Merge pull request #17582 from michaelnebel/csharp/attributecollectionsinks

michaelnebel · web-flow · commit 297d32180cd3 · 2024-09-26T09:17:31.000+02:00
C#: `AttributeCollection` is no longer considered a HTML sink.
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Html.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Html.qll
@@ -56,10 +56,9 @@ class HtmlTextWriterSink extends HtmlSink {
 }
 
 /**
- * An expression that is used as an argument to an HTML sink method on
- * `AttributeCollection`.
+ * DEPRECATED: Attribute collections are no longer considered HTML sinks.
  */
-class AttributeCollectionSink extends HtmlSink {
+deprecated class AttributeCollectionSink extends DataFlow::ExprNode {
   AttributeCollectionSink() {
     exists(SystemWebUIAttributeCollectionClass ac, Parameter p |
       p = ac.getAddMethod().getParameter(1) or
diff --git a/csharp/ql/src/change-notes/2024-09-25-attribute-collection-sink.md b/csharp/ql/src/change-notes/2024-09-25-attribute-collection-sink.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C#: The indexer and `Add` method on `System.Web.UI.AttributeCollection` is no longer considered an HTML sink.
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.expected
@@ -1,5 +1,5 @@
-| script.aspx:4:1:4:23 | <%= ... %> | XSS.cs:115:16:115:29 | someJavascript |
-| script.aspx:8:1:8:12 | <%= ... %> | XSS.cs:122:24:122:28 | Field |
+| script.aspx:4:1:4:23 | <%= ... %> | XSS.cs:120:16:120:29 | someJavascript |
+| script.aspx:8:1:8:12 | <%= ... %> | XSS.cs:127:24:127:28 | Field |
 | script.aspx:12:1:12:14 | <%= ... %> | <outside test directory> | Request |
 | script.aspx:16:1:16:34 | <%= ... %> | <outside test directory> | QueryString |
 | script.aspx:20:1:20:41 | <%= ... %> | <outside test directory> | QueryString |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs
@@ -17,6 +17,7 @@ class XSS
         Table table;
         Label label;
         string connectionString;
+        public Button button;
 
         public void WebUIXSS()
         {
@@ -100,6 +101,10 @@ public void HtmlEncoded(HttpContextBase context)
             // GOOD: HTML encoding
             string name = context.Request.QueryString["name"];
             new StringContent(HttpUtility.HtmlEncode(name));
+
+            // GOOD: Implicit HTML encoding
+            string html = context.Request.QueryString["html"];
+            button.Attributes.Add("data-href", html);
         }
 
         public void UrlEncoded(HttpContextBase context)
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.expected

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* C#: The indexer and `Add` method on `System.Web.UI.AttributeCollection` is no longer considered an HTML sink.