`	`}`
`190`	`190`	`}`
`191`	`191`
`192`		`-/**`
`193`		`- * A call to the getter of the RawUrl property, whose value is considered to be safe for URL`
`194`		`- * redirects.`
`195`		`- */`
`196`		`-class RawUrlSanitizer extends Sanitizer {`
`197`		`- RawUrlSanitizer() {`
`198`		`- this.getExpr() = any(SystemWebHttpRequestClass r).getRawUrlProperty().getGetter().getACall()`
`199`		`- }`
`200`		`-}`
`201`		`-`
`202`	`192`	`/**`
`203`	`193`	`* A string concatenation expression, where the left hand side contains the character "?".`
`204`	`194`	`*`